Merge commit 'upstream/master'

Conflicts:

	modules/gallery/tests/xss_data.txt

5 files changed, 107 insertions, 326 deletions

diff --git a/modules/user/helpers/group.php b/modules/user/helpers/group.php
index 04e6efd6..3aaf1b11 100644
--- a/modules/user/helpers/group.php
+++ b/modules/user/helpers/group.php
@@ -28,7 +28,7 @@ class group_Core {
    * Create a new group.
    *
    * @param string  $name
-   * @return Group_Model
+   * @return Group_Definition the group object
    */
   static function create($name) {
     $group = ORM::factory("group")->where("name", $name)->find();
@@ -38,14 +38,13 @@ class group_Core {
 
     $group->name = $name;
     $group->save();
-
     return $group;
   }
 
   /**
    * The group of all possible visitors.  This includes the guest user.
    *
-   * @return Group_Model
+   * @return Group_Definition the group object
    */
   static function everybody() {
     return model_cache::get("group", 1);
@@ -54,54 +53,47 @@ class group_Core {
   /**
    * The group of all logged-in visitors.  This does not include guest users.
    *
-   * @return Group_Model
+   * @return Group_Definition the group object
    */
   static function registered_users() {
     return model_cache::get("group", 2);
   }
 
   /**
+   * Look up a group by id.
+   * @param integer      $id the user id
+   * @return Group_Definition  the group object, or null if the id was invalid.
+   */
+  static function lookup($id) {
+    return self::_lookup_by_field("id", $id);
+  }
+
+  /**
    * Look up a group by name.
    * @param integer      $id the group name
-   * @return Group_Model  the group object, or null if the name was invalid.
+   * @return Group_Definition  the group object, or null if the name was invalid.
    */
   static function lookup_by_name($name) {
-    $group = model_cache::get("group", $name, "name");
-    if ($group->loaded) {
-      return $group;
-    }
-    return null;
+    return self::_lookup_by_field("name", $name);
   }
 
