3 files changed, 73 insertions, 9 deletions

diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 87b6b313..b1384c19 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -222,7 +222,7 @@ class access_Core {
       self::_update_access_non_view_cache($group, $perm_name, $album);
     }
 
-    self::_update_htaccess_files($album, $group, $perm_name, $value);
+    self::update_htaccess_files($album, $group, $perm_name, $value);
     model_cache::clear();
   }
 
@@ -623,11 +623,18 @@ class access_Core {
   }
 
   /**
-   * Maintain .htacccess files to prevent direct access to albums, resizes and thumbnails when we
-   * apply the view and view_full permissions to guest users.
+   * Rebuild the .htaccess files that prevent direct access to albums, resizes and thumbnails.  We
+   * call this internally any time we change the view or view_full permissions for guest users.
+   * This function is only public because we use it in maintenance tasks.
+   *
+   * @param  Item_Model   the album
+   * @param  Group_Model  the group whose permission is changing
+   * @param  string       the permission name
+   * @param  string       the new permission value (eg access::DENY)
    */
-  private static function _update_htaccess_files($album, $group, $perm_name, $value) {
-    if ($group->id != 1 || !($perm_name == "view" || $perm_name == "view_full")) {
+  public static function update_htaccess_files($album, $group, $perm_name, $value) {
+    if ($group->id != identity::everybody()->id ||
+        !($perm_name == "view" || $perm_name == "view_full")) {
       return;
     }
 
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index 96ea7c0d..4b5e9e93 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -50,7 +50,14 @@ class gallery_task_Core {
       ->callback("gallery_task::fix_mptt")
       ->name(t("Fix Album/Photo hierarchy"))
       ->description(t("Fix problems where your album/photo breadcrumbs are out of " .
-                      "sync with your actual hierarchy."))
+                      "sync with your actual hierarchy"))
+      ->severity(log::SUCCESS);
+
+    $tasks[] = Task_Definition::factory()
+      ->callback("gallery_task::fix_permissions")
+      ->name(t("Fix permissions"))
+      ->description(t("Resynchronize database permissions with the .htaccess " .
+                      "files in your gallery3/var directory"))
       ->severity(log::SUCCESS);
 
     return $tasks;
@@ -386,4 +393,54 @@ class gallery_task_Core {
       ->where("id", "=", $id)
       ->execute();
   }
+
+  static function fix_permissions($task) {
+    $start = microtime(true);
+
+    $total = $task->get("total");
+    if (empty($total)) {
+      $everybody_id = identity::everybody()->id;
+      $stack = array();
+      foreach (db::build()
+               ->select("id")
+               ->from("access_intents")
+               ->where("view_{$everybody_id}", "=", 0)
+               ->or_where("view_full_{$everybody_id}", "=", 0)
+               ->execute() as $row) {
+        $stack[] = $row->id;
+      }
+
+      $task->set("total", $total = count($stack));
+      $task->set("stack", implode(" ", $stack));
+      $task->set("completed", 0);
+    }
+
+    $stack = explode(" ", $task->get("stack"));
+    $completed = $task->get("completed");
+
+    while ($stack && microtime(true) - $start < 1.5) {
+      $album = ORM::factory("item", array_pop($stack));
+      $everybody = identity::everybody();
+      if (!access::group_can($everybody, "view", $album)) {
+        access::update_htaccess_files($album, identity::everybody(), "view", access::DENY);
+      } else {
+        // It's one or the other, so if they have view then they don't have view_full
+        access::update_htaccess_files($album, identity::everybody(), "view_full", access::DENY);
+      }
+      $completed++;
+    }
+
+    $task->set("stack", implode(" ", $stack));
+    $task->set("completed", $completed);
+
+    if ($total == $completed) {
+      $task->done = true;
+      $task->state = "success";
+      $task->percent_complete = 100;
+    } else {
+      $task->percent_complete = round(100 * $completed / $total);
+    }
+    $task->status = t2("One album updated", "%count / %total albums updated", $completed,
+                       array("total" => $total));
+  }
 }
\ No newline at end of file
diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php
index ac597715..ad0e2f55 100644
--- a/modules/gallery/views/admin_maintenance.html.php
+++ b/modules/gallery/views/admin_maintenance.html.php
@@ -41,6 +41,9 @@
 
     <? if ($running_tasks->count()): ?>
     <div id="g-running-tasks">
+      <a href="<?= url::site("admin/maintenance/cancel_running_tasks?csrf=$csrf") ?>"
+         class="g-button g-right ui-icon-left ui-state-default ui-corner-all">
+        <?= t("cancel all running") ?></a>
       <h2> <?= t("Running tasks") ?> </h2>
       <table>
         <tr>
@@ -60,9 +63,6 @@
             <?= t("Owner") ?>
           </th>
           <th>
-            <a href="<?= url::site("admin/maintenance/cancel_running_tasks?csrf=$csrf") ?>"
-               class="g-button g-right ui-icon-left ui-state-default ui-corner-all">
-              <?= t("cancel all") ?></a>
             <?= t("Action") ?>
           </th>
         </tr>