5 files changed, 48 insertions, 29 deletions

diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index bc0c7c5e..22bbe1a6 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
@@ -18,6 +18,8 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class Digibug_Controller extends Controller {
+  const ALLOW_PRIVATE_GALLERY = true;
+
   public function print_photo($id) {
     access::verify_csrf();
     $item = ORM::factory("item", $id);
diff --git a/modules/gallery/controllers/combined.php b/modules/gallery/controllers/combined.php
index 4b1a342a..64f8d22b 100644
--- a/modules/gallery/controllers/combined.php
+++ b/modules/gallery/controllers/combined.php
@@ -18,6 +18,9 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class Combined_Controller extends Controller {
+  const ALLOW_MAINTENANCE_MODE = true;
+  const ALLOW_PRIVATE_GALLERY = true;
+
   /**
    * Return the combined Javascript bundle associated with the given key.
    */
diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php
index 62d33345..adb2e50b 100644
--- a/modules/gallery/controllers/login.php
+++ b/modules/gallery/controllers/login.php
@@ -18,6 +18,8 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class Login_Controller extends Controller {
+  const ALLOW_MAINTENANCE_MODE = true;
+  const ALLOW_PRIVATE_GALLERY = true;
 
   public function ajax() {
     $view = new View("login_ajax.html");
diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php
index 2bb55ccb..69aabc4f 100644
--- a/modules/gallery/helpers/gallery.php
+++ b/modules/gallery/helpers/gallery.php
@@ -25,18 +25,27 @@ class gallery_Core {
    * down for maintenance" page.
    */
   static function maintenance_mode() {
-    // @todo: we need a mechanism here to identify controllers that are still legally accessible
-    // when the entire Gallery is in maintenance mode.  Perhaps a controller class function or
-    // method?
-    // https://sourceforge.net/apps/trac/gallery/ticket/1411
-    if (Router::$controller != "login" &&
-        Router::$controller != "combined" &&
-        module::get_var("gallery", "maintenance_mode", 0) &&
+    if (module::get_var("gallery", "maintenance_mode", 0) &&
         !identity::active_user()->admin) {
-      Session::instance()->set("continue_url", url::abs_site("admin/maintenance"));
-      Router::$controller = "login";
-      Router::$controller_path = MODPATH . "gallery/controllers/login.php";
-      Router::$method = "html";
+      try {
+        $class = new ReflectionClass(ucfirst(Router::$controller).'_Controller');
+        $allowed = $class->getConstant("ALLOW_MAINTENANCE_MODE") === true;
+      } catch (ReflectionClass $e) {
+        $allowed = false;
+      }
+      if (!$allowed) {
+        if (Router::$controller == "admin") {
+          // At this point we're in the admin theme and it doesn't have a themed login page, so
+          // we can't just swap in the login controller and have it work.  So redirect back to the
+          // root item where we'll run this code again with the site theme.
+          url::redirect(item::root()->abs_url());
+        } else {
+          Session::instance()->set("continue_url", url::abs_site("admin/maintenance"));
+          Router::$controller = "login";
+          Router::$controller_path = MODPATH . "gallery/controllers/login.php";
+          Router::$method = "html";
+        }
+      }
     }
   }
 
@@ -45,26 +54,27 @@ class gallery_Core {
    * the login page.
    */
   static function private_gallery() {
-    // @todo: we need a mechanism here to identify controllers that are still legally accessible
-    // when the entire Gallery is private.  Perhaps a controller class function or method?
-    // https://sourceforge.net/apps/trac/gallery/ticket/1411
-    if (Router::$controller != "login" &&
-        Router::$controller != "combined" &&
-        Router::$controller != "digibug" &&
-        Router::$controller != "rest" &&
-        identity::active_user()->guest &&
+    if (identity::active_user()->guest &&
         !access::user_can(identity::guest(), "view", item::root()) &&
         php_sapi_name() != "cli") {
-      if (Router::$controller == "admin") {
-        // At this point we're in the admin theme and it doesn't have a themed login page, so
-        // we can't just swap in the login controller and have it work.  So redirect back to the
-        // root item where we'll run this code again with the site theme.
-        url::redirect(item::root()->abs_url());
-      } else {
-        Session::instance()->set("continue_url", url::abs_current());
-        Router::$controller = "login";
-        Router::$controller_path = MODPATH . "gallery/controllers/login.php";
-        Router::$method = "html";
+      try {
+        $class = new ReflectionClass(ucfirst(Router::$controller).'_Controller');
+        $allowed = $class->getConstant("ALLOW_PRIVATE_GALLERY") === true;
+      } catch (ReflectionClass $e) {
+        $allowed = false;
+      }
+      if (!$allowed) {
+        if (Router::$controller == "admin") {
+          // At this point we're in the admin theme and it doesn't have a themed login page, so
+          // we can't just swap in the login controller and have it work.  So redirect back to the
+          // root item where we'll run this code again with the site theme.
+          url::redirect(item::root()->abs_url());
+        } else {
+          Session::instance()->set("continue_url", url::abs_current());
+          Router::$controller = "login";
+          Router::$controller_path = MODPATH . "gallery/controllers/login.php";
+          Router::$method = "html";
+        }
       }
     }
   }
diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php
index c4e0fda4..00c7cda2 100644
--- a/modules/rest/controllers/rest.php
+++ b/modules/rest/controllers/rest.php
@@ -18,6 +18,8 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class Rest_Controller extends Controller {
+  const ALLOW_PRIVATE_GALLERY = true;
+
   public function index() {
     $username = Input::instance()->post("user");
     $password = Input::instance()->post("password");