Merge branch 'master' of git@github.com:gallery/gallery3

author: andyst <andy.st@gmail.com> 2009-06-01 23:45:37 -0700
committer: andyst <andy.st@gmail.com> 2009-06-01 23:45:37 -0700
commit: 02a840c84cada5a1c0cc0768f350424460310e5d (patch)
tree: 6a35d4afddcf291327a4ff42245bca17328084ae /modules/gallery/controllers/albums.php
parent: d0845aadc629cf10b8eee490a651c039750a1430 (diff)
parent: 3b6567f38c206f1302c7b22d94d5eae4b458311a (diff)
1 files changed, 11 insertions, 3 deletions
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 5ccadb37..efde4f09 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -24,11 +24,11 @@ class Albums_Controller extends Items_Controller {
    */
   public function _show($album) {
     if (!access::can("view", $album)) {
-      if ($album->id != 1) {
-        access::forbidden();
-      } else {
+      if ($album->id == 1) {
         print new Theme_View("login_page.html", "album");
         return;
+      } else {
+        access::forbidden();
       }
     }
 
@@ -77,6 +77,8 @@ class Albums_Controller extends Items_Controller {
    * @see REST_Controller::_create($resource)
    */
   public function _create($album) {
+    access::verify_csrf();
+    access::required("view", $album);
     access::required("add", $album);
 
     switch ($this->input->post("type")) {
@@ -92,6 +94,7 @@ class Albums_Controller extends Items_Controller {
   }
 
   private function _create_album($album) {
+    access::required("view", $album);
     access::required("add", $album);
 
     $form = album::get_add_form($album);
@@ -120,6 +123,7 @@ class Albums_Controller extends Items_Controller {
   }
 
   private function _create_photo($album) {
+    access::required("view", $album);
     access::required("add", $album);
 
     // If we set the content type as JSON, it triggers saving the result as
@@ -153,6 +157,8 @@ class Albums_Controller extends Items_Controller {
    * @see REST_Controller::_update($resource)
    */
   public function _update($album) {
+    access::verify_csrf();
+    access::required("view", $album);
     access::required("edit", $album);
 
     $form = album::get_edit_form($album);
@@ -202,6 +208,7 @@ class Albums_Controller extends Items_Controller {
    */
   public function _form_add($album_id) {
     $album = ORM::factory("item", $album_id);
+    access::required("view", $album);
     access::required("add", $album);
 
     switch ($this->input->get("type")) {
@@ -223,6 +230,7 @@ class Albums_Controller extends Items_Controller {
    *  @see REST_Controller::_form_add($parameters)
    */
   public function _form_edit($album) {
+    access::required("view", $album);
     access::required("edit", $album);
 
     print album::get_edit_form($album);
author	andyst <andy.st@gmail.com>	2009-06-01 23:45:37 -0700
committer	andyst <andy.st@gmail.com>	2009-06-01 23:45:37 -0700
commit	02a840c84cada5a1c0cc0768f350424460310e5d (patch)
tree	6a35d4afddcf291327a4ff42245bca17328084ae /modules/gallery/controllers/albums.php
parent	d0845aadc629cf10b8eee490a651c039750a1430 (diff)
parent	3b6567f38c206f1302c7b22d94d5eae4b458311a (diff)