Diffstat (limited to 'modules/user/helpers')
-rw-r--r--modules/user/helpers/group.php21
-rw-r--r--modules/user/helpers/user.php33
-rw-r--r--modules/user/helpers/user_block.php4
-rw-r--r--modules/user/helpers/user_installer.php26
-rw-r--r--modules/user/helpers/user_menu.php4
5 files changed, 69 insertions, 19 deletions
diff --git a/modules/user/helpers/group.php b/modules/user/helpers/group.php
index f4d57275..a47ade37 100644
--- a/modules/user/helpers/group.php
+++ b/modules/user/helpers/group.php
@@ -24,9 +24,6 @@
* Note: by design, this class does not do any permission checking.
*/
class group_Core {
- const EVERYBODY = 0;
- const REGISTERED_USERS = 1;
-
/**
* Create a new group.
*
@@ -45,4 +42,22 @@ class group_Core {
module::event("group_created", $group);
return $group;
}
+
+ /**
+ * The group of all possible visitors. This includes the guest user.
+ *
+ * @return Group_Model
+ */
+ static function everybody() {
+ return ORM::factory("group", 1);
+ }
+
+ /**
+ * The group of all logged-in visitors. This does not include guest users.
+ *
+ * @return Group_Model
+ */
+ static function registered_users() {
+ return ORM::factory("group", 2);
+ }
} \ No newline at end of file
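Review bot: `everybody()` and `registered_users()` identify the two special groups by the literal primary keys 1 and 2, which is only correct when the installer's two `group::create()` calls produce the first two rows of `groups`. The removed constants used 0 and 1, and the earlier installer created the admin user first, so on a database populated before this change id 1 would presumably resolve to "Registered Users" here and to the admin account in `user::active()` (`ORM::factory("user", 1)`), making anonymous visitors act as admin. `user::create()` repeats the same literals instead of calling these helpers. Consider resolving the rows by a stable attribute (the new `special` and `guest` columns, or the name) and having `create()` call `group::everybody()->add($user);` and `group::registered_users()->add($user);`.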
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index dfaa90f2..005431b7 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -24,8 +24,6 @@
* Note: by design, this class does not do any permission checking.
*/
class user_Core {
- const ADMIN = 1;
-
/**
* Return the form for creating / modifying users.
*/
@@ -59,15 +57,32 @@ class user_Core {
}
/**
+ * Return the active user. If there's no active user, return the guest user.
+ *
+ * @return User_Model
+ */
+ static function active() {
+ return Session::instance()->get("user", ORM::factory("user", 1));
+ }
+
+ /**
+ * Change the active user.
+ *
+ * @return User_Model
+ */
+ static function set_active($user) {
+ return Session::instance()->set("user", $user);
+ }
+
+ /**
* Create a new user.
*
* @param string $name
* @param string $display_name
* @param string $password
- * @param boolean $admin true if this user is a site admin
* @return User_Model
*/
- static function create($name, $display_name, $password, $admin=false) {
+ static function create($name, $display_name, $password) {
$user = ORM::factory("user")->where("name", $name);
if ($user->loaded) {
throw new Exception("@todo USER_ALREADY_EXISTS $name");
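Review bot: `set_active()` is documented with `@return User_Model` but returns the result of `Session::set()`, and its `$user` argument has no `@param` line. Suggest adding `@param User_Model $user the user to store in the session` and either dropping the `@return` or adding `return $user;` after the `set()` call so the documented contract holds. In `active()`, the default `ORM::factory("user", 1)` is built on every call, including when the session already holds a user. The hunk ends inside `create()`, whose body continues in the next hunk.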
@@ -76,10 +91,14 @@ class user_Core {
$user->name = $name;
$user->display_name = $display_name;
$user->password = $password;
- $user->admin = $admin;
$user->save();
- $group = ORM::factory("group", group::REGISTERED_USERS);
+ // Everybody user
+ $group = ORM::factory("group", 1);
+ $group->add($user);
+
+ // Registered users
+ $group = ORM::factory("group", 2);
$group->add($user);
module::event("user_created", $user);
@@ -138,7 +157,7 @@ class user_Core {
$user->last_login = time();
$user->save();
- Session::instance()->set("user", $user);
+ user::set_active($user);
module::event("user_login", $user);
}
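Review bot: The session identifier does not appear to be regenerated when the active user changes from guest to an authenticated account; within this hunk `user::set_active($user)` only overwrites the `user` key. Keeping the pre-login session id across authentication leaves room for session fixation. If nothing earlier in the function already does it (the body starts outside this hunk), add `Session::instance()->regenerate();` immediately before `user::set_active($user);`, or do it inside `set_active()` so every caller gets it.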
diff --git a/modules/user/helpers/user_block.php b/modules/user/helpers/user_block.php
index 762c7d17..b737cec6 100644
--- a/modules/user/helpers/user_block.php
+++ b/modules/user/helpers/user_block.php
@@ -21,7 +21,7 @@ class user_block_Core {
public static function head($theme) {
$url = url::file("modules/user/js/user.js");
$script[] = "<script src=\"$url\" type=\"text/javascript\"></script>";
- $user = Session::instance()->get('user', null);
+ $user = user::active();
$url = url::file("lib/jquery.jeditable.js");
$script[] = empty($user) ? "" : "<script src=\"$url\" type=\"text/javascript\"></script>";
return implode("\n", $script);
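Review bot: `empty($user)` on the line after the change can no longer be true, because `user::active()` falls back to the guest `User_Model` instead of `null`, so `jquery.jeditable.js` is now emitted for anonymous visitors as well. `user_menu::site_navigation()` was switched to the `guest` flag in this commit and this check needs the same treatment: `$script[] = $user->guest ? "" : "<script src=\"$url\" type=\"text/javascript\"></script>";`. The `header_top()` hunk below hands the same always-set object to `login.html`; if that view tests `$user` for emptiness it would presumably render the logged-in state for guests, which is worth checking since the view is not part of this diff.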
@@ -29,7 +29,7 @@ class user_block_Core {
public static function header_top($theme) {
$view = new View("login.html");
- $view->user = Session::instance()->get('user', null);
+ $view->user = user::active();
return $view->render();
}
}
diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php
index 3dbdaf25..2de3a6cd 100644
--- a/modules/user/helpers/user_installer.php
+++ b/modules/user/helpers/user_installer.php
@@ -32,6 +32,7 @@ class user_installer {
`last_login` int(10) unsigned NOT NULL DEFAULT 0,
`email` varchar(255) default NULL,
`admin` BOOLEAN default 0,
+ `guest` BOOLEAN default 0,
PRIMARY KEY (`id`),
UNIQUE KEY(`display_name`))
ENGINE=InnoDB DEFAULT CHARSET=utf8;");
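Review bot: The new `guest` column only reaches databases where `users` does not exist yet, because the statement is `CREATE TABLE IF NOT EXISTS` and the installer still records version 1 further down. On a table created by the earlier installer the column would be absent, and `!$user->guest` in `user_menu::site_navigation()` would then presumably be true for every visitor, so the check fails open. The `special` column added to `groups` in the next hunk has the same gap. If existing databases are in scope, an `ALTER TABLE` step with a version bump is needed; otherwise a comment such as `// Schema change without migration: requires a fresh install` would make the assumption explicit. The install function starts and ends outside this hunk.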
@@ -39,6 +40,7 @@ class user_installer {
$db->query("CREATE TABLE IF NOT EXISTS `groups` (
`id` int(9) NOT NULL auto_increment,
`name` char(255) default NULL,
+ `special` BOOLEAN default 0,
PRIMARY KEY (`id`),
UNIQUE KEY(`name`))
ENGINE=InnoDB DEFAULT CHARSET=utf8;");
@@ -50,18 +52,32 @@ class user_installer {
UNIQUE KEY(`user_id`, `group_id`))
ENGINE=InnoDB DEFAULT CHARSET=utf8;");
+ $everybody = group::create("Everybody");
+ $everybody->special = true;
+ $everybody->save();
+
$registered = group::create("Registered Users");
+ $registered->special = true;
+ $registered->save();
- // @todo: get this info from the installer
- $admin = user::create("admin", "Gallery Administrator", "admin", true);
- $user = user::create("joe", "Joe User", "joe");
+ $guest = user::create("guest", "Guest User", "");
+ $guest->guest = true;
+ $guest->save();
+ $guest->remove($registered);
- $registered->add($admin);
- $registered->add($user);
+ $admin = user::create("admin", "Gallery Administrator", "admin");
+ $admin->admin = true;
+ $admin->save();
// Let the admin own everything
$db->query("UPDATE `items` SET `owner_id` = {$admin->id} WHERE `owner_id` IS NULL");
module::set_version("user", 1);
+
+ $root = ORM::factory("item", 1);
+ access::allow($guest, "view", $root);
+ access::allow($guest, "view", $root);
+ access::allow($registered, "view", $root);
+ access::allow($admin, "edit", $root);
}
}
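Review bot: The installer now seeds two accounts with fixed credentials, `guest` with an empty password and `admin` with the password `admin`, and drops the `@todo: get this info from the installer` marker that flagged the latter. Whether an empty password can be used to log in as `guest` depends on the login code, which is not in this hunk; the login path should refuse rows with `guest` set, and the admin password should come from the installer or be forced to change on first login. Please keep the marker, e.g. `// @todo: get the admin password from the installer; "admin" is a known default`. Separately, `access::allow($guest, "view", $root);` appears twice in a row and `$everybody` is never granted anything, so one of the two was probably meant to be `access::allow($everybody, "view", $root);`.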
diff --git a/modules/user/helpers/user_menu.php b/modules/user/helpers/user_menu.php
index 0f25527a..886a873a 100644
--- a/modules/user/helpers/user_menu.php
+++ b/modules/user/helpers/user_menu.php
@@ -19,8 +19,8 @@
*/
class user_menu_Core {
public static function site_navigation($menu, $theme) {
- $user = Session::instance()->get("user", null);
- if ($user) {
+ $user = user::active();
+ if (!$user->guest) {
$menu->get("admin_menu")->append(
Menu::Factory("dialog")
->id("edit_profile")