6 files changed, 29 insertions, 20 deletions

diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index e1985cfb..c2b474ee 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -26,12 +26,18 @@ class Albums_Controller extends Items_Controller {
     if (!is_object($album)) {
       // show() must be public because we route to it in url::parse_url(), so make
       // sure that we're actually receiving an object
-      Kohana::show_404();
+      throw new Kohana_404_Exception();
     }
 
     if (!access::can("view", $album)) {
-      print auth::require_login();
-      return;
+      if ($album->id == 1) {
+        // Even show the login page to logged in users.
+        // It's a better user experience than a "Dang" error page.
+        print auth::login_page();
+        return;
+      } else {
+        access::required("view", $album);
+      }
     }
 
     $page_size = module::get_var("gallery", "page_size", 9);
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 8041066e..78a56e81 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -22,13 +22,10 @@ class Movies_Controller extends Items_Controller {
     if (!is_object($movie)) {
       // show() must be public because we route to it in url::parse_url(), so make
       // sure that we're actually receiving an object
-      Kohana::show_404();
+      throw new Kohana_404_Exception();
     }
 
-    if (!access::can("view", $movie)) {
-      print auth::require_login();
-      return;
-    }
+    access::required("view", $movie);
 
     $where = array(array("type", "!=", "album"));
     $position = $movie->parent()->get_position($movie, $where);
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 778e9ae7..f2d47eec 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -22,14 +22,11 @@ class Photos_Controller extends Items_Controller {
     if (!is_object($photo)) {
       // show() must be public because we route to it in url::parse_url(), so make
       // sure that we're actually receiving an object
-      Kohana::show_404();
+      throw new Kohana_404_Exception();
     }
-
-    if (!access::can("view", $photo)) {
-      print auth::require_login();
-      return;
-    }
-
+  
+    access::required("view", $photo);
+  
     $where = array(array("type", "!=", "album"));
     $position = $photo->parent()->get_position($photo, $where);
     if ($position > 1) {
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 29b981e8..7e8b079a 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -118,7 +118,12 @@ class access_Core {
    */
   static function required($perm_name, $item) {
     if (!self::can($perm_name, $item)) {
-      self::forbidden();
+      if ($perm_name == "view") {
+        // Treat as if the item didn't exist, don't leak any information.
+        throw new Kohana_404_Exception();
+      } else {
+        self::forbidden();
+      }
     }
   }
 
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php
index f5454f85..8b0ce470 100644
--- a/modules/gallery/helpers/auth.php
+++ b/modules/gallery/helpers/auth.php
@@ -132,15 +132,16 @@ class auth_Core {
   }
 
   /**
-   * Redirect to the login page.
+   * Returns the themed login page.
    */
-  static function require_login() {
+  static function login_page($continue_url=null) {
     $view = new Theme_View("page.html", "other", "login");
     $view->page_title = t("Log in to Gallery");
     $view->content = new View("login_ajax.html");
     $view->content->form = auth::get_login_form("login/auth_html");
     // Avoid anti-phishing protection by passing the url as session variable.
-    Session::instance()->set("continue_url", url::current(true));
+    $continue_url or $continue_url = url::current(true);
+    Session::instance()->set("continue_url", $continue_url);
     return $view;
   }
 }
\ No newline at end of file
diff --git a/modules/gallery/views/welcome_message.html.php b/modules/gallery/views/welcome_message.html.php
index caeeff66..4d6ed726 100644
--- a/modules/gallery/views/welcome_message.html.php
+++ b/modules/gallery/views/welcome_message.html.php
@@ -15,12 +15,15 @@
   </p>
 
   <p>
-    <a href="<?= url::site("user_profile/show/{$user->id}") ?>"
+    <a href="<?= url::site("admin/users/edit_user_form/{$user->id}") ?>"
       title="<?= t("Edit your profile")->for_html_attr() ?>"
       id="g-after-install-change-password-link"
       class="g-button ui-state-default ui-corners-all">
       <?= t("Change password and email now") ?>
     </a>
+    <script type="text/javascript">
+      $("#g-after-install-change-password-link").gallery_dialog();
+    </script>
   </p>
 
   <p>