8 files changed, 85 insertions, 61 deletions

diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php
index 16abec5a..f52713b8 100644
--- a/modules/gallery/helpers/item_rest.php
+++ b/modules/gallery/helpers/item_rest.php
@@ -70,6 +70,14 @@ class item_rest_Core {
       $orm->where("type", "IN", explode(",", $p->type));
     }
 
+    // Apply the item's sort order, using id as the tie breaker.
+    // See Item_Model::children()
+    $order_by = array($item->sort_column => $item->sort_order);
+    if ($item->sort_column != "id") {
+      $order_by["id"] = "ASC";
+    }
+    $orm->order_by($order_by);
+
     $members = array();
     foreach ($orm->find_all() as $child) {
       $members[] = rest::url("item", $child);
@@ -86,33 +94,44 @@ class item_rest_Core {
     $item = rest::resolve($request->url);
     access::required("edit", $item);
 
-    $params = $request->params;
-
-    // Only change fields from a whitelist.
-    foreach (array("album_cover", "captured", "description",
-                   "height", "mime_type", "name", "parent", "rand_key", "resize_dirty",
-                   "resize_height", "resize_width", "slug", "sort_column", "sort_order",
-                   "thumb_dirty", "thumb_height", "thumb_width", "title", "view_count",
-                   "weight", "width") as $key) {
-      switch ($key) {
-      case "album_cover":
-        if (property_exists($request->params, "album_cover")) {
-          $album_cover_item = rest::resolve($request->params->album_cover);
-          access::required("view", $album_cover_item);
-          $item->album_cover_item_id = $album_cover_item->id;
+    if ($entity = $request->params->entity) {
+      // Only change fields from a whitelist.
+      foreach (array("album_cover", "captured", "description",
+                     "height", "mime_type", "name", "parent", "rand_key", "resize_dirty",
+                     "resize_height", "resize_width", "slug", "sort_column", "sort_order",
+                     "thumb_dirty", "thumb_height", "thumb_width", "title", "view_count",
+                     "width") as $key) {
+        switch ($key) {
+        case "album_cover":
+          if (property_exists($entity, "album_cover")) {
+            $album_cover_item = rest::resolve($entity->album_cover);
+            access::required("view", $album_cover_item);
+            $item->album_cover_item_id = $album_cover_item->id;
+          }
+          break;
+
+        case "parent":
+          if (property_exists($entity, "parent")) {
+            $parent = rest::resolve($entity->parent);
+            access::required("edit", $parent);
+            $item->parent_id = $parent->id;
+          }
+          break;
+        default:
+          if (property_exists($entity, $key)) {
+            $item->$key = $entity->$key;
+          }
         }
-        break;
+      }
+    }
 
-      case "parent":
-        if (property_exists($request->params, "parent")) {
-          $parent = rest::resolve($request->params->parent);
-          access::required("edit", $parent);
-          $item->parent_id = $parent->id;
-        }
-        break;
-      default:
-        if (property_exists($request->params, $key)) {
-          $item->$key = $request->params->$key;
+    $weight = 0;
+    if (isset($request->params->members)) {
+      foreach ($request->params->members as $url) {
+        $child = rest::resolve($url);
+        if ($child->parent_id == $item->id && $child->weight != $weight) {
+          $child->weight = $weight++;
+          $child->save();
         }
       }
     }
@@ -123,33 +142,33 @@ class item_rest_Core {
     $parent = rest::resolve($request->url);
     access::required("edit", $parent);
 
-    $params = $request->params;
+    $entity = $request->params->entity;
     $item = ORM::factory("item");
-    switch ($params->type) {
+    switch ($entity->type) {
     case "album":
       $item->type = "album";
       $item->parent_id = $parent->id;
-      $item->name = $params->name;
-      $item->title = isset($params->title) ? $params->title : $name;
-      $item->description = isset($params->description) ? $params->description : null;
-      $item->slug = isset($params->slug) ? $params->slug : null;
+      $item->name = $entity->name;
+      $item->title = isset($entity->title) ? $entity->title : $name;
+      $item->description = isset($entity->description) ? $entity->description : null;
+      $item->slug = isset($entity->slug) ? $entity->slug : null;
       $item->save();
       break;
 
     case "photo":
     case "movie":
-      $item->type = $params->type;
+      $item->type = $entity->type;
       $item->parent_id = $parent->id;
       $item->set_data_file($request->file);
-      $item->name = $params->name;
-      $item->title = isset($params->title) ? $params->title : $params->name;
-      $item->description = isset($params->description) ? $params->description : null;
-      $item->slug = isset($params->slug) ? $params->slug : null;
+      $item->name = $entity->name;
+      $item->title = isset($entity->title) ? $entity->title : $entity->name;
+      $item->description = isset($entity->description) ? $entity->description : null;
+      $item->slug = isset($entity->slug) ? $entity->slug : null;
       $item->save();
       break;
 
     default:
-      throw new Rest_Exception("Invalid type: $params->type", 400);
+      throw new Rest_Exception("Invalid type: $entity->type", 400);
     }
 
     return array("url" => rest::url("item", $item));
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 1026264f..7fc37325 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -947,7 +947,7 @@ class Item_Model extends ORM_MPTT {
 