-  static function get_edit_form_admin($group) {
-    $form = new Forge("admin/users/edit_group/$group->id", "", "post", array("id" => "gEditGroupForm"));
-    $form_group = $form->group("edit_group")->label(t("Edit Group"));
-    $form_group->input("name")->label(t("Name"))->id("gName")->value($group->name);
-    $form_group->inputs["name"]->error_messages(
-      "in_use", t("There is already a group with that name"));
-    $form_group->submit("")->value(t("Save"));
-    $form->add_rules_from($group);
-    return $form;
-  }
-
-  static function get_add_form_admin() {
-    $form = new Forge("admin/users/add_group", "", "post", array("id" => "gAddGroupForm"));
-    $form_group = $form->group("add_group")->label(t("Add Group"));
-    $form_group->input("name")->label(t("Name"))->id("gName");
-    $form_group->inputs["name"]->error_messages(
-      "in_use", t("There is already a group with that name"));
-    $form_group->submit("")->value(t("Add Group"));
-    $group = ORM::factory("group");
-    $form->add_rules_from($group);
-    return $form;
-  }
-
-  static function get_delete_form_admin($group) {
-    $form = new Forge("admin/users/delete_group/$group->id", "", "post",
-                      array("id" => "gDeleteGroupForm"));
-    $form_group = $form->group("delete_group")->label(
-      t("Are you sure you want to delete group %group_name?", array("group_name" => $group->name)));
-    $form_group->submit("")->value(t("Delete"));
-    return $form;
+  /**
+   * Search the groups by the field and value.
+   * @param string      $field_name column to look up the user by
+   * @param string      $value value to match
+   * @return Group_Definition  the group object, or null if the name was invalid.
+   */
+  private static function _lookup_by_field($field_name, $value) {
+    try {
+      $user = model_cache::get("group", $value, $field_name);
+      if ($user->loaded) {
+        return $user;
+      }
+    } catch (Exception $e) {
+      if (strpos($e->getMessage(), "MISSING_MODEL") === false) {
+       throw $e;
+      }
+    }
+    return null;
   }
 }
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index b9162b92..f9f16da5 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -24,153 +24,6 @@
  * Note: by design, this class does not do any permission checking.
  */
 class user_Core {
-  static function get_edit_form($user) {
-    $form = new Forge("users/$user->id?_method=put", "", "post", array("id" => "gEditUserForm"));
-    $group = $form->group("edit_user")->label(t("Edit User: %name", array("name" => $user->name)));
-    $group->input("full_name")->label(t("Full Name"))->id("gFullName")->value($user->full_name);
-    self::_add_locale_dropdown($group, $user);
-    $group->password("password")->label(t("Password"))->id("gPassword");
-    $group->password("password2")->label(t("Confirm Password"))->id("gPassword2")
-      ->matches($group->password);
-    $group->input("email")->label(t("Email"))->id("gEmail")->value($user->email);
-    $group->input("url")->label(t("URL"))->id("gUrl")->value($user->url);
-    $form->add_rules_from($user);
-
-    module::event("user_edit_form", $user, $form);
-    $group->submit("")->value(t("Save"));
-    return $form;
-  }
-
-  static function get_edit_form_admin($user) {
-    $form = new Forge(
-      "admin/users/edit_user/$user->id", "", "post", array("id" => "gEditUserForm"));
-    $group = $form->group("edit_user")->label(t("Edit User"));
-    $group->input("name")->label(t("Username"))->id("gUsername")->value($user->name);
-    $group->inputs["name"]->error_messages(
-      "in_use", t("There is already a user with that username"));
-    $group->input("full_name")->label(t("Full Name"))->id("gFullName")->value($user->full_name);
-    self::_add_locale_dropdown($group, $user);
-    $group->password("password")->label(t("Password"))->id("gPassword");
-    $group->password("password2")->label(t("Confirm Password"))->id("gPassword2")
-      ->matches($group->password);
-    $group->input("email")->label(t("Email"))->id("gEmail")->value($user->email);
-    $group->input("url")->label(t("URL"))->id("gUrl")->value($user->url);
-    $group->checkbox("admin")->label(t("Admin"))->id("gAdmin")->checked($user->admin);
-    $form->add_rules_from($user);
-    $form->edit_user->password->rules("-required");
-
-    module::event("user_edit_form_admin", $user, $form);
-    $group->submit("")->value(t("Modify User"));
-    return $form;
-  }
-
-  static function get_add_form_admin() {
-    $form = new Forge("admin/users/add_user", "", "post", array("id" => "gAddUserForm"));
-    $group = $form->group("add_user")->label(t("Add User"));
-    $group->input("name")->label(t("Username"))->id("gUsername")
-      ->error_messages("in_use", t("There is already a user with that username"));
-    $group->input("full_name")->label(t("Full Name"))->id("gFullName");
-    $group->password("password")->label(t("Password"))->id("gPassword");
-    $group->password("password2")->label(t("Confirm Password"))->id("gPassword2")
-      ->matches($group->password);
-    $group->input("email")->label(t("Email"))->id("gEmail");
-    $group->input("url")->label(t("URL"))->id("gUrl");
-    self::_add_locale_dropdown($group);
-    $group->checkbox("admin")->label(t("Admin"))->id("gAdmin");
-    $user = ORM::factory("user");
-    $form->add_rules_from($user);
-
-    module::event("user_add_form_admin", $user, $form);
-    $group->submit("")->value(t("Add User"));
-    return $form;
-  }
-
-  private static function _add_locale_dropdown(&$form, $user=null) {
-    $locales = locales::installed();
-    foreach ($locales as $locale => $display_name) {
-      $locales[$locale] = SafeString::of_safe_html($display_name);
-    }
-    if (count($locales) > 1) {
-      // Put "none" at the first position in the array
-      $locales = array_merge(array("" => t("« none »")), $locales);
-      $selected_locale = ($user && $user->locale) ? $user->locale : "";
-      $form->dropdown("locale")
-        ->label(t("Language Preference"))
-        ->options($locales)
-        ->selected($selected_locale);
-    }
-  }
-
-  static function get_delete_form_admin($user) {
-    $form = new Forge("admin/users/delete_user/$user->id", "", "post",
-                      array("id" => "gDeleteUserForm"));
-    $group = $form->group("delete_user")->label(
-      t("Are you sure you want to delete user %name?", array("name" => $user->name)));
-    $group->submit("")->value(t("Delete user %name", array("name" => $user->name)));
-    return $form;
-  }
-
-  static function get_login_form($url) {
-    $form = new Forge($url, "", "post", array("id" => "gLoginForm"));
-    $group = $form->group("login")->label(t("Login"));
-    $group->input("name")->label(t("Username"))->id("gUsername")->class(null);
-    $group->password("password")->label(t("Password"))->id("gPassword")->class(null);
-    $group->inputs["name"]->error_messages("invalid_login", t("Invalid name or password"));
-    $group->submit("")->value(t("Login"));
-    return $form;
-  }
-
-  /**
-   * Make sure that we have a session and group_ids cached in the session.
-   */
-  static function load_user() {
-    $session = Session::instance();
-    if (!($user = $session->get("user"))) {
-      $session->set("user", $user = user::guest());
-    }
-
-    // The installer cannot set a user into the session, so it just sets an id which we should
-    // upconvert into a user.
-    if ($user === 2) {
-      $user = model_cache::get("user", 2);
-      user::login($user);
-      $session->set("user", $user);
-    }
-
-    if (!$session->get("group_ids")) {
-      $ids = array();
-      foreach ($user->groups as $group) {
-        $ids[] = $group->id;
-      }
-      $session->set("group_ids", $ids);
-    }
-  }
-
-  /**
-   * Return the array of group ids this user belongs to
-   *
-   * @return array
-   */
-  static function group_ids() {
-    return Session::instance()->get("group_ids", array(1));
-  }
-
-  /**
-   * Return the active user.  If there's no active user, return the guest user.
-   *
-   * @return User_Model
-   */
-  static function active() {
-    // @todo (maybe) cache this object so we're not always doing session lookups.
-    $user = Session::instance()->get("user", null);
-    if (!isset($user)) {
-      // Don't do this as a fallback in the Session::get() call because it can trigger unnecessary
-      // work.
-      $user = user::guest();
-    }
-    return $user;
-  }
-
   /**
    * Return the guest user.
    *
@@ -183,18 +36,6 @@ class user_Core {
   }
 
