| author | Tim Almdal <tnalmdal@shaw.ca> | 2009-12-04 11:42:37 -0800 | 
|---|---|---|
| committer | Tim Almdal <tnalmdal@shaw.ca> | 2009-12-04 11:42:37 -0800 | 
| commit | 8ca69cffbba70fe22e19478f742a37bdbd758d83 (patch) | |
| tree | 712a69eef7d134d7ad2ea2668d30fda44914beff /modules/gallery/tests | |
| parent | 5743b159c28888f2165cc4269d3302fea24fde7a (diff) | |
| parent | 5c107be9033ae48f781c8430702458f613e791ee (diff) | |
Merge branch 'master' into talmdal_dev
Diffstat (limited to 'modules/gallery/tests')
| -rw-r--r-- | modules/gallery/tests/Albums_Controller_Test.php | 3 | ||||
| -rw-r--r-- | modules/gallery/tests/Controller_Auth_Test.php | 16 | ||||
| -rw-r--r-- | modules/gallery/tests/Database_Test.php | 1 | ||||
| -rw-r--r-- | modules/gallery/tests/Photos_Controller_Test.php | 3 | ||||
| -rw-r--r-- | modules/gallery/tests/REST_Controller_Test.php | 197 | ||||
| -rw-r--r-- | modules/gallery/tests/REST_Helper_Test.php | 45 | ||||
| -rw-r--r-- | modules/gallery/tests/controller_auth_data.txt | 16 | ||||
| -rw-r--r-- | modules/gallery/tests/xss_data.txt | 4 | 
8 files changed, 9 insertions, 276 deletions
|
diff --git a/modules/gallery/tests/Albums_Controller_Test.php b/modules/gallery/tests/Albums_Controller_Test.php
index 8562355c..9b904387 100644
--- a/modules/gallery/tests/Albums_Controller_Test.php
+++ b/modules/gallery/tests/Albums_Controller_Test.php
@@ -48,7 +48,8 @@ class Albums_Controller_Test extends Unit_Test_Case {
     access::allow(identity::everybody(), "edit", $root);
     ob_start();
-    $controller->_update($this->_album);
+    $controller->update($this->_album->id);
+    $this->_album->reload();
     $results = ob_get_contents();
     ob_end_clean();
diff --git a/modules/gallery/tests/Controller_Auth_Test.php b/modules/gallery/tests/Controller_Auth_Test.php
index 0a7076c6..124d8b4c 100644
--- a/modules/gallery/tests/Controller_Auth_Test.php
+++ b/modules/gallery/tests/Controller_Auth_Test.php
@@ -18,11 +18,6 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class Controller_Auth_Test extends Unit_Test_Case {
-  static $rest_methods = array("_index", "_show", "_form_edit", "_form_add", "_create",
-                               "_update", "_delete");
-
-  static $rest_methods_with_csrf_check = array("_update", "_delete", "_create");
-
   public function find_missing_auth_test() {
     $found = array();
     $controllers = explode("\n", `git ls-files '*/*/controllers/*.php'`);
@@ -46,7 +41,6 @@ class Controller_Auth_Test extends Unit_Test_Case {
       }
       $is_admin_controller = false;
-      $is_rest_controller = false;
       $open_braces = 0;
       $function = null;
@@ -64,7 +58,6 @@ class Controller_Auth_Test extends Unit_Test_Case {
               $function = null;
             } else if ($open_braces == 0) {
               $is_admin_controller = false;
-              $is_rest_controller = false;
             }
           } else if ($token == "{") {
             $open_braces++;
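Review bot: If `$controller->update($this->_album->id)` throws between `ob_start()` and `ob_end_clean()`, the output buffer stays open and anything the action printed leaks into the tests that run afterwards. The deleted REST tests on this page expect the dispatcher to raise when the CSRF token is missing, so the public action may well throw here, although its body is not visible. The Photos_Controller_Test hunk has the same pattern around `$controller->update($photo->id)`. Catching, closing the buffer and rethrowing keeps such a failure confined to the test that caused it. The test method starts and ends outside the hunk, so whether `$_POST["csrf"]` is prepared for the call cannot be checked from here.

```php
    ob_start();
    try {
      $controller->update($this->_album->id);
    } catch (Exception $e) {
      // Close the buffer so a failing action cannot leak output into later tests.
      ob_end_clean();
      throw $e;
    }
    $this->_album->reload();
    // … unchanged: ob_get_contents() / ob_end_clean() …
```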
@@ -75,8 +68,6 @@ class Controller_Auth_Test extends Unit_Test_Case {
           if ($open_braces == 0 && $token[0] == T_EXTENDS) {
             if (self::_token_matches(array(T_STRING, "Admin_Controller"), $tokens, $token_number + 1)) {
               $is_admin_controller = true;
-            } else if (self::_token_matches(array(T_STRING, "REST_Controller"), $tokens, $token_number + 1)) {
-              $is_rest_controller = true;
             }
           } else if ($open_braces == 1 && $token[0] == T_FUNCTION) {
             $line = $token[2];
@@ -101,13 +92,8 @@ class Controller_Auth_Test extends Unit_Test_Case {
             $is_rss_feed = $name == "feed" && strpos(basename($controller), "_rss.php");
-            if ((!$is_static || $is_rss_feed) &&
-                (!$is_private ||
-                 ($is_rest_controller && in_array($name, self::$rest_methods)))) {
+            if ((!$is_static || $is_rss_feed) && !$is_private) {
               $function = self::_function($name, $line, $is_admin_controller);
-              if ($is_rest_controller && in_array($name, self::$rest_methods_with_csrf_check)) {
-                $function->checks_csrf(true);
-              }
             }
           }
diff --git a/modules/gallery/tests/Database_Test.php b/modules/gallery/tests/Database_Test.php
index ad2bbba1..98bd4046 100644
--- a/modules/gallery/tests/Database_Test.php
+++ b/modules/gallery/tests/Database_Test.php
@@ -138,7 +138,6 @@ class Database_For_Test extends Database {
   public function query($sql = '') {
     if (!empty($sql)) {
-      print " query($sql)\n";
       $sql = $this->add_table_prefixes($sql);
     }
     return $sql;
diff --git a/modules/gallery/tests/Photos_Controller_Test.php b/modules/gallery/tests/Photos_Controller_Test.php
index 624e6878..fa4f101a 100644
--- a/modules/gallery/tests/Photos_Controller_Test.php
+++ b/modules/gallery/tests/Photos_Controller_Test.php
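Review bot: The new condition `if ((!$is_static || $is_rss_feed) && !$is_private) {` in the `-101,13` hunk excludes every private method from the auth/CSRF scan, so the scanner's coverage now depends on private methods never being reachable from a request, and nothing in the code states that. The baseline file in this same commit still lists `__call` handlers (admin.php, file_proxy.php), and a `__call` dispatcher is exactly the kind of code that can forward a request to a private helper. How `$is_private` is computed lies outside the hunk; if it is derived from a leading underscore rather than the `private` keyword, the unscanned set is larger than it looks. I would record the assumption directly above the condition: `// Private methods are skipped on the assumption that the router cannot reach them; __call dispatchers must be audited by hand.` The enclosing token loop starts and ends outside the hunk.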
@@ -44,7 +44,8 @@ class Photos_Controller_Test extends Unit_Test_Case {
     access::allow(identity::everybody(), "edit", $root);
     ob_start();
-    $controller->_update($photo);
+    $controller->update($photo->id);
+    $photo->reload();
     $results = ob_get_contents();
     ob_end_clean();
diff --git a/modules/gallery/tests/REST_Controller_Test.php b/modules/gallery/tests/REST_Controller_Test.php
deleted file mode 100644
index 8fb04d86..00000000
--- a/modules/gallery/tests/REST_Controller_Test.php
+++ /dev/null
@@ -1,197 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA. - */ -class REST_Controller_Test extends Unit_Test_Case { -  public function setup() { -    $this->_post = $_POST; -    $this->mock_controller = new Mock_RESTful_Controller("mock"); -    $this->mock_not_loaded_controller = new Mock_RESTful_Controller("mock_not_loaded"); -    $_POST = array(); -  } - -  public function teardown() { -    $_POST = $this->_post; -  } - -  public function dispatch_index_test() { -    $_SERVER["REQUEST_METHOD"] = "GET"; -    $_POST["_method"] = ""; -    $this->mock_controller->__call("index", ""); -    $this->assert_equal("index", $this->mock_controller->method_called); -  } - -  public function dispatch_show_test() { -    $_SERVER["REQUEST_METHOD"] = "GET"; -    $_POST["_method"] = ""; -    $this->mock_controller->__call("3", ""); -    $this->assert_equal("show", $this->mock_controller->method_called); -    $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); -  } - -  public function dispatch_update_test() { -    $_SERVER["REQUEST_METHOD"] = "POST"; -    $_POST["_method"] = "PUT"; -    $_POST["csrf"] = 
access::csrf_token(); -    $this->mock_controller->__call("3", ""); -    $this->assert_equal("update", $this->mock_controller->method_called); -    $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); -  } - -  public function dispatch_update_fails_without_csrf_test() { -    $_SERVER["REQUEST_METHOD"] = "POST"; -    $_POST["_method"] = "PUT"; -    try { -      $this->mock_controller->__call("3", ""); -      $this->assert_false(true, "this should fail with a forbidden exception"); -    } catch (Exception $e) { -      // pass -    } -  } - -  public function dispatch_delete_test() { -    $_SERVER["REQUEST_METHOD"] = "POST"; -    $_POST["_method"] = "DELETE"; -    $_POST["csrf"] = access::csrf_token(); -    $this->mock_controller->__call("3", ""); -    $this->assert_equal("delete", $this->mock_controller->method_called); -    $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); -  } - -  public function dispatch_delete_fails_without_csrf_test() { -    $_SERVER["REQUEST_METHOD"] = "POST"; -    $_POST["_method"] = "DELETE"; -    try { -      $this->mock_controller->__call("3", ""); -      $this->assert_false(true, "this should fail with a forbidden exception"); -    } catch (Exception $e) { -      // pass -    } -  } - -  public function dispatch_404_test() { -    /* The dispatcher should throw a 404 if the resource isn't loaded and the method isn't POST. 
*/ -    $methods = array( -      array("GET", ""), -      array("POST", "PUT"), -      array("POST", "DELETE")); - -    foreach ($methods as $method) { -      $_SERVER["REQUEST_METHOD"] = $method[0]; -      $_POST["_method"] = $method[1]; -      $exception_caught = false; -      try { -        $this->mock_not_loaded_controller->__call(rand(), ""); -      } catch (Kohana_404_Exception $e) { -        $exception_caught = true; -      } -      $this->assert_true($exception_caught, "$method[0], $method[1]"); -    } -  } - -  public function dispatch_create_test() { -    $_SERVER["REQUEST_METHOD"] = "POST"; -    $_POST["_method"] = ""; -    $_POST["csrf"] = access::csrf_token(); -    $this->mock_not_loaded_controller->__call("", ""); -    $this->assert_equal("create", $this->mock_not_loaded_controller->method_called); -    $this->assert_equal( -      "Mock_Not_Loaded_Model", get_class($this->mock_not_loaded_controller->resource)); -  } - -  public function dispatch_create_fails_without_csrf_test() { -    $_SERVER["REQUEST_METHOD"] = "POST"; -    $_POST["_method"] = ""; -    try { -      $this->mock_not_loaded_controller->__call("", ""); -      $this->assert_false(true, "this should fail with a forbidden exception"); -    } catch (Exception $e) { -      // pass -    } -  } - -  public function dispatch_form_test_add() { -    $this->mock_controller->form_add("args"); -    $this->assert_equal("form_add", $this->mock_controller->method_called); -    $this->assert_equal("args", $this->mock_controller->resource); -  } - -  public function dispatch_form_test_edit() { -    $this->mock_controller->form_edit("1"); -    $this->assert_equal("form_edit", $this->mock_controller->method_called); -    $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); -  } - -  public function routes_test() { -    $this->assert_equal("mock/form_add/args", router::routed_uri("form/add/mock/args")); -    $this->assert_equal("mock/form_edit/args", 
router::routed_uri("form/edit/mock/args")); -    $this->assert_equal(null, router::routed_uri("rest/args")); -  } -} - -class Mock_RESTful_Controller extends REST_Controller { -  public $method_called; -  public $resource; - -  public function __construct($type) { -    $this->resource_type = $type; -    parent::__construct(); -  } - -  public function _index() { -    $this->method_called = "index"; -  } - -  public function _create($resource) { -    $this->method_called = "create"; -    $this->resource = $resource; -  } - -  public function _show($resource) { -    $this->method_called = "show"; -    $this->resource = $resource; -  } - -  public function _update($resource) { -    $this->method_called = "update"; -    $this->resource = $resource; -  } - -  public function _delete($resource) { -    $this->method_called = "delete"; -    $this->resource = $resource; -  } - -  public function _form_add($args) { -    $this->method_called = "form_add"; -    $this->resource = $args; -  } - -  public function _form_edit($resource) { -    $this->method_called = "form_edit"; -    $this->resource = $resource; -  } -} - -class Mock_Model { -  public $loaded = true; -} - -class Mock_Not_Loaded_Model { -  public $loaded = false; -} diff --git a/modules/gallery/tests/REST_Helper_Test.php b/modules/gallery/tests/REST_Helper_Test.php deleted file mode 100644 index 1bfc63ab..00000000 --- a/modules/gallery/tests/REST_Helper_Test.php +++ /dev/null 
@@ -1,45 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA. - */ -class REST_Helper_Test extends Unit_Test_Case { -  public function setup() { -    $this->_post = $_POST; -  } - -  public function teardown() { -    $_POST = $this->_post; -  } - -  public function request_method_test() { -    foreach (array("GET", "POST") as $method) { -      foreach (array("", "PUT", "DELETE") as $tunnel) { -        if ($method == "GET") { -          $expected = "GET"; -        } else { -          $expected = $tunnel == "" ? $method : $tunnel; -        } -        $_SERVER["REQUEST_METHOD"] = $method; -        $_POST["_method"] = $tunnel; - -        $this->assert_equal(strtolower(rest::request_method()), strtolower($expected), -          "Request method: {$method}, tunneled: {$tunnel}"); -      } -    } -  } -} diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt index 30102538..1fe29ffb 100644 --- a/modules/gallery/tests/controller_auth_data.txt +++ b/modules/gallery/tests/controller_auth_data.txt 
@@ -1,11 +1,9 @@
 modules/comment/controllers/admin_comments.php               queue                DIRTY_CSRF
-modules/comment/controllers/comments.php                     _index               DIRTY_CSRF
 modules/comment/helpers/comment_rss.php                      feed                 DIRTY_AUTH
 modules/digibug/controllers/digibug.php                      print_proxy          DIRTY_CSRF|DIRTY_AUTH
 modules/digibug/controllers/digibug.php                      close_window         DIRTY_AUTH
 modules/gallery/controllers/admin.php                        __call               DIRTY_AUTH
 modules/gallery/controllers/albums.php                       _show                DIRTY_CSRF
-modules/gallery/controllers/albums.php                       _form_add            DIRTY_CSRF
 modules/gallery/controllers/combined.php                     javascript           DIRTY_AUTH
 modules/gallery/controllers/combined.php                     css                  DIRTY_AUTH
 modules/gallery/controllers/file_proxy.php                   __call               DIRTY_CSRF|DIRTY_AUTH
@@ -15,17 +13,6 @@ modules/gallery/controllers/login.php                        html
 modules/gallery/controllers/login.php                        auth_html            DIRTY_AUTH
 modules/gallery/controllers/logout.php                       index                DIRTY_CSRF|DIRTY_AUTH
 modules/gallery/controllers/maintenance.php                  index                DIRTY_AUTH
-modules/gallery/controllers/rest.php                         __construct          DIRTY_AUTH
-modules/gallery/controllers/rest.php                         __call               DIRTY_AUTH
-modules/gallery/controllers/rest.php                         form_edit            DIRTY_AUTH
-modules/gallery/controllers/rest.php                         form_add             DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _index               DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _create              DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _show                DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _update              DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _delete              DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _form_add            DIRTY_AUTH
-modules/gallery/controllers/rest.php                         _form_edit           DIRTY_AUTH
 modules/gallery/controllers/simple_uploader.php              start                DIRTY_AUTH
 modules/gallery/controllers/simple_uploader.php              finish               DIRTY_AUTH
 modules/gallery/controllers/upgrader.php                     index                DIRTY_AUTH
@@ -35,6 +22,7 @@ modules/search/controllers/search.php                        index
 modules/server_add/controllers/admin_server_add.php          autocomplete         DIRTY_CSRF
 modules/server_add/controllers/server_add.php                children             DIRTY_CSRF
 modules/tag/controllers/admin_tags.php                       index                DIRTY_CSRF
-modules/tag/controllers/tags.php                             _show                DIRTY_CSRF|DIRTY_AUTH
+modules/tag/controllers/tags.php                             show                 DIRTY_CSRF|DIRTY_AUTH
+modules/tag/controllers/tags.php                             autocomplete         DIRTY_CSRF|DIRTY_AUTH
 modules/user/controllers/password.php                        reset                DIRTY_AUTH
 modules/user/controllers/password.php                        do_reset             DIRTY_CSRF|DIRTY_AUTH
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index fa818636..3708bc6d 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
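Review bot: The added baseline line for `modules/tag/controllers/tags.php` `autocomplete` carries `DIRTY_CSRF|DIRTY_AUTH`, which, going by the flag names and Controller_Auth_Test, means the scanner found neither an authorization check nor a CSRF check in a brand-new action. A baseline entry silences the test for that action from now on, so a new one deserves a justification in the commit message rather than a silent addition. For `autocomplete` that means confirming the action is read-only and returns only tags attached to items the caller is allowed to view. If both hold, the missing CSRF check is harmless, but the missing authorization check is better fixed in the controller than recorded here.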
@@ -298,8 +298,8 @@ modules/server_add/views/server_add_tree_dialog.html.php     4   DIRTY_JS url::s
 modules/server_add/views/server_add_tree_dialog.html.php     21  DIRTY    $tree
 modules/tag/views/admin_tags.html.php                        45  DIRTY_ATTR $tag->id
 modules/tag/views/admin_tags.html.php                        46  DIRTY    $tag->count
-modules/tag/views/tag_block.html.php                         27  DIRTY    $cloud
-modules/tag/views/tag_block.html.php                         29  DIRTY    $form
+modules/tag/views/tag_block.html.php                         25  DIRTY    $cloud
+modules/tag/views/tag_block.html.php                         27  DIRTY    $form
 modules/tag/views/tag_cloud.html.php                         4   DIRTY_ATTR (int)(($tag->count/$max_count)*7)
 modules/tag/views/tag_cloud.html.php                         5   DIRTY    $tag->count
 modules/tag/views/tag_cloud.html.php                         6   DIRTY_JS $tag->url()
|