     // Elide some internal-only data that is going to cause confusion in the client.
     foreach (array("relative_path_cache", "relative_url_cache", "left_ptr", "right_ptr",
-                   "thumb_dirty", "resize_dirty") as $key) {
+                   "thumb_dirty", "resize_dirty", "weight") as $key) {
       unset($data[$key]);
     }
     return $data;
diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php
index 29334cea..dab54976 100644
--- a/modules/rest/controllers/rest.php
+++ b/modules/rest/controllers/rest.php
@@ -54,6 +54,13 @@ class Rest_Controller extends Controller {
       break;
     }
 
+    if (isset($request->params->entity)) {
+      $request->params->entity = json_decode($request->params->entity);
+    }
+    if (isset($request->params->members)) {
+      $request->params->members = json_decode($request->params->members);
+    }
+
     $request->method = strtolower($input->server("HTTP_X_GALLERY_REQUEST_METHOD", $method));
     $request->access_key = $input->server("HTTP_X_GALLERY_REQUEST_KEY");
     $request->url = url::abs_current(true);
diff --git a/modules/tag/helpers/item_tags_rest.php b/modules/tag/helpers/item_tags_rest.php
index 8a1b1e8b..02c79e5d 100644
--- a/modules/tag/helpers/item_tags_rest.php
+++ b/modules/tag/helpers/item_tags_rest.php
@@ -31,8 +31,8 @@ class item_tags_rest_Core {
   }
 
   static function post($request) {
-    $tag = rest::resolve($request->params->tag);
-    $item = rest::resolve($request->params->item);
+    $tag = rest::resolve($request->params->entity->tag);
+    $item = rest::resolve($request->params->entity->item);
     access::required("view", $item);
 
     tag::add($item, $tag->name);
@@ -45,6 +45,7 @@ class item_tags_rest_Core {
 
   static function delete($request) {
     list ($tag, $item) = rest::resolve($request->url);
+    access::required("edit", $item);
     $tag->remove($item);
     $tag->save();
   }
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
index bce00a9f..17cb726e 100644
--- a/modules/tag/helpers/tag_item_rest.php
+++ b/modules/tag/helpers/tag_item_rest.php
@@ -22,7 +22,7 @@ class tag_item_rest_Core {
     list ($tag, $item) = rest::resolve($request->url);
     return array(
       "url" => $request->url,
-      "members" => array(
+      "entity" => array(
         "tag" => rest::url("tag", $tag),
         "item" => rest::url("item", $item)));
   }
diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
index 003c7c95..848c2cd3 100644
--- a/modules/tag/helpers/tag_items_rest.php
+++ b/modules/tag/helpers/tag_items_rest.php
@@ -33,8 +33,8 @@ class tag_items_rest_Core {
   }
 
   static function post($request) {
-    $tag = rest::resolve($request->params->tag);
-    $item = rest::resolve($request->params->item);
+    $tag = rest::resolve($request->params->entity->tag);
+    $item = rest::resolve($request->params->entity->item);
     access::required("view", $item);
 
     if (!$tag->loaded()) {
diff --git a/modules/tag/helpers/tag_rest.php b/modules/tag/helpers/tag_rest.php
index f30706bd..e0b7bd87 100644
--- a/modules/tag/helpers/tag_rest.php
+++ b/modules/tag/helpers/tag_rest.php
@@ -36,28 +36,25 @@ class tag_rest_Core {
           "members" => $tag_items)));
   }
 
-  static function post($request) {
-    if (empty($request->params->url)) {
-      throw new Rest_Exception("Bad request", 400);
-    }
-
-    $tag = rest::resolve($request->url);
-    $item = rest::resolve($request->params->url);
-    access::required("edit", $item);
-
-    tag::add($item, $tag->name);
-    return array("url" => rest::url("tag_item", $tag, $item));
-  }
-
   static function put($request) {
+    // Who can we allow to edit a tag name?  If we allow anybody to do it then any logged in
+    // user can rename all your tags to something offensive.  Right now limit renaming to admins.
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
     $tag = rest::resolve($request->url);
-    if (isset($request->params->name)) {
-      $tag->name = $request->params->name;
+    if (isset($request->params->entity->name)) {
+      $tag->name = $request->params->entity->name;
       $tag->save();
     }
   }
 
   static function delete($request) {
+    // Restrict deleting tags to admins.  Otherwise, a logged in user can do great harm to an
+    // install.
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
     $tag = rest::resolve($request->url);
     $tag->delete();
   }
diff --git a/modules/tag/helpers/tags_rest.php b/modules/tag/helpers/tags_rest.php
index 82826d8e..434e774a 100644
--- a/modules/tag/helpers/tags_rest.php
+++ b/modules/tag/helpers/tags_rest.php
@@ -40,13 +40,13 @@ class tags_rest_Core {
       }
     }
 
-    if (empty($request->params->name)) {
+    if (empty($request->params->entity->name)) {
       throw new Rest_Exception("Bad Request", 400);
     }
 
-    $tag = ORM::factory("tag")->where("name", "=", $request->params->name)->find();
+    $tag = ORM::factory("tag")->where("name", "=", $request->params->entity->name)->find();
     if (!$tag->loaded()) {
-      $tag->name = $request->params->name;
+      $tag->name = $request->params->entity->name;
       $tag->count = 0;
       $tag->save();
     }