Diffstat (limited to 'modules/tag/helpers')
-rw-r--r--modules/tag/helpers/item_tags_rest.php5
-rw-r--r--modules/tag/helpers/tag_item_rest.php2
-rw-r--r--modules/tag/helpers/tag_items_rest.php4
-rw-r--r--modules/tag/helpers/tag_rest.php27
-rw-r--r--modules/tag/helpers/tags_rest.php6
5 files changed, 21 insertions, 23 deletions
diff --git a/modules/tag/helpers/item_tags_rest.php b/modules/tag/helpers/item_tags_rest.php
index 8a1b1e8b..02c79e5d 100644
--- a/modules/tag/helpers/item_tags_rest.php
+++ b/modules/tag/helpers/item_tags_rest.php
@@ -31,8 +31,8 @@ class item_tags_rest_Core {
}
static function post($request) {
- $tag = rest::resolve($request->params->tag);
- $item = rest::resolve($request->params->item);
+ $tag = rest::resolve($request->params->entity->tag);
+ $item = rest::resolve($request->params->entity->item);
access::required("view", $item);
tag::add($item, $tag->name);
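Review bot: `post()` attaches a tag to an item but still gates on `access::required("view", $item)`, while this same commit makes `delete()` in this file require "edit" and removes a `tag_rest::post` that required "edit" before the same `tag::add` call. Unless tagging by users who can only view is intended, the check should be `access::required("edit", $item);`, and the same applies to `post()` in tag_items_rest.php. Neither function checks that `entity->tag` and `entity->item` are present before calling `rest::resolve`, so a request without them does not get the explicit 400 that the removed code returned. Both function bodies continue outside their hunks.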
@@ -45,6 +45,7 @@ class item_tags_rest_Core {
static function delete($request) {
list ($tag, $item) = rest::resolve($request->url);
+ access::required("edit", $item);
$tag->remove($item);
$tag->save();
}
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
index bce00a9f..17cb726e 100644
--- a/modules/tag/helpers/tag_item_rest.php
+++ b/modules/tag/helpers/tag_item_rest.php
@@ -22,7 +22,7 @@ class tag_item_rest_Core {
list ($tag, $item) = rest::resolve($request->url);
return array(
"url" => $request->url,
- "members" => array(
+ "entity" => array(
"tag" => rest::url("tag", $tag),
"item" => rest::url("item", $item)));
}
diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
index 003c7c95..848c2cd3 100644
--- a/modules/tag/helpers/tag_items_rest.php
+++ b/modules/tag/helpers/tag_items_rest.php
@@ -33,8 +33,8 @@ class tag_items_rest_Core {
}
static function post($request) {
- $tag = rest::resolve($request->params->tag);
- $item = rest::resolve($request->params->item);
+ $tag = rest::resolve($request->params->entity->tag);
+ $item = rest::resolve($request->params->entity->item);
access::required("view", $item);
if (!$tag->loaded()) {
diff --git a/modules/tag/helpers/tag_rest.php b/modules/tag/helpers/tag_rest.php
index f30706bd..e0b7bd87 100644
--- a/modules/tag/helpers/tag_rest.php
+++ b/modules/tag/helpers/tag_rest.php
@@ -36,28 +36,25 @@ class tag_rest_Core {
"members" => $tag_items)));
}
- static function post($request) {
- if (empty($request->params->url)) {
- throw new Rest_Exception("Bad request", 400);
- }
-
- $tag = rest::resolve($request->url);
- $item = rest::resolve($request->params->url);
- access::required("edit", $item);
-
- tag::add($item, $tag->name);
- return array("url" => rest::url("tag_item", $tag, $item));
- }
-
static function put($request) {
+ // Who can we allow to edit a tag name? If we allow anybody to do it then any logged in
+ // user can rename all your tags to something offensive. Right now limit renaming to admins.
+ if (!identity::active_user()->admin) {
+ access::forbidden();
+ }
$tag = rest::resolve($request->url);
- if (isset($request->params->name)) {
- $tag->name = $request->params->name;
+ if (isset($request->params->entity->name)) {
+ $tag->name = $request->params->entity->name;
$tag->save();
}
}
static function delete($request) {
+ // Restrict deleting tags to admins. Otherwise, a logged in user can do great harm to an
+ // install.
+ if (!identity::active_user()->admin) {
+ access::forbidden();
+ }
$tag = rest::resolve($request->url);
$tag->delete();
}
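Review bot: In `put()`, `isset($request->params->entity->name)` accepts an empty string or a non-string value, which is then assigned to `$tag->name` and saved, whereas tags_rest.php in this commit rejects the same field with `empty()` and a 400. Unless the tag model validates the name itself (not visible here), consider `if (empty($request->params->entity->name)) { throw new Rest_Exception("Bad Request", 400); }` before the assignment. The admin guard is duplicated verbatim in `put()` and `delete()`; a small private helper on the class would keep the two checks from drifting apart.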
diff --git a/modules/tag/helpers/tags_rest.php b/modules/tag/helpers/tags_rest.php
index 82826d8e..434e774a 100644
--- a/modules/tag/helpers/tags_rest.php
+++ b/modules/tag/helpers/tags_rest.php
@@ -40,13 +40,13 @@ class tags_rest_Core {
}
}
- if (empty($request->params->name)) {
+ if (empty($request->params->entity->name)) {
throw new Rest_Exception("Bad Request", 400);
}
- $tag = ORM::factory("tag")->where("name", "=", $request->params->name)->find();
+ $tag = ORM::factory("tag")->where("name", "=", $request->params->entity->name)->find();
if (!$tag->loaded()) {
- $tag->name = $request->params->name;
+ $tag->name = $request->params->entity->name;
$tag->count = 0;
$tag->save();
}
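Review bot: `$request->params->entity->name` is read three times in this hunk, and nothing visible checks that it is a string before it reaches the ORM `where()` and `$tag->name`; a JSON request body could presumably supply an array or object here. Reading it once after the `empty()` check, e.g. `$name = $request->params->entity->name;`, with an `is_string($name)` test that throws the same 400, keeps the lookup and the insert on one validated value. The enclosing function starts and ends outside the hunk, so any earlier validation is not visible.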