6 files changed, 49 insertions, 34 deletions

diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index 8604b7c4..c3e66634 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -57,9 +57,8 @@ class Password_Controller extends Controller {
       $user->hash = md5(rand());
       $user->save();
       $message = new View("reset_password.html");
-      $message->url = url::abs_site("password/do_reset?key=$user->hash");
-      $message->name = $user->full_name;
-      $message->title = t("Password Reset Request");
+      $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash");
+      $message->user = $user;
 
       Sendmail::factory()
         ->to($user->email)
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index 5d70b8c9..9e9d4ca1 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -123,6 +123,7 @@ class user_Core {
     // upconvert into a user.
     if ($user === 2) {
       $user = model_cache::get("user", 2);
+      user::login($user);
       $session->set("user", $user);
     }
 
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index bec74d28..a99c9506 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -68,16 +68,16 @@
         <td id="user-<?= $user->id ?>" class="core-info gDraggable">
           <img src="<?= $user->avatar_url(20, $theme->url("images/avatar.jpg", true)) ?>"
                title="<?= t("Drag user onto group below to add as a new member") ?>"
-               alt="<?= $user->name ?>"
+               alt="<?= p::clean($user->name) ?>"
                width="20"
                height="20" />
-          <?= $user->name ?>
+          <?= p::clean($user->name) ?>
         </td>
         <td>
-          <?= $user->full_name ?>
+          <?= p::clean($user->full_name) ?>
         </td>
         <td>
-          <?= $user->email ?>
+          <?= p::clean($user->email) ?>
         </td>
         <td>
           <?= ($user->last_login == 0) ? "" : date("j-M-y", $user->last_login) ?>
@@ -118,7 +118,7 @@
   <div class="gBlockContent">
     <ul>
       <? foreach ($groups as $i => $group): ?>
-      <li id="group-<?= $group->id ?>" class="gGroup">
+      <li id="group-<?= $group->id ?>" class="gGroup <?= ($group->special ? "gDefaultGroup" : "") ?>" />
         <? $v = new View("admin_users_group.html"); $v->group = $group; ?>
         <?= $v ?>
       </li>
diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php
index a25e687a..bfd79dba 100644
--- a/modules/user/views/admin_users_group.html.php
+++ b/modules/user/views/admin_users_group.html.php
@@ -1,24 +1,38 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
-<strong><?= $group->name ?></strong>
-<? if (!$group->special): ?>
-<a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
-  title="<?= t("Delete " . $group->name) ?>"
-  class="gDialogLink gButtonLink ui-state-default ui-corner-all">
-  <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
-<? else: ?>
-<a title="<?= t("This group cannot be deleted") ?>"
-   class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left">
-  <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
-<? endif ?>
+<h4>
+  <?= p::clean($group->name) ?>
+  <? if (!$group->special): ?>
+  <a href="<?= url::site("admin/users/delete_group_form/$group->id") ?>"
+    title="<?= t("Delete the %name group", array("name" => p::clean($group->name))) ?>"
+    class="gDialogLink gButtonLink ui-state-default ui-corner-all">
+    <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
+  <? else: ?>
+  <a title="<?= t("This default group cannot be deleted") ?>"
+     class="gDialogLink gButtonLink ui-state-disabled ui-corner-all ui-icon-left">
+    <span class="ui-icon ui-icon-trash"><?= t("delete") ?></span></a>
+  <? endif ?>
+</h4>
+
+<? if ($group->users->count() > 0): ?>
 <ul>
   <? foreach ($group->users as $i => $user): ?>
   <li class="gUser">
-    <?= $user->name ?>
+    <?= p::clean($user->name) ?>
     <? if (!$group->special): ?>
     <a href="javascript:remove_user(<?= $user->id ?>, <?= $group->id ?>)"
-       class="gButtonLink ui-state-default ui-corner-all ui-icon-left">
-      <span class="ui-icon ui-icon-closethick">Remove <?= $user->name ?> from <?= $group->name ?></span></a>
+       class="gButtonLink ui-state-default ui-corner-all ui-icon-left"
+       title="<?= t("Remove %user from %group group",
+              array("user" => p::clean($user->name), "group" => p::clean($group->name))) ?>">
+      <span class="ui-icon ui-icon-closethick"><?= t("remove") ?></span>
+    </a>
     <? endif ?>
   </li>
   <? endforeach ?>
 </ul>
+<? else: ?>
+<div>
+  <p>
+    <?= t("Drag &amp; drop users from the User Admin above into this group box to add group members.") ?>
+  </p>
+</div>
+<? endif ?>
diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php
index d9a558b5..cce2fb54 100644
--- a/modules/user/views/login.html.php
+++ b/modules/user/views/login.html.php
@@ -11,7 +11,7 @@
                 '<a href="' . url::site("form/edit/users/{$user->id}") .
                 '" title="' . t("Edit Your Profile") .
                 '" id="gUserProfileLink" class="gDialogLink">' .
-                (empty($user->full_name) ? $user->name : $user->full_name) . '</a>')) ?></li>
+                p::clean(empty($user->full_name) ? $user->name : $user->full_name) . '</a>')) ?></li>
   <li><a href="<?= url::site("logout?continue=" . url::current(true)) ?>"
       id="gLogoutLink"><?= t("Logout") ?></a></li>
   <? endif; ?>
diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php
index 39845d61..4c4672ee 100644
--- a/modules/user/views/reset_password.html.php
+++ b/modules/user/views/reset_password.html.php
@@ -1,14 +1,15 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <html>
-<head>
-  <title><?= $title ?> </title>
-</head>
-<body>
-  <h2><?= t("Password Reset Request") ?> </h2>
-  <p>
-    <?= sprintf(t("A request to reset your password (user: %s) at %s."), $name, url::base(false, "http")) ?>
-    <?= sprintf(t("To confirm this request please click on the link below")) ?><br />
-    <a href="<?= $url ?>"><?= t("Reset Password") ?></a>
-  </p>
-</body>
+  <head>
+    <title><?= t("Password Reset Request") ?> </title>
+  </head>
+  <body>
+    <h2><?= t("Password Reset Request") ?> </h2>
+    <p>
+      <?= t("Hello, %name,", array("name" => p::clean($user->full_name ? $user->full_name : $user->name))) ?>
+    </p>
+    <p>
+      <?= t("We received a request to reset your password for <a href=\"%site_url\">%site_url</a>.  If you made this request, you can confirm it by <a href=\"%confirm_url\">clicking this link</a>.  If you didn't request this password reset, it's ok to ignore this mail.", array("site_url" => url::base(false, "http"), "confirm_url" => $confirm_url)) ?>
+    </p>
+  </body>
 </html>