   /**
-   * Change the active user.
-   *
-   * @return User_Model
-   */
-  static function set_active($user) {
-    $session = Session::instance();
-    $session->set("user", $user);
-    $session->delete("group_ids");
-    self::load_user();
-  }
-
-  /**
    * Create a new user.
    *
    * @param string  $name
@@ -267,91 +108,69 @@ class user_Core {
   }
 
   /**
-   * Log in as a given user.
-   * @param object $user the user object.
-   */
-  static function login($user) {
-    $user->login_count += 1;
-    $user->last_login = time();
-    $user->save();
-
-    user::set_active($user);
-    module::event("user_login", $user);
-  }
-
-  /**
-   * Log out the active user and destroy the session.
-   * @param object $user the user object.
-   */
-  static function logout() {
-    $user = user::active();
-    if (!$user->guest) {
-      try {
-        Session::instance()->destroy();
-      } catch (Exception $e) {
-        Kohana::log("error", $e);
-      }
-      module::event("user_logout", $user);
-    }
-  }
-
-  /**
    * Look up a user by id.
    * @param integer      $id the user id
    * @return User_Model  the user object, or null if the id was invalid.
    */
   static function lookup($id) {
-    $user = model_cache::get("user", $id);
-    if ($user->loaded) {
-      return $user;
-    }
-    return null;
+    return self::_lookup_user_by_field("id", $id);
   }
 
