4 files changed, 36 insertions, 6 deletions

diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 86ea9572..52a36298 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -263,15 +263,15 @@ class access_Core {
   }
 
   /**
-   * Recalculate the permissions for a given item and its hierarchy.  $item must be an album.
+   * Recalculate the permissions for an album's hierarchy.
    */
-  static function recalculate_permissions($item) {
+  static function recalculate_album_permissions($album) {
     foreach (self::_get_all_groups() as $group) {
       foreach (ORM::factory("permission")->find_all() as $perm) {
         if ($perm->name == "view") {
-          self::_update_access_view_cache($group, $item);
+          self::_update_access_view_cache($group, $album);
         } else {
-          self::_update_access_non_view_cache($group, $perm->name, $item);
+          self::_update_access_non_view_cache($group, $perm->name, $album);
         }
       }
     }
@@ -279,6 +279,28 @@ class access_Core {
   }
 
   /**
+   * Recalculate the permissions for a single photo.
+   */
+  static function recalculate_photo_permissions($photo) {
+    $parent = $photo->parent();
+    $parent_access_cache = ORM::factory("access_cache")->where("item_id", "=", $parent->id)->find();
+    $photo_access_cache = ORM::factory("access_cache")->where("item_id", "=", $photo->id)->find();
+    foreach (self::_get_all_groups() as $group) {
+      foreach (ORM::factory("permission")->find_all() as $perm) {
+        $field = "{$perm->name}_{$group->id}";
+        if ($perm->name == "view") {
+          $photo->$field = $parent->$field;
+        } else {
+          $photo_access_cache->$field = $parent_access_cache->$field;
+        }
+      }
+    }
+    $photo_access_cache->save();
+    $photo->save();
+    model_cache::clear();
+  }
+
+  /**
    * Register a permission so that modules can use it.
    *
    * @param  string $name           The internal name for for this permission
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
index 78a9f5a9..b59bb9b9 100644
--- a/modules/gallery/helpers/gallery_event.php
+++ b/modules/gallery/helpers/gallery_event.php
@@ -157,7 +157,11 @@ class gallery_event_Core {
   }
 
   static function item_moved($item, $old_parent) {
-    access::recalculate_permissions($item->parent());
+    if ($item->is_album()) {
+      access::recalculate_album_permissions($item->parent());
+    } else {
+      access::recalculate_photo_permissions($item);
+    }
 
     // If the new parent doesn't have an album cover, make this it.
     if (!$item->parent()->album_cover_item_id) {
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index 985346ba..3b173928 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -571,7 +571,7 @@ class gallery_task_Core {
           // The new cache rows are there, but they're incorrectly populated so we have to fix
           // them.  If this turns out to be too slow, we'll have to refactor
           // access::recalculate_permissions to allow us to do it in slices.
-          access::recalculate_permissions(item::root());
+          access::recalculate_album_permissions(item::root());
           $state = self::FIX_STATE_DONE;
         }
         break;
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index c092e3fd..32b3020f 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -359,11 +359,13 @@ class Access_Helper_Test extends Gallery_Unit_Test_Case {
     $public_album = test::random_album();
     $public_photo = test::random_photo($public_album);
     access::allow(identity::everybody(), "view", $public_album);
+    access::allow(identity::everybody(), "edit", $public_album);
 
     item::root()->reload();  // Account for MPTT changes
 
     $private_album = test::random_album();
     access::deny(identity::everybody(), "view", $private_album);
+    access::deny(identity::everybody(), "edit", $private_album);
     $private_photo = test::random_photo($private_album);
 
     // Make sure that we now have a public photo and private photo.
@@ -385,6 +387,8 @@ class Access_Helper_Test extends Gallery_Unit_Test_Case {
 
     // Make sure that the public_photo is now private, and the private_photo is now public.
     $this->assert_false(access::group_can(identity::everybody(), "view", $public_photo));
+    $this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo));
     $this->assert_true(access::group_can(identity::everybody(), "view", $private_photo));
+    $this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo));
   }
 }