4 files changed, 24 insertions, 18 deletions
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
index 4fd447bd..d723cc1b 100644
--- a/modules/gallery/helpers/gallery_event.php
+++ b/modules/gallery/helpers/gallery_event.php
@@ -383,7 +383,7 @@ class gallery_event_Core {
                    ->id("delete")
                    ->label($delete_title)
                    ->css_class("ui-icon-trash")
-                   ->css_id("g-quick-delete")
+                   ->css_class("g-quick-delete")
                    ->url(url::site("quick/form_delete/$item->id?csrf=$csrf&amp;from_id=$theme_item->id&amp;page_type=$page_type")));
       }
 
diff --git a/modules/organize/helpers/organize_event.php b/modules/organize/helpers/organize_event.php
index 4b048630..a9d64637 100644
--- a/modules/organize/helpers/organize_event.php
+++ b/modules/organize/helpers/organize_event.php
@@ -26,7 +26,7 @@ class organize_event_Core {
         ->append(Menu::factory("dialog")
                  ->id("organize")
                  ->label(t("Organize album"))
-                 ->css_id("g-organize-link")
+                 ->css_id("g-menu-organize-link")
                  ->url(url::site("organize/dialog/{$item->id}")));
     }
   }
@@ -37,8 +37,7 @@ class organize_event_Core {
         ->append(Menu::factory("dialog")
                  ->id("organize")
                  ->label(t("Organize album"))
-                 ->css_id("g-organize-link")
-                 ->css_class("ui-icon-folder-open")
+                 ->css_class("ui-icon-folder-open g-organize-link")
                  ->url(url::site("organize/dialog/{$item->id}")));
     }
   }
diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php
index cd962057..7440350f 100644
--- a/modules/rest/helpers/rest.php
+++ b/modules/rest/helpers/rest.php
@@ -39,8 +39,7 @@ class rest_Core {
 
   static function set_active_user($access_token) {
     if (empty($access_token)) {
-      identity::set_active_user(identity::guest());
-      return;
+      throw new Rest_Exception("Forbidden", 403);
     }
 
     $key = ORM::factory("user_access_token")
diff --git a/modules/rest/tests/Rest_Controller_Test.php b/modules/rest/tests/Rest_Controller_Test.php
index a5c7dda6..21be8300 100644
--- a/modules/rest/tests/Rest_Controller_Test.php
+++ b/modules/rest/tests/Rest_Controller_Test.php
@@ -20,6 +20,9 @@
 class Rest_Controller_Test extends Gallery_Unit_Test_Case {
   public function setup() {
     $this->_save = array($_GET, $_POST, $_SERVER);
+
+    $key = rest::get_access_token(1);  // admin user
+    $_SERVER["HTTP_X_GALLERY_REQUEST_KEY"] = $key->access_key;
   }
 
   public function teardown() {
@@ -60,24 +63,26 @@ class Rest_Controller_Test extends Gallery_Unit_Test_Case {
   }
 
   public function get_test() {
+    unset($_SERVER["HTTP_X_GALLERY_REQUEST_KEY"]);
+
     $_SERVER["REQUEST_METHOD"] = "GET";
     $_GET["key"] = "value";
 
-    $this->assert_array_equal_to_json(
-      array("params" => array("key" => "value"),
-            "method" => "get",
-            "access_token" => null,
-            "url" => "http://./index.php/gallery_unit_test"),
-      test::call_and_capture(array(new Rest_Controller(), "mock")));
+    try {
+      test::call_and_capture(array(new Rest_Controller(), "mock"));
+    } catch (Rest_Exception $e) {
+      $this->assert_same(403, $e->getCode());
+      return;
+    }
+
+    $this->assert_true(false, "Should be forbidden");
   }
 
   public function get_with_access_key_test() {
-    $key = rest::get_access_token(1);  // admin user
-
     $_SERVER["REQUEST_METHOD"] = "GET";
-    $_SERVER["HTTP_X_GALLERY_REQUEST_KEY"] = $key->access_key;
     $_GET["key"] = "value";
 
+    $key = rest::get_access_token(1);  // admin user
     $this->assert_array_equal_to_json(
       array("params" => array("key" => "value"),
             "method" => "get",
@@ -90,10 +95,11 @@ class Rest_Controller_Test extends Gallery_Unit_Test_Case {
     $_SERVER["REQUEST_METHOD"] = "POST";
     $_POST["key"] = "value";
 
+    $key = rest::get_access_token(1);  // admin user
     $this->assert_array_equal_to_json(
       array("params" => array("key" => "value"),
             "method" => "post",
-            "access_token" => null,
+            "access_token" => $key->access_key,
             "url" => "http://./index.php/gallery_unit_test"),
       test::call_and_capture(array(new Rest_Controller(), "mock")));
   }
@@ -103,10 +109,11 @@ class Rest_Controller_Test extends Gallery_Unit_Test_Case {
     $_SERVER["HTTP_X_GALLERY_REQUEST_METHOD"] = "put";
     $_POST["key"] = "value";
 
+    $key = rest::get_access_token(1);  // admin user
     $this->assert_array_equal_to_json(
       array("params" => array("key" => "value"),
             "method" => "put",
-            "access_token" => null,
+            "access_token" => $key->access_key,
             "url" => "http://./index.php/gallery_unit_test"),
       test::call_and_capture(array(new Rest_Controller(), "mock")));
   }
@@ -116,10 +123,11 @@ class Rest_Controller_Test extends Gallery_Unit_Test_Case {
     $_SERVER["HTTP_X_GALLERY_REQUEST_METHOD"] = "delete";
     $_POST["key"] = "value";
 
+    $key = rest::get_access_token(1);  // admin user
     $this->assert_array_equal_to_json(
       array("params" => array("key" => "value"),
             "method" => "delete",
-            "access_token" => null,
+            "access_token" => $key->access_key,
             "url" => "http://./index.php/gallery_unit_test"),
       test::call_and_capture(array(new Rest_Controller(), "mock")));
   }