   /**
    * Look up a user by name.
-   * @param integer      $id the user name
+   * @param integer      $name the user name
    * @return User_Model  the user object, or null if the name was invalid.
    */
   static function lookup_by_name($name) {
-    $user = model_cache::get("user", $name, "name");
-    if ($user->loaded) {
-      return $user;
-    }
-    return null;
+    return self::_lookup_user_by_field("name", $name);
   }
 
   /**
-   * Create a hashed password using md5 plus salt.
-   * @param string $password plaintext password
-   * @param string $salt (optional) salt or hash containing salt (randomly generated if omitted)
-   * @return string hashed password
+   * Look up a user by hash.
+   * @param integer      $hash the user hash value
+   * @return User_Model  the user object, or null if the name was invalid.
    */
-  private static function _md5Salt($password, $salt="") {
-    if (empty($salt)) {
-      for ($i = 0; $i < 4; $i++) {
-        $char = mt_rand(48, 109);
-        $char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;
-        $salt .= chr($char);
+  static function lookup_by_hash($hash) {
+    return self::_lookup_user_by_field("hash", $hash);
+  }
+
+  /**
+   * List the users
+   * @param mixed      filters (@see Database.php
+   * @return array     the user list.
+   */
+  static function get_user_list($filter=array()) {
+    $user = ORM::factory("user");
+
+    foreach($filter as $method => $args) {
+      switch ($method) {
+      case "in":
+        $user->in($args[0], $args[1]);
+        break;
+      default:
+        $user->$method($args);
       }
-    } else {
-      $salt = substr($salt, 0, 4);
     }
-    return $salt . md5($salt . $password);
+    return $user->find_all();
   }
 
-  static function cookie_locale() {
-    $cookie_data = Input::instance()->cookie("g_locale");
-    $locale = null;
-    if ($cookie_data) {
-      if (preg_match("/^([a-z]{2,3}(?:_[A-Z]{2})?)$/", trim($cookie_data), $matches)) {
-        $requested_locale = $matches[1];
-        $installed_locales = locales::installed();
-        if (isset($installed_locales[$requested_locale])) {
-          $locale = $requested_locale;
-        }
+  /**
+   * Look up a user by field value.
+   * @param string      search field
+   * @param string      search value
+   * @return User_Core  the user object, or null if the name was invalid.
+   */
+  private static function _lookup_user_by_field($field_name, $value) {
+    try {
+      $user = model_cache::get("user", $value, $field_name);
+      if ($user->loaded) {
+        return $user;
+      }
+    } catch (Exception $e) {
+      if (strpos($e->getMessage(), "MISSING_MODEL") === false) {
+       throw $e;
       }
     }
-    return $locale;
+    return null;
   }
 }
\ No newline at end of file
diff --git a/modules/user/helpers/user_event.php b/modules/user/helpers/user_event.php
index ede4e515..cf91812e 100644
--- a/modules/user/helpers/user_event.php
+++ b/modules/user/helpers/user_event.php
@@ -17,37 +17,14 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
-class user_event_Core {
-  /**
-   * Initialization.
-   */
-  static function gallery_ready() {
-    user::load_user();
-    self::set_request_locale();
-  }
 
+class user_event_Core {
   static function admin_menu($menu, $theme) {
-    $menu->add_after("appearance_menu",
-                     Menu::factory("link")
+    $menu->add_after("appearance_menu", Menu::factory("link")
                      ->id("users_groups")
                      ->label(t("Users/Groups"))
                      ->url(url::site("admin/users")));
-  }
 
