2 files changed, 27 insertions, 5 deletions

diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php
index 0486c0fe..53a96374 100644
--- a/modules/gallery/controllers/reauthenticate.php
+++ b/modules/gallery/controllers/reauthenticate.php
@@ -19,12 +19,19 @@
  */
 class Reauthenticate_Controller extends Controller {
   public function index() {
+    $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax());
     if (!identity::active_user()->admin) {
-      access::forbidden();
+      if ($is_ajax) {
+        // We should never be able to get here since Admin_Controller::_reauth_check() won't work
+        // for non-admins.
+        access::forbidden();
+      } else {
+        url::redirect(item::root()->abs_url());
+      }
     }
+
     // On redirects from the admin controller, the ajax request indicator is lost,
     // so we store it in the session.
-    $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax());
     if ($is_ajax) {
       $v = new View("reauthenticate.html");
       $v->form = self::_form();
diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php
index 6613d671..b2646874 100644
--- a/modules/gallery/controllers/upgrader.php
+++ b/modules/gallery/controllers/upgrader.php
@@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller {
       // @todo this may screw up some module installers, but we don't have a better answer at
       // this time.
       $_SERVER["HTTP_HOST"] = "example.com";
-    } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
-      access::forbidden();
+    } else {
+      if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
+        access::forbidden();
+      }
+
+      try {
+        access::verify_csrf();
+      } catch (Exception $e) {
+        url::redirect("upgrader");
+      }
     }
 
     $available = module::available();
@@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller {
     site_status::clear("upgrade_now");
 
     if (php_sapi_name() == "cli") {
-      print "Upgrade complete\n";
+      if ($failed) {
+        print "Upgrade completed ** WITH FAILURES **\n";
+        print "The following modules were not successfully upgraded:\n";
+        print "  " . implode($failed, "\n  ") . "\n";
+        print "Try getting newer versions or deactivating those modules\n";
+      } else {
+        print "Upgrade complete\n";
+      }
     } else {
       url::redirect("upgrader?failed=" . join(",", $failed));
     }