authorBharat Mediratta <bharat@menalto.com>2008-12-24 00:20:26 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-24 00:20:26 +0000
commit672eca53371b131484d00cbe6a069092d0b7f6b3 (patch)
tree507cce76fc6dc9d022455eed9075e039fa779da2 /core/controllers
parentc76d730a7c07253e7cc3224a78c616ce63989f40 (diff)
Lots of deltas rolled up into a bigger change. Sorry for the mess.
1) Deleted in-place-editing. We'll be replacing this with a real edit system that groups settings together and is more coherent. 2) Tweaked the way that dialog boxes work to get the ajax stuff working again. It's imperfect and does not work properly for uploading images. This is going to get redone also, but this is a good resting point. 3) Created edit forms for albums and photos. Moved _update and _create out of Items_Controller and into the individual subclasses. 4) Created access::required which is a shorthand for: if (!access::can(...)) { access::forbidden(); } 5) Added validation rules to Items_Model 6) Converted login to use the regular modal dialog approach in the theme.
Diffstat (limited to 'core/controllers')
-rw-r--r--core/controllers/albums.php135
-rw-r--r--core/controllers/items.php118
-rw-r--r--core/controllers/photos.php53
-rw-r--r--core/controllers/rest.php2
4 files changed, 168 insertions, 140 deletions
diff --git a/core/controllers/albums.php b/core/controllers/albums.php
index 0947e913..8d2b5b77 100644
--- a/core/controllers/albums.php
+++ b/core/controllers/albums.php
@@ -22,15 +22,13 @@ class Albums_Controller extends Items_Controller {
/**
* @see Rest_Controller::_show($resource)
*/
- public function _show($item) {
- if (!access::can("view", $item)) {
- Kohana::show_404();
- }
+ public function _show($album) {
+ access::required("view", $album);
$theme_name = module::get_var("core", "active_theme", "default");
$page_size = module::get_var("core", "page_size", 9);
$page = $this->input->get("page", "1");
- $children_count = $item->viewable()->children_count();
+ $children_count = $album->viewable()->children_count();
$offset = ($page-1) * $page_size;
// Make sure that the page references a valid offset
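Review bot: Replacing the `Kohana::show_404()` branch at the top of `_show` with `access::required("view", $album)` changes what a viewer without permission gets back. Per the commit description the helper calls `access::forbidden()`, so if that response differs from the one for a missing album (its implementation is not visible here), album ids a user may not view become distinguishable from ids that do not exist. For view checks, consider keeping `if (!access::can("view", $album)) { Kohana::show_404(); }`, or having the helper answer "view" denials as not-found. The same substitution is made in `Photos_Controller::_show`, and a new view check is added in the redirect method in items.php. The body of `_show` continues past the end of this hunk.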
@@ -40,25 +38,136 @@ class Albums_Controller extends Items_Controller {
$template = new Theme_View("page.html", "album", $theme_name);
$template->set_global("page_size", $page_size);
- $template->set_global("item", $item);
- $template->set_global("children", $item->viewable()->children($page_size, $offset));
+ $template->set_global("item", $album);
+ $template->set_global("children", $album->viewable()->children($page_size, $offset));
$template->set_global("children_count", $children_count);
- $template->set_global("parents", $item->parents());
+ $template->set_global("parents", $album->parents());
$template->content = new View("album.html");
- $item->view_count++;
- $item->save();
+ $album->view_count++;
+ $album->save();
print $template;
}
/**
+ * @see Rest_Controller::_create($resource)
+ */
+ public function _create($album) {
+ access::required("edit", $album);
+
+ switch ($this->input->post("type")) {
+ case "album":
+ return $this->_create_album($album);
+
+ case "photo":
+ return $this->_create_photo($album);
+
+ default:
+ access::forbidden();
+ }
+ }
+
+ private function _create_album($album) {
+ access::required("edit", $album);
+
+ $form = album::get_add_form($album);
+ if ($form->validate()) {
+ $new_album = album::create(
+ $album,
+ $this->input->post("name"),
+ $this->input->post("title", $this->input->post("name")),
+ $this->input->post("description"),
+ user::active()->id);
+
+ log::add("content", "Created an album", log::INFO,
+ html::anchor("albums/$new_album->id", "view album"));
+ message::add(_("Successfully created album"));
+ rest::http_status(rest::CREATED);
+ rest::http_location(url::site("albums/$new_album->id"));
+ } else {
+ print $form;
+ }
+ }
+
+ private function _create_photo($album) {
+ access::required("edit", $album);
+
+ $form = photo::get_add_form($album);
+ if ($form->validate()) {
+ $photo = photo::create(
+ $album,
+ $this->input->post("file"),
+ $_FILES["file"]["name"],
+ $this->input->post("title", $this->input->post("name")),
+ $this->input->post("description"),
+ user::active()->id);
+
+ log::add("content", "Added a photo", log::INFO,
+ html::anchor("photos/$photo->id", "view photo"));
+ message::add(_("Successfully added photo"));
+ //rest::http_status(rest::CREATED);
+ //rest::http_location(url::site("photos/$photo->id"));
+ print "<h1>this is a response</h1>";
+ } else {
+ print $form;
+ }
+ }
+
+ /**
+ * @see Rest_Controller::_update($resource)
+ */
+ public function _update($album) {
+ access::required("edit", $album);
+
+ $form = album::get_edit_form($album);
+ if ($form->validate()) {
+ // @todo implement changing the name. This is not trivial, we have
+ // to check for conflicts and rename the album itself, etc. Needs an
+ // api method.
+ $album->title = $form->edit_album->title->value;
+ $album->description = $form->edit_album->description->value;
+ $album->save();
+
+ module::event("album_changed", $album);
+
+ log::add("content", "Updated album", log::INFO, "<a href=\"albums/$album->id\">view</a>");
+ message::add(_("Successfully saved album"));
+ rest::http_status(rest::CREATED);
+ rest::http_location(url::site("albums/$album->id"));
+ } else {
+ rest::html($form);
+ }
+ rest::respond();
+ }
+
+ /**
* @see Rest_Controller::_form_add($parameters)
*/
- public function _form_add($parent_id) {
- $parent = ORM::factory("item", $parent_id);
+ public function _form_add($album_id) {
+ $album = ORM::factory("item", $album_id);
+ access::required("edit", $album);
+
+ switch ($this->input->get("type")) {
+ case "album":
+ print album::get_add_form($album)->render();
+ break;
+
+ case "photo":
+ print photo::get_add_form($album)->render();
+ break;
- print album::get_add_form($parent)->render();
+ default:
+ kohana::show_404();
+ }
}
+ /**
+ * @see Rest_Controller::_form_add($parameters)
+ */
+ public function _form_edit($album) {
+ access::required("edit", $album);
+
+ print album::get_edit_form($album);
+ }
}
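Review bot: In `_create_photo` the source path handed to `photo::create()` is `$this->input->post("file")`, a request field the client fills in, where the `_create` removed from items.php in this commit passed `$_FILES["file"]["tmp_name"]`. Unless the form's validation rewrites that field (not visible here), a caller with edit permission could name an existing path on the server instead of an upload; pass `$_FILES["file"]["tmp_name"],` and confirm it with `is_uploaded_file()` before creating the photo. `_create_album` also reads name, title and description from raw POST after `$form->validate()`, whereas `_update` takes them from the validated form fields, which is the pattern to follow. The debug `print "<h1>this is a response</h1>";` and the commented-out status lines should not ship, and the docblock on `_form_edit` points at `_form_add`.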
diff --git a/core/controllers/items.php b/core/controllers/items.php
index b79d28d2..1cb24324 100644
--- a/core/controllers/items.php
+++ b/core/controllers/items.php
@@ -45,125 +45,19 @@ class Items_Controller extends REST_Controller {
// Redirect to the more specific resource type, since it will render
// differently. We could also just delegate here, but it feels more appropriate
// to have a single canonical resource mapping.
+ access::required("view", $item);
return url::redirect("{$item->type}s/$item->id");
}
- public function _create($item) {
- // @todo Productionize this code
- // 1) Add security checks
- $owner_id = user::active()->id;
-
- switch ($this->input->post("type")) {
- case "album":
- $album = album::create(
- $item,
- $this->input->post("name"),
- $this->input->post("title", $this->input->post("name")),
- $this->input->post("description"),
- $owner_id);
- log::add("content", "Created an album", log::INFO,
- html::anchor("albums/$album->id", "view album"));
- message::add(_("Successfully created album"));
- if (request::is_ajax()) {
- rest::http_status(rest::CREATED);
- rest::http_location(url::site("albums/$album->id"));
- } else {
- url::redirect("albums/$album->id");
- }
- break;
-
- case "photo":
- if (is_array($_FILES["file"]["name"])) {
- $count = count($_FILES["file"]["name"]);
- for ($i = 0; $i < $count - 1; $i++) {
- if ($_FILES["file"]["error"][$i] == 0) {
- $photo = photo::create(
- $item,
- $_FILES["file"]["tmp_name"][$i],
- $_FILES["file"]["name"][$i],
- $_FILES["file"]["name"][$i],
- "", $owner_id);
- } else {
- log::add("content", "Error uploading photo", log::WARNING);
- message::add(sprintf(_("Error uploading photo %s"),
- html::specialchars($_FILES["file"]["name"][$i])));
- }
- }
- log::add("content", "Added $count photos", log::INFO,
- html::anchor("albums/$item->id", "view album"));
- if (request::is_ajax()) {
- rest::http_status(rest::CREATED);
- rest::http_location(url::site("albums/$item->id"));
- } else {
- url::redirect("albums/$item->id");
- }
- } else {
- $photo = photo::create(
- $item,
- $_FILES["file"]["tmp_name"],
- $_FILES["file"]["name"],
- $this->input->post("title", $this->input->post("name")),
- $this->input->post("description"),
- $owner_id);
- log::add("content", "Added a photo", log::INFO,
- html::anchor("photos/$photo->id", "view photo"));
- message::add(_("Successfully added photo"));
- if (request::is_ajax()) {
- rest::http_status(rest::CREATED);
- rest::http_location(url::site("photos/$photo->id"));
- } else {
- url::redirect("photos/$photo->id");
- }
- }
- break;
- }
- }
-
public function _delete($item) {
- // @todo Productionize this code
- // 1) Add security checks
- $parent = $item->parent();
- if ($parent->id) {
- module::event("{$item->type}_before_delete", $item);
-
- $item->delete();
- }
+ throw new Exception("@todo Item_Controller::_delete NOT IMPLEMENTED");
+ }
- url::redirect("{$parent->type}s/{$parent->id}");
+ public function _create($item) {
+ throw new Exception("@todo Item_Controller::_create NOT IMPLEMENTED");
}
public function _update($item) {
- // @todo Productionize this
- // 1) Figure out how to do the right validation here. Validate the form input and apply it to
- // the model as appropriate.
- // 2) Figure out how to dispatch according to the needs of the client. Ajax requests from
- // jeditable will want the changed field back, and possibly the whole item in json.
- //
- // For now let's establish a simple protocol where the client passes in a __return parameter
- // that specifies which field it wants back from the item. Later on we can expand that to
- // include a data format, etc.
-
- // These fields are safe to change
- $post = $this->input->post();
- foreach ($post as $key => $value) {
- switch ($key) {
- case "title":
- case "description":
- $item->$key = $value;
- break;
- }
- }
-
- // @todo Support additional fields
- // These fields require additional work if you change them
- // parent_id, owner_id
-
- $item->save();
-
- module::event("{$item->type}_changed", $item);
-
- if (array_key_exists("_return", $post)) {
- print $item->{$post["_return"]};
- }
+ throw new Exception("@todo Item_Controller::_update NOT IMPLEMENTED");
}
}
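Review bot: The new `_delete`, `_create` and `_update` stubs throw a bare `Exception` with no permission check in front of it, so any client whose request is routed to one of them reaches the throw. Depending on how uncaught exceptions are rendered (not visible here), that may show an error page with internal detail. Put `access::required("edit", $item);` ahead of each throw, or answer with `access::forbidden();` as the default branch of `Albums_Controller::_create` does. The messages name `Item_Controller` while the class is `Items_Controller`. Neither albums.php nor photos.php in this diff defines `_delete`, so deletion appears to have no implementation after this commit and deserves a comment beside the stub saying so.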
diff --git a/core/controllers/photos.php b/core/controllers/photos.php
index 465c291d..730cfd2c 100644
--- a/core/controllers/photos.php
+++ b/core/controllers/photos.php
@@ -22,34 +22,59 @@ class Photos_Controller extends Items_Controller {
/**
* @see Rest_Controller::_show($resource)
*/
- public function _show($item) {
- if (!access::can("view", $item)) {
- return Kohana::show_404();
- }
+ public function _show($photo) {
+ access::required("view", $photo);
$theme_name = module::get_var("core", "active_theme", "default");
$template = new Theme_View("page.html", "photo", $theme_name);
- $template->set_global('item', $item);
- $template->set_global('children', $item->children());
- $template->set_global('children_count', $item->children_count());
- $template->set_global('parents', $item->parents());
+ $template->set_global('item', $photo);
+ $template->set_global('children', array());
+ $template->set_global('children_count', $photo->children_count());
+ $template->set_global('parents', $photo->parents());
$template->content = new View("photo.html");
- $item->view_count++;
- $item->save();
+ $photo->view_count++;
+ $photo->save();
print $template;
}
/**
- * @see Rest_Controller::_form_add($parameters)
+ * @see Rest_Controller::_update($resource)
*/
- public function _form_add($parent_id) {
- $parent = ORM::factory("item", $parent_id);
+ public function _update($photo) {
+ access::required("edit", $photo);
+
+ $form = photo::get_edit_form($photo);
+ if ($form->validate()) {
+ // @todo implement changing the name. This is not trivial, we have
+ // to check for conflicts and rename the album itself, etc. Needs an
+ // api method.
+ $photo->title = $form->edit_photo->title->value;
+ $photo->description = $form->edit_photo->description->value;
+ $photo->save();
+
+ module::event("photo_changed", $photo);
- print photo::get_add_form($parent)->render();
+ log::add("content", "Updated photo", log::INFO, "<a href=\"photos/$photo->id\">view</a>");
+ message::add(_("Successfully saved photo"));
+
+ rest::http_status(rest::FOUND);
+ rest::http_location(url::site("photos/$photo->id"));
+ } else {
+ rest::html($form);
+ }
+ rest::respond();
+ }
+
+ /**
+ * @see Rest_Controller::_form_edit($resource)
+ */
+ public function _form_edit($photo) {
+ access::required("edit", $photo);
+ print photo::get_edit_form($photo);
}
}
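Review bot: `_update` builds its log link by hand as `"<a href=\"photos/$photo->id\">view</a>"`, a relative URL that resolves against whatever page the log is displayed on and bypasses the `html::anchor()` helper that `_create_photo` in albums.php uses for the same purpose; write `html::anchor("photos/$photo->id", "view")` instead. The same applies to the `albums/$album->id` link in `Albums_Controller::_update`. The @todo comment still says "rename the album itself" and should say photo. The success status here is `rest::FOUND` while the album version returns `rest::CREATED` for the same kind of update, so one of the two is presumably wrong.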
diff --git a/core/controllers/rest.php b/core/controllers/rest.php
index c10bbcdb..0ac7a1c9 100644
--- a/core/controllers/rest.php
+++ b/core/controllers/rest.php
@@ -118,7 +118,7 @@ abstract class REST_Controller extends Controller {
/* We're adding a new item, pass along any additional parameters. */
public function form_add($parameters) {
- return $this->_form_add($parameters);
+ return $this->_form_add($parameters);
}
/**