2 files changed, 17 insertions, 5 deletions

diff --git a/core/controllers/item.php b/core/controllers/item.php
index 78ee7b0b..286eb66f 100644
--- a/core/controllers/item.php
+++ b/core/controllers/item.php
@@ -21,6 +21,10 @@ class Item_Controller extends REST_Controller {
   protected $resource_type = "item";
 
   public function _get($item) {
+    if (empty($item)) {
+      // A null item is not allowed for albums or photos.
+      return Kohana::show_404();
+    }
     // Redirect to the more specific resource type, since it will render
     // differently.  We could also just delegate here, but it feels more appropriate
     // to have a single canonical resource mapping.
diff --git a/core/controllers/rest.php b/core/controllers/rest.php
index ff4d5120..6e0acbcb 100644
--- a/core/controllers/rest.php
+++ b/core/controllers/rest.php
@@ -49,17 +49,25 @@
 abstract class REST_Controller extends Controller {
   protected $resource_type = null;
 
-  public function dispatch($id) {
+  public function dispatch($id=null) {
     if ($this->resource_type == null) {
       throw new Exception("@todo ERROR_MISSING_RESOURCE_TYPE");
     }
 
-    // @todo this needs security checks
-    $resource = ORM::factory($this->resource_type, $id);
-    if (!$resource->loaded) {
+    if ($id != null) {
+      // @todo this needs security checks
+      $resource = ORM::factory($this->resource_type, $id);
+      if (!$resource->loaded) {
+        return Kohana::show_404();
+      }
+    } else if (request::method() == "get") {
+      // A null id and a request method of "get" just returns an empty form
+      // @todo figure out how to handle the input without and id
+      // @todo do we use put for create and post for update?
+      $resource = null;
+    } else {
       return Kohana::show_404();
     }
-
     /**
      * We're expecting to run in an environment that only supports GET/POST, so expect to tunnel
      * PUT/DELETE through POST.