-  static function set_request_locale() {
-    // 1. Check the session specific preference (cookie)
-    $locale = user::cookie_locale();
-    // 2. Check the user's preference
-    if (!$locale) {
-      $locale = user::active()->locale;
-    }
-    // 3. Check the browser's / OS' preference
-    if (!$locale) {
-      $locale = locales::locale_from_http_request();
-    }
-    // If we have any preference, override the site's default locale
-    if ($locale) {
-      I18n::instance()->locale($locale);
-    }
+    return $menu;
   }
 }
diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php
index 8ef4f13d..0cba502f 100644
--- a/modules/user/helpers/user_installer.php
+++ b/modules/user/helpers/user_installer.php
@@ -70,9 +70,18 @@ class user_installer {
     $admin->admin = true;
     $admin->save();
 
-    // Let the admin own everything
-    $db->update("items", array("owner_id" => $admin->id), array("owner_id" => "IS NULL"));
-    module::set_version("user", 1);
+    $current_provider = module::get_var("gallery", "identity_provider");
+    if (empty($current_provider)) {
+      // If there is no provider defined then we are doing an initial install
+      // so we need to set the provider and make the administrator own everything
+      // If the installer is called and there is an identity provider, then we
+      // are switching identity providers and and the event handlers will do the
+      // right things
+      module::set_var("gallery", "identity_provider", "user");
+
+      // Let the admin own everything
+      $db->query("update {items} set owner_id = {$admin->id}");
+    }
 
     $root = ORM::factory("item", 1);
     access::allow($everybody, "view", $root);
@@ -80,6 +89,18 @@ class user_installer {
 
     access::allow($registered, "view", $root);
     access::allow($registered, "view_full", $root);
+
+    module::set_var("user", "mininum_password_length", 5);
+
+    module::set_version("user", 2);
+  }
+
+  static function upgrade($version) {
+    if ($version == 1) {
+      module::set_var("user", "mininum_password_length", 5);
+
+      module::set_version("user", $version = 2);
+    }
   }
 
   static function uninstall() {
@@ -92,11 +113,6 @@ class user_installer {
       $group->delete();
     }
 
-    try {
-      Session::instance()->destroy();
-    } catch (Exception $e) {
-      // We don't care if there was a problem destroying the session.
-    }
     $db = Database::instance();
     $db->query("DROP TABLE IF EXISTS {users};");
     $db->query("DROP TABLE IF EXISTS {groups};");
diff --git a/modules/user/helpers/user_theme.php b/modules/user/helpers/user_theme.php
index 098d87fd..31e2e8c0 100644
--- a/modules/user/helpers/user_theme.php
+++ b/modules/user/helpers/user_theme.php
@@ -19,35 +19,12 @@
  */
 class user_theme_Core {
   static function head($theme) {
-    if (count(locales::installed())) {
-      // Needed by the languages block
-      $theme->script("jquery.cookie.js");
-    }
-    return "";
+    $theme->css("user.css");
+    $theme->script("password_strength.js");
   }
 
-  static function header_top($theme) {
-    if ($theme->page_type != "login") {
-      $view = new View("login.html");
-      $view->user = user::active();
-      return $view->render();
-    }
+  static function admin_head($theme) {
+    $theme->css("user.css");
+    $theme->script("password_strength.js");
   }
-
-  static function sidebar_blocks($theme) {
-    $locales = locales::installed();
-    foreach ($locales as $locale => $display_name) {
-      $locales[$locale] = SafeString::of_safe_html($display_name);
-    }
-    if (count($locales) > 1) {
-      $block = new Block();
-      $block->css_id = "gUserLanguageBlock";
-      $block->title = t("Language Preference");
-      $block->content = new View("user_languages_block.html");
-      $block->content->installed_locales =
-        array_merge(array("" => t("« none »")), $locales);
-      $block->content->selected = (string) user::cookie_locale();
-      return $block;
-    }
-  }
-}
+}
\ No newline at end of file