9 files changed, 111 insertions, 24 deletions

diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php
index b92a32cd..98cac557 100644
--- a/modules/gallery/controllers/admin.php
+++ b/modules/gallery/controllers/admin.php
@@ -21,7 +21,7 @@ class Admin_Controller extends Controller {
   private $theme;
 
   public function __construct($theme=null) {
-    if (!(user::active()->admin)) {
+    if (!(identity::active_user()->admin)) {
       access::forbidden();
     }
 
diff --git a/modules/gallery/controllers/admin_identity.php b/modules/gallery/controllers/admin_identity.php
new file mode 100644
index 00000000..520b1966
--- /dev/null
+++ b/modules/gallery/controllers/admin_identity.php
@@ -0,0 +1,76 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Admin_Identity_Controller extends Admin_Controller {
+  public function index() {
+    $view = new Admin_View("admin.html");
+    $view->content = new View("admin_identity.html");
+    $view->content->available = identity::providers();
+    $view->content->active = module::get_var("gallery", "identity_provider", "user");
+    print $view;
+  }
+
+  public function confirm() {
+    access::verify_csrf();
+
+    $v = new View("admin_identity_confirm.html");
+    $v->new_provider = $this->input->post("provider");
+
+    print $v;
+  }
+
+  public function change() {
+    access::verify_csrf();
+
+    $active_provider = module::get_var("gallery", "identity_provider", "user");
+    $providers = identity::providers();
+
+    $new_provider = $this->input->post("provider");
+
+    if ($new_provider != $active_provider) {
+
+      module::event("identity_before_change", $active_provider, $new_provider);
+
+      module::deactivate($active_provider);
+      module::uninstall($active_provider);
+
+      // Switch authentication
+      identity::reset();
+      module::set_var("gallery", "identity_provider", $new_provider);
+
+      module::install($new_provider);
+      module::activate($new_provider);
+
+      message::success(t("Changed to %description",
+                         array("description" => $providers->$new_provider)));
+
+      try {
+        Session::instance()->destroy();
+      } catch (Exception $e) {
+        // We don't care if there was a problem destroying the session.
+      }
+      url::redirect(item::root()->abs_url());
+    }
+
+    message::info(t("The selected provider \"%description\" is already active.",
+                    array("description" => $providers->$new_provider)));
+    url::redirect("admin/identity");
+  }
+}
+
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 21e37073..d393422e 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -29,7 +29,7 @@ class Albums_Controller extends Items_Controller {
         $view = new Theme_View("page.html", "login");
         $view->page_title = t("Log in to Gallery");
         $view->content = new View("login_ajax.html");
-        $view->content->form = user::get_login_form("login/auth_html");
+        $view->content->form = login::get_form("login/auth_html");
         print $view;
         return;
       } else {
@@ -111,7 +111,7 @@ class Albums_Controller extends Items_Controller {
         $this->input->post("name"),
         $this->input->post("title", $this->input->post("name")),
         $this->input->post("description"),
-        user::active()->id,
+        identity::active_user()->id,
         $this->input->post("slug"));
 
       log::success("content", "Created an album",
@@ -146,7 +146,7 @@ class Albums_Controller extends Items_Controller {
         $_FILES["file"]["name"],
         $this->input->post("title", $this->input->post("name")),
         $this->input->post("description"),
-        user::active()->id);
+        identity::active_user()->id);
 
       log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo"));
       message::success(t("Added photo %photo_title",
diff --git a/modules/gallery/controllers/l10n_client.php b/modules/gallery/controllers/l10n_client.php
index 6fdbb3a1..6db67d3b 100644
--- a/modules/gallery/controllers/l10n_client.php
+++ b/modules/gallery/controllers/l10n_client.php
@@ -20,7 +20,7 @@
 class L10n_Client_Controller extends Controller {
   public function save() {
     access::verify_csrf();
-    if (!user::active()->admin) {
+    if (!identity::active_user()->admin) {
       access::forbidden();
     }
 
@@ -85,7 +85,7 @@ class L10n_Client_Controller extends Controller {
 
   public function toggle_l10n_mode() {
     access::verify_csrf();
-    if (!user::active()->admin) {
+    if (!identity::active_user()->admin) {
       access::forbidden();
     }
 
diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php
index 2c4bd557..720e6375 100644
--- a/modules/gallery/controllers/login.php
+++ b/modules/gallery/controllers/login.php
@@ -21,7 +21,7 @@ class Login_Controller extends Controller {
 
   public function ajax() {
     $view = new View("login_ajax.html");
-    $view->form = user::get_login_form("login/auth_ajax");
+    $view->form = login::get_form("login/auth_ajax");
     print $view;
   }
 
@@ -40,7 +40,7 @@ class Login_Controller extends Controller {
   }
 
   public function html() {
-    print user::get_login_form("login/auth_html");
+    print login::get_form("login/auth_html");
   }
 
   public function auth_html() {
@@ -53,12 +53,13 @@ class Login_Controller extends Controller {
       print $form;
     }
   }
+
   private function _auth($url) {
-    $form = user::get_login_form($url);
+    $form = login::get_form($url);
     $valid = $form->validate();
     if ($valid) {
-      $user = user::lookup_by_name($form->login->inputs["name"]->value);
-      if (empty($user) || !user::is_correct_password($user, $form->login->password->value)) {
+      $user = identity::lookup_user_by_name($form->login->inputs["name"]->value);
+      if (empty($user) || !identity::is_correct_password($user, $form->login->password->value)) {
         log::warning(
           "user",
           t("Failed login for %name",
@@ -69,7 +70,12 @@ class Login_Controller extends Controller {
     }
 
     if ($valid) {
-      user::login($user);
+      if (identity::is_writable()) {
+        $user->login_count += 1;
+        $user->last_login = time();
+        $user->save();
+      }
+      identity::set_active_user($user);
       log::info("user", t("User %name logged in", array("name" => $user->name)));
     }
 
diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php
index 45d397ad..1b0364fd 100644
--- a/modules/gallery/controllers/logout.php
+++ b/modules/gallery/controllers/logout.php
@@ -19,10 +19,15 @@
  */
 class Logout_Controller extends Controller {
   public function index() {
-    //access::verify_csrf();
-
-    $user = user::active();
-    user::logout();
+    $user = identity::active_user();
+    if (!$user->guest) {
+      try {
+        Session::instance()->destroy();
+      } catch (Exception $e) {
+        Kohana::log("error", $e);
+      }
+      module::event("user_logout", $user);
+    }
     log::info("user", t("User %name logged out", array("name" => $user->name)),
               html::anchor("user/$user->id", html::clean($user->name)));
     if ($continue_url = $this->input->get("continue")) {
diff --git a/modules/gallery/controllers/permissions.php b/modules/gallery/controllers/permissions.php
index 8d75862e..99943fbb 100644
--- a/modules/gallery/controllers/permissions.php
+++ b/modules/gallery/controllers/permissions.php
@@ -51,13 +51,13 @@ class Permissions_Controller extends Controller {
   function change($command, $group_id, $perm_id, $item_id) {
     access::verify_csrf();
 
-    $group = ORM::factory("group", $group_id);
+    $group = identity::lookup_group($group_id);
     $perm = ORM::factory("permission", $perm_id);
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);
     access::required("edit", $item);
 
-    if ($group->loaded && $perm->loaded && $item->loaded) {
+    if (!empty($group) && $perm->loaded && $item->loaded) {
       switch($command) {
       case "allow":
         access::allow($group, $perm->name, $item);
@@ -74,7 +74,7 @@ class Permissions_Controller extends Controller {
 
       // If the active user just took away their own edit permissions, give it back.
       if ($perm->name == "edit") {
-        if (!access::user_can(user::active(), "edit", $item)) {
+        if (!access::user_can(identity::active_user(), "edit", $item)) {
           access::allow($group, $perm->name, $item);
         }
       }
@@ -84,7 +84,7 @@ class Permissions_Controller extends Controller {
   private function _get_form($item) {
     $view = new View("permissions_form.html");
     $view->item = $item;
-    $view->groups = ORM::factory("group")->find_all();
+    $view->groups = identity::groups();
     $view->permissions = ORM::factory("permission")->find_all();
     return $view;
   }
diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php
index 0f6cbc2c..1aa607ef 100644
--- a/modules/gallery/controllers/upgrader.php
+++ b/modules/gallery/controllers/upgrader.php
@@ -40,7 +40,7 @@ class Upgrader_Controller extends Controller {
     }
 
     $view = new View("upgrader.html");
-    $view->can_upgrade = user::active()->admin || $session->get("can_upgrade");
+    $view->can_upgrade = identity::active_user()->admin || $session->get("can_upgrade");
     $view->upgrade_token = $upgrade_token;
     $view->available = module::available();
     $view->done = ($available_upgrades == 0);
@@ -52,7 +52,7 @@ class Upgrader_Controller extends Controller {
       // @todo this may screw up some module installers, but we don't have a better answer at
       // this time.
       $_SERVER["HTTP_HOST"] = "example.com";
-    } else if (!user::active()->admin && !Session::instance()->get("can_upgrade", false)) {
+    } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
       access::forbidden();
     }
 
diff --git a/modules/gallery/controllers/welcome_message.php b/modules/gallery/controllers/welcome_message.php
index 8fd1e0a0..af0d6997 100644
--- a/modules/gallery/controllers/welcome_message.php
+++ b/modules/gallery/controllers/welcome_message.php
@@ -19,12 +19,12 @@
  */
 class Welcome_Message_Controller extends Controller {
   public function index() {
-    if (!user::active()->admin) {
+    if (!identity::active_user()->admin) {
       url::redirect(item::root()->abs_url());
     }
 
     $v = new View("welcome_message.html");
-    $v->user = user::active();
+    $v->user = identity::active_user();
     print $v;
   }
 }