From 3e6ba7acc3291f2268cbe9c9bef0a492b557babb Mon Sep 17 00:00:00 2001 From: Chad Kieffer Date: Sun, 4 Oct 2009 00:27:22 -0600 Subject: Renamed most, if not all css selectors from gName to g-name. Moved a few shared images from wind to lib. Deleted unused images in the admin_wind. This will likely break a few ajax features. --- modules/user/controllers/password.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'modules/user/controllers/password.php') diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index 92608dcd..4629bbf2 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php @@ -85,9 +85,9 @@ class Password_Controller extends Controller { } private function _reset_form() { - $form = new Forge(url::current(true), "", "post", array("id" => "gResetForm")); + $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); $group = $form->group("reset")->label(t("Reset Password")); - $group->input("name")->label(t("Username"))->id("gName")->class(null)->rules("required"); + $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); $group->submit("")->value(t("Reset")); 
@@ -97,15 +97,15 @@ class Password_Controller extends Controller { private function _new_password_form($hash=null) { $template = new Theme_View("page.html", "reset"); - $form = new Forge("password/do_reset", "", "post", array("id" => "gChangePasswordForm")); + $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); $group = $form->group("reset")->label(t("Change Password")); $hidden = $group->hidden("hash"); if (!empty($hash)) { $hidden->value($hash); } - $group->password("password")->label(t("Password"))->id("gPassword") + $group->password("password")->label(t("Password"))->id("g-password") ->rules("required|length[1,40]"); - $group->password("password2")->label(t("Confirm Password"))->id("gPassword2") + $group->password("password2")->label(t("Confirm Password"))->id("g-password2") ->matches($group->password); $group->inputs["password2"]->error_messages( "mistyped", t("The password and the confirm password must match")); -- cgit v1.2.3 From 194cc3b27a73afe5119da9f09407c1e068dc6fa3 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 5 Oct 2009 14:04:27 -0700 Subject: First pass on converting calls to the Identity interface. Will worry about writes and saves later. Convert the Admin_User controller Convert the login and password change controller Change the item model to call user::lookup to get the owner. On the log model, delete the relationship between the log and user table, and replace with a call to user::lookup --- modules/gallery/models/item.php | 2 +- modules/gallery/models/log.php | 17 ++++++++- modules/user/controllers/admin_users.php | 65 +++++++++++++++----------------- modules/user/controllers/login.php | 5 +-- modules/user/controllers/password.php | 15 +++----- 5 files changed, 55 insertions(+), 49 deletions(-) (limited to 'modules/user/controllers/password.php') diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php index 246d5fcd..5d356841 100644 --- a/modules/gallery/models/item.php 
+++ b/modules/gallery/models/item.php @@ -332,7 +332,7 @@ class Item_Model extends ORM_MPTT { // This relationship depends on an outside module, which may not be present so handle // failures gracefully. try { - return model_cache::get("user", $this->owner_id); + return user::lookup($this->owner_id); } catch (Exception $e) { return null; } diff --git a/modules/gallery/models/log.php b/modules/gallery/models/log.php index 6734afb8..d143d7bd 100644 --- a/modules/gallery/models/log.php +++ b/modules/gallery/models/log.php @@ -18,5 +18,20 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Log_Model extends ORM { - protected $has_one = array("user"); + /** + * @see ORM::__get() + */ + public function __get($column) { + if ($column == "user") { + // This relationship depends on an outside module, which may not be present so handle + // failures gracefully. + try { + return user::lookup($this->user_id); + } catch (Exception $e) { + return null; + } + } else { + return parent::__get($column); + } + } } diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index 0b748955..c405c5e7 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -21,8 +21,8 @@ class Admin_Users_Controller extends Admin_Controller { public function index() { $view = new Admin_View("admin.html"); $view->content = new View("admin_users.html"); - $view->content->users = ORM::factory("user")->orderby("name")->find_all(); - $view->content->groups = ORM::factory("group")->orderby("name")->find_all(); + $view->content->users = user::users(array("orderby" => array("name"))); + $view->content->groups = group::groups(array("orderby" => array("name"))); print $view; } 
@@ -32,8 +32,7 @@ class Admin_Users_Controller extends Admin_Controller { $form = user::get_add_form_admin(); $valid = $form->validate(); $name = $form->add_user->inputs["name"]->value; - $user = ORM::factory("user")->where("name", $name)->find(); - if ($user->loaded) { + if ($user = user::lookup_by_name($name)) { $form->add_user->inputs["name"]->add_error("in_use", 1); $valid = false; } @@ -70,8 +69,8 @@ class Admin_Users_Controller extends Admin_Controller { access::forbidden(); } - $user = ORM::factory("user", $id); - if (!$user->loaded) { + $user = user::lookup($id); + if (empty($user)) { kohana::show_404(); } @@ -91,8 +90,8 @@ class Admin_Users_Controller extends Admin_Controller { } public function delete_user_form($id) { - $user = ORM::factory("user", $id); - if (!$user->loaded) { + $user = user::lookup($id); + if (empty($user)) { kohana::show_404(); } print user::get_delete_form_admin($user); @@ -101,8 +100,8 @@ class Admin_Users_Controller extends Admin_Controller { public function edit_user($id) { access::verify_csrf(); - $user = ORM::factory("user", $id); - if (!$user->loaded) { + $user = user::lookup($id); + if (empty($user)) { kohana::show_404(); } @@ -110,12 +109,9 @@ class Admin_Users_Controller extends Admin_Controller { $valid = $form->validate(); if ($valid) { $new_name = $form->edit_user->inputs["name"]->value; + $temp_user = user::lookup_by_name($new_name); if ($new_name != $user->name && - ORM::factory("user") - ->where("name", $new_name) - ->where("id !=", $user->id) - ->find() - ->loaded) { + ($temp_user && $temp_user->id != $user->id)) { $form->edit_user->inputs["name"]->add_error("in_use", 1); $valid = false; } else { @@ -151,8 +147,8 @@ class Admin_Users_Controller extends Admin_Controller { } public function edit_user_form($id) { - $user = ORM::factory("user", $id); - if (!$user->loaded) { + $user = user::lookup($id); + if (empty($user)) { kohana::show_404(); } 
@@ -166,23 +162,23 @@ class Admin_Users_Controller extends Admin_Controller { public function add_user_to_group($user_id, $group_id) { access::verify_csrf(); - $group = ORM::factory("group", $group_id); - $user = ORM::factory("user", $user_id); + $group = group::lookup($group_id); + $user = user::lookup($user_id); $group->add($user); $group->save(); } public function remove_user_from_group($user_id, $group_id) { access::verify_csrf(); - $group = ORM::factory("group", $group_id); - $user = ORM::factory("user", $user_id); + $group = group::lookup($group_id); + $user = user::lookup($user_id); $group->remove($user); $group->save(); } public function group($group_id) { $view = new View("admin_users_group.html"); - $view->group = ORM::factory("group", $group_id); + $view->group = group::lookup($group_id); print $view; } @@ -193,8 +189,8 @@ class Admin_Users_Controller extends Admin_Controller { $valid = $form->validate(); if ($valid) { $new_name = $form->add_group->inputs["name"]->value; - $group = ORM::factory("group")->where("name", $new_name)->find(); - if ($group->loaded) { + $group = group::lookup_by_name($new_name); + if (!empty($group)) { $form->add_group->inputs["name"]->add_error("in_use", 1); $valid = false; } @@ -219,8 +215,8 @@ class Admin_Users_Controller extends Admin_Controller { public function delete_group($id) { access::verify_csrf(); - $group = ORM::factory("group", $id); - if (!$group->loaded) { + $group = group::lookup($id); + if (empty($group)) { kohana::show_404(); } 
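Review bot: In add_user_to_group and remove_user_from_group the results of `group::lookup($group_id)` and `user::lookup($user_id)` are passed straight to `$group->add($user)` / `$group->remove($user)` with no null check, while every other method converted in this commit tests `empty(...)` and calls `kohana::show_404()`; a bogus id in the URL would reach `->add()` on null. Add `if (empty($group) || empty($user)) { kohana::show_404(); }` after the two lookups in both methods. The same applies to `group()`, which hands a possibly-null lookup result to the view.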
@@ -240,19 +236,20 @@ class Admin_Users_Controller extends Admin_Controller { } public function delete_group_form($id) { - $group = ORM::factory("group", $id); - if (!$group->loaded) { + $group = group::lookup($id); + if (empty($group)) { kohana::show_404(); } + print group::get_delete_form_admin($group); } public function edit_group($id) { access::verify_csrf(); - $group = ORM::factory("group", $id); - if (!$group->loaded) { - kohana::show_404(); + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); } $form = group::get_edit_form_admin($group); @@ -260,7 +257,7 @@ class Admin_Users_Controller extends Admin_Controller { if ($valid) { $new_name = $form->edit_group->inputs["name"]->value; - $group = ORM::factory("group")->where("name", $new_name)->find(); + $group = group::lookup_by_name($name); if ($group->loaded) { $form->edit_group->inputs["name"]->add_error("in_use", 1); $valid = false; @@ -282,8 +279,8 @@ class Admin_Users_Controller extends Admin_Controller { } public function edit_group_form($id) { - $group = ORM::factory("group", $id); - if (!$group->loaded) { + $group = group::lookup($id); + if (empty($group)) { kohana::show_404(); } diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php index 8bee7db5..2c4bd557 100644 --- a/modules/user/controllers/login.php +++ b/modules/user/controllers/login.php @@ -53,13 +53,12 @@ class Login_Controller extends Controller { print $form; } } - private function _auth($url) { $form = user::get_login_form($url); $valid = $form->validate(); if ($valid) { - $user = ORM::factory("user")->where("name", $form->login->inputs["name"]->value)->find(); - if (!$user->loaded || !user::is_correct_password($user, $form->login->password->value)) { + $user = user::lookup_by_name($form->login->inputs["name"]->value); + if (empty($user) || !user::is_correct_password($user, $form->login->password->value)) { log::warning( "user", t("Failed login for %name", 
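Review bot: In edit_group the new line `$group = group::lookup_by_name($name);` reads `$name`, which is not defined in this method (the form value was assigned to `$new_name` on the previous line), and it also overwrites the `$group` that was loaded by id, so the `$group->loaded` test and the `$group->name = ...` / `save()` that follow outside this hunk would operate on the lookup result rather than the group being edited. It also checks `->loaded` on a lookup whose result is tested with `empty()` everywhere else in this commit. Use a separate variable and compare ids, as edit_user does: `$existing = group::lookup_by_name($new_name);` then `if ($existing && $existing->id != $group->id) {`. The remainder of edit_group lies outside the hunk.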
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index 4629bbf2..817ff01c 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php @@ -32,10 +32,8 @@ class Password_Controller extends Controller { if (request::method() == "post") { $this->_change_password(); } else { - $user = ORM::factory("user") - ->where("hash", Input::instance()->get("key")) - ->find(); - if ($user->loaded) { + $user = user::lookyp_by_hash(Input::instance()->get("key")); + if (!empty($user)) { print $this->_new_password_form($user->hash); } else { throw new Exception("@todo FORBIDDEN", 503); @@ -48,7 +46,7 @@ class Password_Controller extends Controller { $valid = $form->validate(); if ($valid) { - $user = ORM::factory("user")->where("name", $form->reset->inputs["name"]->value)->find(); + $user = user::lockup_by_name($form->reset->inputs["name"]->value); if (!$user->loaded || empty($user->email)) { $form->reset->inputs["name"]->add_error("no_email", 1); $valid = false; @@ -118,11 +116,8 @@ class Password_Controller extends Controller { private function _change_password() { $view = $this->_new_password_form(); if ($view->content->validate()) { - $user = ORM::factory("user") - ->where("hash", $view->content->reset->hash->value) - ->find(); - - if (!$user->loaded) { + $user = user::lookyp_by_hash(Input::instance()->get("key")); + if (empty($user)) { throw new Exception("@todo FORBIDDEN", 503); } -- cgit v1.2.3 From 7f38d6ff29e3554031496c3f98e357f7a87a2671 Mon Sep 17 00:00:00 2001 
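Review bot: `user::lookyp_by_hash(...)` in do_reset is a typo for lookup_by_hash (the rest of the commit uses `lookup_by_*` helper names), so following a reset link would fail with an undefined-method error instead of showing the form. The key is also taken from the query string and passed to the lookup with no emptiness check; since `_change_password` clears `hash` to null after use, whether a missing or empty `key` could match such rows depends on the helper and should be ruled out here: `$key = Input::instance()->get("key");` and `$user = empty($key) ? null : user::lookup_by_hash($key);`, keeping the existing `if (!empty($user))`.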
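Review bot: `user::lockup_by_name(...)` in _send_reset is another typo (lookup_by_name), and the line after it still tests `!$user->loaded`, which this commit's other call sites replaced with `empty($user)` because the new helper returns nothing rather than an unloaded ORM object; an unknown username would therefore error out before reaching the `no_email` branch instead of being handled quietly. Change the pair to `$user = user::lookup_by_name($form->reset->inputs["name"]->value);` and `if (empty($user) || empty($user->email)) {`. The rest of _send_reset, including the token generation and the mail send, is outside this hunk.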
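Review bot: _change_password now looks the user up by `Input::instance()->get("key")`, i.e. the query string of the POST, whereas the removed code used the hidden `hash` field that `_new_password_form` populates (`$view->content->reset->hash->value`); the form's action is `password/do_reset` with no `key` parameter, so as far as this page shows the lookup would run with an empty key on every submission and the reset would never complete. `lookyp_by_hash` is also a typo. Restore the posted value: `$user = user::lookup_by_hash($view->content->reset->hash->value);`, keeping the `empty($user)` check. The hash value is attacker-supplied either way, so the lookup must not match rows whose hash was cleared to null — confirm against the helper.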
From: Tim Almdal Date: Tue, 6 Oct 2009 18:30:11 -0700 Subject: Change the focus of the user module from providing user/group management to providing the default Identity implementation. * Remove the user_event callbacks and move them to the gallery_event callbacks. This will insure that the active user is always loaded (because the gallery callbacks are always called first) to its available to other gallery_ready handlers. Moved the method set_request_locale to the locales helper as it is more related to locales. * Move the user controllers and views into the gallery module. * Move the theme and block processing out of the user module and into core. --- modules/gallery/controllers/admin_users.php | 290 +++++++++++++++++++++ modules/gallery/controllers/login.php | 81 ++++++ modules/gallery/controllers/logout.php | 38 +++ modules/gallery/controllers/password.php | 133 ++++++++++ modules/gallery/controllers/users.php | 67 +++++ modules/gallery/helpers/gallery_block.php | 23 ++ modules/gallery/helpers/gallery_event.php | 12 + modules/gallery/helpers/gallery_theme.php | 13 + modules/gallery/helpers/locales.php | 17 ++ modules/gallery/views/admin_users.html.php | 128 +++++++++ modules/gallery/views/admin_users_group.html.php | 38 +++ modules/gallery/views/login.html.php | 22 ++ modules/gallery/views/login_ajax.html.php | 43 +++ modules/gallery/views/reset_password.html.php | 17 ++ .../gallery/views/user_languages_block.html.php | 19 ++ modules/user/controllers/admin_users.php | 290 --------------------- modules/user/controllers/login.php | 81 ------ modules/user/controllers/logout.php | 38 --- modules/user/controllers/password.php | 133 ---------- modules/user/controllers/users.php | 67 ----- modules/user/helpers/user_block.php | 46 ---- modules/user/helpers/user_event.php | 53 ---- modules/user/helpers/user_theme.php | 36 --- modules/user/views/admin_users.html.php | 128 --------- modules/user/views/admin_users_group.html.php | 38 --- modules/user/views/login.html.php | 
22 -- modules/user/views/login_ajax.html.php | 43 --- modules/user/views/reset_password.html.php | 17 -- modules/user/views/user_languages_block.html.php | 19 -- 29 files changed, 941 insertions(+), 1011 deletions(-) create mode 100644 modules/gallery/controllers/admin_users.php create mode 100644 modules/gallery/controllers/login.php create mode 100644 modules/gallery/controllers/logout.php create mode 100644 modules/gallery/controllers/password.php create mode 100644 modules/gallery/controllers/users.php create mode 100644 modules/gallery/views/admin_users.html.php create mode 100644 modules/gallery/views/admin_users_group.html.php create mode 100644 modules/gallery/views/login.html.php create mode 100644 modules/gallery/views/login_ajax.html.php create mode 100644 modules/gallery/views/reset_password.html.php create mode 100644 modules/gallery/views/user_languages_block.html.php delete mode 100644 modules/user/controllers/admin_users.php delete mode 100644 modules/user/controllers/login.php delete mode 100644 modules/user/controllers/logout.php delete mode 100644 modules/user/controllers/password.php delete mode 100644 modules/user/controllers/users.php delete mode 100644 modules/user/helpers/user_block.php delete mode 100644 modules/user/helpers/user_event.php delete mode 100644 modules/user/helpers/user_theme.php delete mode 100644 modules/user/views/admin_users.html.php delete mode 100644 modules/user/views/admin_users_group.html.php delete mode 100644 modules/user/views/login.html.php delete mode 100644 modules/user/views/login_ajax.html.php delete mode 100644 modules/user/views/reset_password.html.php delete mode 100644 modules/user/views/user_languages_block.html.php (limited to 'modules/user/controllers/password.php') diff --git a/modules/gallery/controllers/admin_users.php b/modules/gallery/controllers/admin_users.php new file mode 100644 index 00000000..6c72440a --- /dev/null +++ b/modules/gallery/controllers/admin_users.php 
@@ -0,0 +1,290 @@ +content = new View("admin_users.html"); + $view->content->users = user::users(array("orderby" => array("name" => "ASC"))); + $view->content->groups = group::groups(array("orderby" => array("name" => "ASC"))); + print $view; + } + + public function add_user() { + access::verify_csrf(); + + $form = user::get_add_form_admin(); + $valid = $form->validate(); + $name = $form->add_user->inputs["name"]->value; + if ($user = user::lookup_by_name($name)) { + $form->add_user->inputs["name"]->add_error("in_use", 1); + $valid = false; + } + + if ($valid) { + $user = user::create( + $name, $form->add_user->full_name->value, $form->add_user->password->value); + $user->email = $form->add_user->email->value; + $user->admin = $form->add_user->admin->checked; + + if ($form->add_user->locale) { + $desired_locale = $form->add_user->locale->value; + $user->locale = $desired_locale == "none" ? null : $desired_locale; + } + $user->save(); + module::event("user_add_form_admin_completed", $user, $form); + + message::success(t("Created user %user_name", array("user_name" => $user->name))); + print json_encode(array("result" => "success")); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function add_user_form() { + print user::get_add_form_admin(); + } + + public function delete_user($id) { + access::verify_csrf(); + + if ($id == user::active()->id || $id == user::guest()->id) { + access::forbidden(); + } + + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + + $form = user::get_delete_form_admin($user); + if($form->validate()) { + $name = $user->name; + $user->delete(); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + + $message = t("Deleted user %user_name", array("user_name" => $name)); + log::success("user", $message); + message::success($message); + print json_encode(array("result" => "success")); + } + + public function 
delete_user_form($id) { + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + print user::get_delete_form_admin($user); + } + + public function edit_user($id) { + access::verify_csrf(); + + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + + $form = user::get_edit_form_admin($user); + $valid = $form->validate(); + if ($valid) { + $new_name = $form->edit_user->inputs["name"]->value; + $temp_user = user::lookup_by_name($new_name); + if ($new_name != $user->name && + ($temp_user && $temp_user->id != $user->id)) { + $form->edit_user->inputs["name"]->add_error("in_use", 1); + $valid = false; + } else { + $user->name = $new_name; + } + } + + if ($valid) { + $user->full_name = $form->edit_user->full_name->value; + if ($form->edit_user->password->value) { + $user->password = $form->edit_user->password->value; + } + $user->email = $form->edit_user->email->value; + $user->url = $form->edit_user->url->value; + if ($form->edit_user->locale) { + $desired_locale = $form->edit_user->locale->value; + $user->locale = $desired_locale == "none" ? 
null : $desired_locale; + } + + // An admin can change the admin status for any user but themselves + if ($user->id != user::active()->id) { + $user->admin = $form->edit_user->admin->checked; + } + $user->save(); + module::event("user_edit_form_admin_completed", $user, $form); + + message::success(t("Changed user %user_name", array("user_name" => $user->name))); + print json_encode(array("result" => "success")); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function edit_user_form($id) { + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + + $form = user::get_edit_form_admin($user); + // Don't allow the user to control their own admin bit, else you can lock yourself out + if ($user->id == user::active()->id) { + $form->edit_user->admin->disabled(1); + } + print $form; + } + + public function add_user_to_group($user_id, $group_id) { + access::verify_csrf(); + $group = group::lookup($group_id); + $user = user::lookup($user_id); + $group->add($user); + $group->save(); + } + + public function remove_user_from_group($user_id, $group_id) { + access::verify_csrf(); + $group = group::lookup($group_id); + $user = user::lookup($user_id); + $group->remove($user); + $group->save(); + } + + public function group($group_id) { + $view = new View("admin_users_group.html"); + $view->group = group::lookup($group_id); + print $view; + } + + public function add_group() { + access::verify_csrf(); + + $form = group::get_add_form_admin(); + $valid = $form->validate(); + if ($valid) { + $new_name = $form->add_group->inputs["name"]->value; + $group = group::lookup_by_name($new_name); + if (!empty($group)) { + $form->add_group->inputs["name"]->add_error("in_use", 1); + $valid = false; + } + } + + if ($valid) { + $group = group::create($new_name); + $group->save(); + message::success( + t("Created group %group_name", array("group_name" => $group->name))); + print json_encode(array("result" => 
"success")); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function add_group_form() { + print group::get_add_form_admin(); + } + + public function delete_group($id) { + access::verify_csrf(); + + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + $form = group::get_delete_form_admin($group); + if ($form->validate()) { + $name = $group->name; + $group->delete(); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + + $message = t("Deleted group %group_name", array("group_name" => $name)); + log::success("group", $message); + message::success($message); + print json_encode(array("result" => "success")); + } + + public function delete_group_form($id) { + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + print group::get_delete_form_admin($group); + } + + public function edit_group($id) { + access::verify_csrf(); + + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + $form = group::get_edit_form_admin($group); + $valid = $form->validate(); + + if ($valid) { + $new_name = $form->edit_group->inputs["name"]->value; + $group = group::lookup_by_name($name); + if ($group->loaded) { + $form->edit_group->inputs["name"]->add_error("in_use", 1); + $valid = false; + } + } + + if ($valid) { + $group->name = $form->edit_group->inputs["name"]->value; + $group->save(); + message::success( + t("Changed group %group_name", array("group_name" => $group->name))); + print json_encode(array("result" => "success")); + } else { + message::error( + t("Failed to change group %group_name", array("group_name" => $group->name))); + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function edit_group_form($id) { + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + print group::get_edit_form_admin($group); + } + +} 
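Review bot: delete_user prints the error JSON when `$form->validate()` fails but does not return, so execution falls through to `$message = t("Deleted user %user_name", array("user_name" => $name))` with `$name` never assigned, logs a deletion that did not happen, and prints a second `{"result":"success"}` document after the error one; delete_group has the identical fall-through. Add `return;` after each `print json_encode(array("result" => "error", ...))` in those two methods. Separately, edit_group still references the undefined `$name` in `group::lookup_by_name($name)` and overwrites the `$group` being edited, and add_user_to_group / remove_user_from_group / group use lookup results without the `empty()` guard the other methods apply.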
diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php new file mode 100644 index 00000000..2c4bd557 --- /dev/null +++ b/modules/gallery/controllers/login.php @@ -0,0 +1,81 @@ +form = user::get_login_form("login/auth_ajax"); + print $view; + } + + public function auth_ajax() { + access::verify_csrf(); + + list ($valid, $form) = $this->_auth("login/auth_ajax"); + if ($valid) { + print json_encode( + array("result" => "success")); + } else { + print json_encode( + array("result" => "error", + "form" => $form->__toString())); + } + } + + public function html() { + print user::get_login_form("login/auth_html"); + } + + public function auth_html() { + access::verify_csrf(); + + list ($valid, $form) = $this->_auth("login/auth_html"); + if ($valid) { + url::redirect(item::root()->abs_url()); + } else { + print $form; + } + } + private function _auth($url) { + $form = user::get_login_form($url); + $valid = $form->validate(); + if ($valid) { + $user = user::lookup_by_name($form->login->inputs["name"]->value); + if (empty($user) || !user::is_correct_password($user, $form->login->password->value)) { + log::warning( + "user", + t("Failed login for %name", + array("name" => $form->login->inputs["name"]->value))); + $form->login->inputs["name"]->add_error("invalid_login", 1); + $valid = false; + } + } + + if ($valid) { + user::login($user); + log::info("user", t("User %name logged in", array("name" => $user->name))); + } + + // Either way, regenerate the session id to avoid session trapping + Session::instance()->regenerate(); + + return array($valid, $form); + } +} \ No newline at end of file diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php new file mode 100644 index 00000000..45d397ad --- /dev/null +++ b/modules/gallery/controllers/logout.php 
@@ -0,0 +1,38 @@ + $user->name)), + html::anchor("user/$user->id", html::clean($user->name))); + if ($continue_url = $this->input->get("continue")) { + $item = url::get_item_from_uri($continue_url); + if (access::can("view", $item)) { + // Don't use url::redirect() because it'll call url::site() and munge the continue url. + header("Location: $continue_url"); + } else { + url::redirect(item::root()->abs_url()); + } + } + } +} \ No newline at end of file diff --git a/modules/gallery/controllers/password.php b/modules/gallery/controllers/password.php new file mode 100644 index 00000000..817ff01c --- /dev/null +++ b/modules/gallery/controllers/password.php 
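Review bot: `header("Location: $continue_url")` sends the browser to a value taken directly from the `continue` query parameter; the only gate is that `url::get_item_from_uri($continue_url)` yields an item the now-logged-out user may view, and nothing visible here shows that helper rejecting URLs on another host or guaranteeing a non-null result for an arbitrary string, so this may be an open redirect and `access::can("view", $item)` may receive null — both need confirming against the helper. Before emitting the header, require the target to be local, e.g. `if (parse_url($continue_url, PHP_URL_HOST) !== null) { url::redirect(item::root()->abs_url()); }` or accept only a path, and treat a null `$item` as not viewable. The opening lines of this method are not legible in this rendering of the hunk.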
@@ -0,0 +1,133 @@ +_send_reset(); + } else { + print $this->_reset_form(); + } + } + + public function do_reset() { + if (request::method() == "post") { + $this->_change_password(); + } else { + $user = user::lookyp_by_hash(Input::instance()->get("key")); + if (!empty($user)) { + print $this->_new_password_form($user->hash); + } else { + throw new Exception("@todo FORBIDDEN", 503); + } + } + } + + private function _send_reset() { + $form = $this->_reset_form(); + + $valid = $form->validate(); + if ($valid) { + $user = user::lockup_by_name($form->reset->inputs["name"]->value); + if (!$user->loaded || empty($user->email)) { + $form->reset->inputs["name"]->add_error("no_email", 1); + $valid = false; + } + } + + if ($valid) { + $user->hash = md5(rand()); + $user->save(); + $message = new View("reset_password.html"); + $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash"); + $message->user = $user; + + Sendmail::factory() + ->to($user->email) + ->subject(t("Password Reset Request")) + ->header("Mime-Version", "1.0") + ->header("Content-type", "text/html; charset=iso-8859-1") + ->message($message->render()) + ->send(); + + log::success( + "user", + t("Password reset email sent for user %name", array("name" => $user->name))); + } else { + // Don't include the username here until you're sure that it's XSS safe + log::warning( + "user", "Password reset email requested for bogus user"); + } + + message::success(t("Password reset email sent")); + print json_encode( + array("result" => "success")); + } + + private function _reset_form() { + $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); + $group = $form->group("reset")->label(t("Reset Password")); + $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); + $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); + $group->submit("")->value(t("Reset")); + + return $form; + } + + private function 
_new_password_form($hash=null) { + $template = new Theme_View("page.html", "reset"); + + $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); + $group = $form->group("reset")->label(t("Change Password")); + $hidden = $group->hidden("hash"); + if (!empty($hash)) { + $hidden->value($hash); + } + $group->password("password")->label(t("Password"))->id("g-password") + ->rules("required|length[1,40]"); + $group->password("password2")->label(t("Confirm Password"))->id("g-password2") + ->matches($group->password); + $group->inputs["password2"]->error_messages( + "mistyped", t("The password and the confirm password must match")); + $group->submit("")->value(t("Update")); + + $template->content = $form; + return $template; + } + + private function _change_password() { + $view = $this->_new_password_form(); + if ($view->content->validate()) { + $user = user::lookyp_by_hash(Input::instance()->get("key")); + if (empty($user)) { + throw new Exception("@todo FORBIDDEN", 503); + } + + $user->password = $view->content->reset->password->value; + $user->hash = null; + $user->save(); + message::success(t("Password reset successfully")); + url::redirect(item::root()->abs_url()); + } else { + print $view; + } + } +} \ No newline at end of file diff --git a/modules/gallery/controllers/users.php b/modules/gallery/controllers/users.php new file mode 100644 index 00000000..4ad704f0 --- /dev/null +++ b/modules/gallery/controllers/users.php 
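Review bot: `$user->hash = md5(rand());` in _send_reset derives the password-reset token from `rand()`, which is not a cryptographically secure generator, and that token is the sole credential do_reset accepts; it is emailed and stored with no expiry visible in this file, so a guessable or leaked token stays valid until used. Generate it from a CSPRNG — `bin2hex(random_bytes(16))` where available, else `bin2hex(openssl_random_pseudo_bytes(16))` — and consider recording an issue time so stale tokens can be rejected. The `lookyp_by_hash` / `lockup_by_name` typos and the `!$user->loaded` check carried over from the previous commit are still present in this copy of the file.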
@@ -0,0 +1,67 @@ +guest || $user->id != user::active()->id) { + access::forbidden(); + } + + $form = user::get_edit_form($user); + $valid = $form->validate(); + if ($valid) { + $user->full_name = $form->edit_user->full_name->value; + if ($form->edit_user->password->value) { + $user->password = $form->edit_user->password->value; + } + $user->email = $form->edit_user->email->value; + $user->url = $form->edit_user->url->value; + if ($form->edit_user->locale) { + $desired_locale = $form->edit_user->locale->value; + $new_locale = $desired_locale == "none" ? null : $desired_locale; + if ($new_locale != $user->locale) { + // Delete the session based locale preference + setcookie("g_locale", "", time() - 24 * 3600, "/"); + } + $user->locale = $new_locale; + } + $user->save(); + module::event("user_edit_form_completed", $user, $form); + + message::success(t("User information updated.")); + print json_encode( + array("result" => "success", + "resource" => url::site("users/{$user->id}"))); + } else { + print json_encode( + array("result" => "error", + "form" => $form->__toString())); + } + } + + public function _form_edit($user) { + if ($user->guest || $user->id != user::active()->id) { + access::forbidden(); + } + + print user::get_edit_form($user); + } +} diff --git a/modules/gallery/helpers/gallery_block.php b/modules/gallery/helpers/gallery_block.php index 5d49a9de..f43d82c9 100644 --- a/modules/gallery/helpers/gallery_block.php +++ b/modules/gallery/helpers/gallery_block.php @@ -28,6 +28,10 @@ class gallery_block_Core { "project_news" => t("Gallery Project News")); } + static function get_site_list() { + return array("language" => t("Language Preference")); + } + static function get($block_id) { $block = new Block(); switch($block_id) { 
@@ -85,6 +89,25 @@ class gallery_block_Core { $block->css_id = "g-block-adder"; $block->title = t("Dashboard Content"); $block->content = self::get_add_block_form(); + break; + + case "language": + $locales = locales::installed(); + if (count($locales)) { + foreach ($locales as $locale => $display_name) { + $locales[$locale] = SafeString::of_safe_html($display_name); + } + $block = new Block(); + $block->css_id = "g-user-language-block"; + $block->title = t("Language Preference"); + $block->content = new View("user_languages_block.html"); + $block->content->installed_locales = + array_merge(array("" => t("« none »")), $locales); + $block->content->selected = (string) user::cookie_locale(); + } else { + $block = ""; + } + break; } return $block; diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 290d7d12..e0de2152 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -19,6 +19,14 @@ */ class gallery_event_Core { + /** + * Initialization. + */ + static function gallery_ready() { + user::load_user(); + locales::set_request_locale(); + } + static function group_created($group) { access::add_group($group); } @@ -179,6 +187,10 @@ class gallery_event_Core { ->id("sidebar") ->label(t("Manage Sidebar")) ->url(url::site("admin/sidebar")))) + ->append(Menu::factory("link") + ->id("users_groups") + ->label(t("Users/Groups")) + ->url(url::site("admin/users"))) ->append(Menu::factory("submenu") ->id("statistics_menu") ->label(t("Statistics"))) diff --git a/modules/gallery/helpers/gallery_theme.php b/modules/gallery/helpers/gallery_theme.php index 20dfeb04..a342b4bd 100644 --- a/modules/gallery/helpers/gallery_theme.php +++ b/modules/gallery/helpers/gallery_theme.php 
@@ -37,6 +37,11 @@ class gallery_theme_Core { } } + if (count(locales::installed())) { + // Needed by the languages block + $theme->script("jquery.cookie.js"); + } + if ($session->get("l10n_mode", false)) { $theme->css("l10n_client.css"); $theme->script("jquery.cookie.js"); @@ -46,6 +51,14 @@ class gallery_theme_Core { return $buf; } + static function header_top($theme) { + if ($theme->page_type != "login") { + $view = new View("login.html"); + $view->user = user::active(); + return $view->render(); + } + } + static function admin_head($theme) { $theme->script("gallery.panel.js"); $session = Session::instance(); diff --git a/modules/gallery/helpers/locales.php b/modules/gallery/helpers/locales.php index ab7f7526..faec7816 100644 --- a/modules/gallery/helpers/locales.php +++ b/modules/gallery/helpers/locales.php @@ -136,6 +136,23 @@ class locales_Core { return in_array($language, array("he", "fa", "ar")); } + static function set_request_locale() { + // 1. Check the session specific preference (cookie) + $locale = user::cookie_locale(); + // 2. Check the user's preference + if (!$locale) { + $locale = user::active()->locale; + } + // 3. Check the browser's / OS' preference + if (!$locale) { + $locale = self::locale_from_http_request(); + } + // If we have any preference, override the site's default locale + if ($locale) { + I18n::instance()->locale($locale); + } + } + /** * Returns the best match comparing the HTTP accept-language header * with the installed locales. diff --git a/modules/gallery/views/admin_users.html.php b/modules/gallery/views/admin_users.html.php new file mode 100644 index 00000000..28daff29 --- /dev/null +++ b/modules/gallery/views/admin_users.html.php @@ -0,0 +1,128 @@ + + +
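Review bot: The new `if (count(locales::installed()))` block adds `jquery.cookie.js`, and the `l10n_mode` branch immediately below adds the same script, so a request where both conditions hold registers it twice; whether `$theme->script()` de-duplicates is not visible here. If it does not, hoisting the condition into a single `if (count(locales::installed()) || $session->get("l10n_mode", false))` around one `$theme->script("jquery.cookie.js");` avoids the duplicate include. The enclosing `head()` method starts outside the hunk.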
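Review bot: `set_request_locale()` passes whatever it found straight to `I18n::instance()->locale($locale)` without checking it against the installed set, and the first two sources are under the client's control (a cookie via `user::cookie_locale()` and the profile's locale field). Whether that matters depends on what `I18n::locale()` does with the value, which is outside this hunk; a cheap bound is to accept the candidate only if it is a key of `locales::installed()`, e.g. `if ($locale && array_key_exists($locale, locales::installed())) { I18n::instance()->locale($locale); }`. The same body existed in the deleted `user_event` helper, so this is pre-existing rather than introduced here, but the move is a good moment to add the check.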
+ " + class="g-dialog-link g-button g-right ui-icon-left ui-state-default ui-corner-all" + title="for_html_attr() ?>"> + + + + +

+ +

+ +
+ + + + + + + + + + $user): ?> + user admin ? "admin" : "" ?>"> + + + + + + + +
+ " + title="for_html_attr() ?>" + alt="name) ?>" + width="20" + height="20" /> + name) ?> + + full_name) ?> + + email) ?> + + last_login == 0) ? "" : gallery::date($user->last_login) ?> + + id") ?>" + open_text="" + class="g-panel-link g-button ui-state-default ui-corner-all ui-icon-left"> + + id != $user->id && !$user->guest): ?> + id") ?>" + class="g-dialog-link g-button ui-state-default ui-corner-all ui-icon-left"> + + + for_html_attr() ?>" + class="g-button ui-state-disabled ui-corner-all ui-icon-left"> + + +
+
+
+ + diff --git a/modules/gallery/views/admin_users_group.html.php b/modules/gallery/views/admin_users_group.html.php new file mode 100644 index 00000000..db3645a0 --- /dev/null +++ b/modules/gallery/views/admin_users_group.html.php @@ -0,0 +1,38 @@ + +

+ name) ?> + special): ?> + id") ?>" + title=" $group->name))->for_html_attr() ?>" + class="g-dialog-link g-button ui-state-default ui-corner-all"> + + + for_html_attr() ?>" + class="g-dialog-link g-button ui-state-disabled ui-corner-all ui-icon-left"> + + +

+ +users->count() > 0): ?> + + +
+

+ +

+
+ diff --git a/modules/gallery/views/login.html.php b/modules/gallery/views/login.html.php new file mode 100644 index 00000000..049ba043 --- /dev/null +++ b/modules/gallery/views/login.html.php @@ -0,0 +1,22 @@ + + diff --git a/modules/gallery/views/login_ajax.html.php b/modules/gallery/views/login_ajax.html.php new file mode 100644 index 00000000..d3364b46 --- /dev/null +++ b/modules/gallery/views/login_ajax.html.php @@ -0,0 +1,43 @@ + + +
+
    +
  • + +
  • +
  • + +
  • +
+
diff --git a/modules/gallery/views/reset_password.html.php b/modules/gallery/views/reset_password.html.php new file mode 100644 index 00000000..92ca4917 --- /dev/null +++ b/modules/gallery/views/reset_password.html.php @@ -0,0 +1,17 @@ + + + + <?= t("Password Reset Request") ?> + + +

+

+ $user->full_name ? $user->full_name : $user->name)) ?> +

+

+ %site_url. If you made this request, you can confirm it by clicking this link. If you didn't request this password reset, it's ok to ignore this mail.", + array("site_url" => html::mark_clean(url::base(false, "http")), + "confirm_url" => $confirm_url)) ?> +

+ + diff --git a/modules/gallery/views/user_languages_block.html.php b/modules/gallery/views/user_languages_block.html.php new file mode 100644 index 00000000..89185967 --- /dev/null +++ b/modules/gallery/views/user_languages_block.html.php @@ -0,0 +1,19 @@ + + + + diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php deleted file mode 100644 index 6c72440a..00000000 --- a/modules/user/controllers/admin_users.php +++ /dev/null 
@@ -1,290 +0,0 @@ -content = new View("admin_users.html"); - $view->content->users = user::users(array("orderby" => array("name" => "ASC"))); - $view->content->groups = group::groups(array("orderby" => array("name" => "ASC"))); - print $view; - } - - public function add_user() { - access::verify_csrf(); - - $form = user::get_add_form_admin(); - $valid = $form->validate(); - $name = $form->add_user->inputs["name"]->value; - if ($user = user::lookup_by_name($name)) { - $form->add_user->inputs["name"]->add_error("in_use", 1); - $valid = false; - } - - if ($valid) { - $user = user::create( - $name, $form->add_user->full_name->value, $form->add_user->password->value); - $user->email = $form->add_user->email->value; - $user->admin = $form->add_user->admin->checked; - - if ($form->add_user->locale) { - $desired_locale = $form->add_user->locale->value; - $user->locale = $desired_locale == "none" ? null : $desired_locale; - } - $user->save(); - module::event("user_add_form_admin_completed", $user, $form); - - message::success(t("Created user %user_name", array("user_name" => $user->name))); - print json_encode(array("result" => "success")); - } else { - print json_encode(array("result" => "error", - "form" => $form->__toString())); - } - } - - public function add_user_form() { - print user::get_add_form_admin(); - } - - public function delete_user($id) { - access::verify_csrf(); - - if ($id == user::active()->id || $id == user::guest()->id) { - access::forbidden(); - } - - $user = user::lookup($id); - if (empty($user)) { - kohana::show_404(); - } - - $form = user::get_delete_form_admin($user); - if($form->validate()) { - $name = $user->name; - $user->delete(); - } else { - print json_encode(array("result" => "error", - "form" => $form->__toString())); - } - - $message = t("Deleted user %user_name", array("user_name" => $name)); - log::success("user", $message); - message::success($message); - print json_encode(array("result" => "success")); - } - - public function 
delete_user_form($id) { - $user = user::lookup($id); - if (empty($user)) { - kohana::show_404(); - } - print user::get_delete_form_admin($user); - } - - public function edit_user($id) { - access::verify_csrf(); - - $user = user::lookup($id); - if (empty($user)) { - kohana::show_404(); - } - - $form = user::get_edit_form_admin($user); - $valid = $form->validate(); - if ($valid) { - $new_name = $form->edit_user->inputs["name"]->value; - $temp_user = user::lookup_by_name($new_name); - if ($new_name != $user->name && - ($temp_user && $temp_user->id != $user->id)) { - $form->edit_user->inputs["name"]->add_error("in_use", 1); - $valid = false; - } else { - $user->name = $new_name; - } - } - - if ($valid) { - $user->full_name = $form->edit_user->full_name->value; - if ($form->edit_user->password->value) { - $user->password = $form->edit_user->password->value; - } - $user->email = $form->edit_user->email->value; - $user->url = $form->edit_user->url->value; - if ($form->edit_user->locale) { - $desired_locale = $form->edit_user->locale->value; - $user->locale = $desired_locale == "none" ? 
null : $desired_locale; - } - - // An admin can change the admin status for any user but themselves - if ($user->id != user::active()->id) { - $user->admin = $form->edit_user->admin->checked; - } - $user->save(); - module::event("user_edit_form_admin_completed", $user, $form); - - message::success(t("Changed user %user_name", array("user_name" => $user->name))); - print json_encode(array("result" => "success")); - } else { - print json_encode(array("result" => "error", - "form" => $form->__toString())); - } - } - - public function edit_user_form($id) { - $user = user::lookup($id); - if (empty($user)) { - kohana::show_404(); - } - - $form = user::get_edit_form_admin($user); - // Don't allow the user to control their own admin bit, else you can lock yourself out - if ($user->id == user::active()->id) { - $form->edit_user->admin->disabled(1); - } - print $form; - } - - public function add_user_to_group($user_id, $group_id) { - access::verify_csrf(); - $group = group::lookup($group_id); - $user = user::lookup($user_id); - $group->add($user); - $group->save(); - } - - public function remove_user_from_group($user_id, $group_id) { - access::verify_csrf(); - $group = group::lookup($group_id); - $user = user::lookup($user_id); - $group->remove($user); - $group->save(); - } - - public function group($group_id) { - $view = new View("admin_users_group.html"); - $view->group = group::lookup($group_id); - print $view; - } - - public function add_group() { - access::verify_csrf(); - - $form = group::get_add_form_admin(); - $valid = $form->validate(); - if ($valid) { - $new_name = $form->add_group->inputs["name"]->value; - $group = group::lookup_by_name($new_name); - if (!empty($group)) { - $form->add_group->inputs["name"]->add_error("in_use", 1); - $valid = false; - } - } - - if ($valid) { - $group = group::create($new_name); - $group->save(); - message::success( - t("Created group %group_name", array("group_name" => $group->name))); - print json_encode(array("result" => 
"success")); - } else { - print json_encode(array("result" => "error", - "form" => $form->__toString())); - } - } - - public function add_group_form() { - print group::get_add_form_admin(); - } - - public function delete_group($id) { - access::verify_csrf(); - - $group = group::lookup($id); - if (empty($group)) { - kohana::show_404(); - } - - $form = group::get_delete_form_admin($group); - if ($form->validate()) { - $name = $group->name; - $group->delete(); - } else { - print json_encode(array("result" => "error", - "form" => $form->__toString())); - } - - $message = t("Deleted group %group_name", array("group_name" => $name)); - log::success("group", $message); - message::success($message); - print json_encode(array("result" => "success")); - } - - public function delete_group_form($id) { - $group = group::lookup($id); - if (empty($group)) { - kohana::show_404(); - } - - print group::get_delete_form_admin($group); - } - - public function edit_group($id) { - access::verify_csrf(); - - $group = group::lookup($id); - if (empty($group)) { - kohana::show_404(); - } - - $form = group::get_edit_form_admin($group); - $valid = $form->validate(); - - if ($valid) { - $new_name = $form->edit_group->inputs["name"]->value; - $group = group::lookup_by_name($name); - if ($group->loaded) { - $form->edit_group->inputs["name"]->add_error("in_use", 1); - $valid = false; - } - } - - if ($valid) { - $group->name = $form->edit_group->inputs["name"]->value; - $group->save(); - message::success( - t("Changed group %group_name", array("group_name" => $group->name))); - print json_encode(array("result" => "success")); - } else { - message::error( - t("Failed to change group %group_name", array("group_name" => $group->name))); - print json_encode(array("result" => "error", - "form" => $form->__toString())); - } - } - - public function edit_group_form($id) { - $group = group::lookup($id); - if (empty($group)) { - kohana::show_404(); - } - - print group::get_edit_form_admin($group); - } - -} 
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php deleted file mode 100644 index 2c4bd557..00000000 --- a/modules/user/controllers/login.php +++ /dev/null @@ -1,81 +0,0 @@ -form = user::get_login_form("login/auth_ajax"); - print $view; - } - - public function auth_ajax() { - access::verify_csrf(); - - list ($valid, $form) = $this->_auth("login/auth_ajax"); - if ($valid) { - print json_encode( - array("result" => "success")); - } else { - print json_encode( - array("result" => "error", - "form" => $form->__toString())); - } - } - - public function html() { - print user::get_login_form("login/auth_html"); - } - - public function auth_html() { - access::verify_csrf(); - - list ($valid, $form) = $this->_auth("login/auth_html"); - if ($valid) { - url::redirect(item::root()->abs_url()); - } else { - print $form; - } - } - private function _auth($url) { - $form = user::get_login_form($url); - $valid = $form->validate(); - if ($valid) { - $user = user::lookup_by_name($form->login->inputs["name"]->value); - if (empty($user) || !user::is_correct_password($user, $form->login->password->value)) { - log::warning( - "user", - t("Failed login for %name", - array("name" => $form->login->inputs["name"]->value))); - $form->login->inputs["name"]->add_error("invalid_login", 1); - $valid = false; - } - } - - if ($valid) { - user::login($user); - log::info("user", t("User %name logged in", array("name" => $user->name))); - } - - // Either way, regenerate the session id to avoid session trapping - Session::instance()->regenerate(); - - return array($valid, $form); - } -} \ No newline at end of file diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php deleted file mode 100644 index 45d397ad..00000000 --- a/modules/user/controllers/logout.php +++ /dev/null 
@@ -1,38 +0,0 @@ - $user->name)), - html::anchor("user/$user->id", html::clean($user->name))); - if ($continue_url = $this->input->get("continue")) { - $item = url::get_item_from_uri($continue_url); - if (access::can("view", $item)) { - // Don't use url::redirect() because it'll call url::site() and munge the continue url. - header("Location: $continue_url"); - } else { - url::redirect(item::root()->abs_url()); - } - } - } -} \ No newline at end of file diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php deleted file mode 100644 index 817ff01c..00000000 --- a/modules/user/controllers/password.php +++ /dev/null 
@@ -1,133 +0,0 @@ -_send_reset(); - } else { - print $this->_reset_form(); - } - } - - public function do_reset() { - if (request::method() == "post") { - $this->_change_password(); - } else { - $user = user::lookyp_by_hash(Input::instance()->get("key")); - if (!empty($user)) { - print $this->_new_password_form($user->hash); - } else { - throw new Exception("@todo FORBIDDEN", 503); - } - } - } - - private function _send_reset() { - $form = $this->_reset_form(); - - $valid = $form->validate(); - if ($valid) { - $user = user::lockup_by_name($form->reset->inputs["name"]->value); - if (!$user->loaded || empty($user->email)) { - $form->reset->inputs["name"]->add_error("no_email", 1); - $valid = false; - } - } - - if ($valid) { - $user->hash = md5(rand()); - $user->save(); - $message = new View("reset_password.html"); - $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash"); - $message->user = $user; - - Sendmail::factory() - ->to($user->email) - ->subject(t("Password Reset Request")) - ->header("Mime-Version", "1.0") - ->header("Content-type", "text/html; charset=iso-8859-1") - ->message($message->render()) - ->send(); - - log::success( - "user", - t("Password reset email sent for user %name", array("name" => $user->name))); - } else { - // Don't include the username here until you're sure that it's XSS safe - log::warning( - "user", "Password reset email requested for bogus user"); - } - - message::success(t("Password reset email sent")); - print json_encode( - array("result" => "success")); - } - - private function _reset_form() { - $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); - $group = $form->group("reset")->label(t("Reset Password")); - $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); - $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); - $group->submit("")->value(t("Reset")); - - return $form; - } - - private function 
_new_password_form($hash=null) { - $template = new Theme_View("page.html", "reset"); - - $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); - $group = $form->group("reset")->label(t("Change Password")); - $hidden = $group->hidden("hash"); - if (!empty($hash)) { - $hidden->value($hash); - } - $group->password("password")->label(t("Password"))->id("g-password") - ->rules("required|length[1,40]"); - $group->password("password2")->label(t("Confirm Password"))->id("g-password2") - ->matches($group->password); - $group->inputs["password2"]->error_messages( - "mistyped", t("The password and the confirm password must match")); - $group->submit("")->value(t("Update")); - - $template->content = $form; - return $template; - } - - private function _change_password() { - $view = $this->_new_password_form(); - if ($view->content->validate()) { - $user = user::lookyp_by_hash(Input::instance()->get("key")); - if (empty($user)) { - throw new Exception("@todo FORBIDDEN", 503); - } - - $user->password = $view->content->reset->password->value; - $user->hash = null; - $user->save(); - message::success(t("Password reset successfully")); - url::redirect(item::root()->abs_url()); - } else { - print $view; - } - } -} \ No newline at end of file diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php deleted file mode 100644 index 4ad704f0..00000000 --- a/modules/user/controllers/users.php +++ /dev/null 
@@ -1,67 +0,0 @@ -guest || $user->id != user::active()->id) { - access::forbidden(); - } - - $form = user::get_edit_form($user); - $valid = $form->validate(); - if ($valid) { - $user->full_name = $form->edit_user->full_name->value; - if ($form->edit_user->password->value) { - $user->password = $form->edit_user->password->value; - } - $user->email = $form->edit_user->email->value; - $user->url = $form->edit_user->url->value; - if ($form->edit_user->locale) { - $desired_locale = $form->edit_user->locale->value; - $new_locale = $desired_locale == "none" ? null : $desired_locale; - if ($new_locale != $user->locale) { - // Delete the session based locale preference - setcookie("g_locale", "", time() - 24 * 3600, "/"); - } - $user->locale = $new_locale; - } - $user->save(); - module::event("user_edit_form_completed", $user, $form); - - message::success(t("User information updated.")); - print json_encode( - array("result" => "success", - "resource" => url::site("users/{$user->id}"))); - } else { - print json_encode( - array("result" => "error", - "form" => $form->__toString())); - } - } - - public function _form_edit($user) { - if ($user->guest || $user->id != user::active()->id) { - access::forbidden(); - } - - print user::get_edit_form($user); - } -} diff --git a/modules/user/helpers/user_block.php b/modules/user/helpers/user_block.php deleted file mode 100644 index f920b4c5..00000000 --- a/modules/user/helpers/user_block.php +++ /dev/null 
@@ -1,46 +0,0 @@ - t("Language Preference")); - } - - static function get($block_id, $theme) { - $block = ""; - switch ($block_id) { - case "language": - $locales = locales::installed(); - foreach ($locales as $locale => $display_name) { - $locales[$locale] = SafeString::of_safe_html($display_name); - } - if (count($locales) > 1) { - $block = new Block(); - $block->css_id = "g-user-language-block"; - $block->title = t("Language Preference"); - $block->content = new View("user_languages_block.html"); - $block->content->installed_locales = - array_merge(array("" => t("« none »")), $locales); - $block->content->selected = (string) user::cookie_locale(); - } - break; - } - return $block; - } -} \ No newline at end of file diff --git a/modules/user/helpers/user_event.php b/modules/user/helpers/user_event.php deleted file mode 100644 index ede4e515..00000000 --- a/modules/user/helpers/user_event.php +++ /dev/null @@ -1,53 +0,0 @@ -add_after("appearance_menu", - Menu::factory("link") - ->id("users_groups") - ->label(t("Users/Groups")) - ->url(url::site("admin/users"))); - } - - static function set_request_locale() { - // 1. Check the session specific preference (cookie) - $locale = user::cookie_locale(); - // 2. Check the user's preference - if (!$locale) { - $locale = user::active()->locale; - } - // 3. Check the browser's / OS' preference - if (!$locale) { - $locale = locales::locale_from_http_request(); - } - // If we have any preference, override the site's default locale - if ($locale) { - I18n::instance()->locale($locale); - } - } -} diff --git a/modules/user/helpers/user_theme.php b/modules/user/helpers/user_theme.php deleted file mode 100644 index 69d63eaf..00000000 --- a/modules/user/helpers/user_theme.php +++ /dev/null 
@@ -1,36 +0,0 @@ -script("jquery.cookie.js"); - } - return ""; - } - - static function header_top($theme) { - if ($theme->page_type != "login") { - $view = new View("login.html"); - $view->user = user::active(); - return $view->render(); - } - } -} diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php deleted file mode 100644 index 28daff29..00000000 --- a/modules/user/views/admin_users.html.php +++ /dev/null @@ -1,128 +0,0 @@ - - -
- " - class="g-dialog-link g-button g-right ui-icon-left ui-state-default ui-corner-all" - title="for_html_attr() ?>"> - - - - -

- -

- -
- - - - - - - - - - $user): ?> - user admin ? "admin" : "" ?>"> - - - - - - - -
- " - title="for_html_attr() ?>" - alt="name) ?>" - width="20" - height="20" /> - name) ?> - - full_name) ?> - - email) ?> - - last_login == 0) ? "" : gallery::date($user->last_login) ?> - - id") ?>" - open_text="" - class="g-panel-link g-button ui-state-default ui-corner-all ui-icon-left"> - - id != $user->id && !$user->guest): ?> - id") ?>" - class="g-dialog-link g-button ui-state-default ui-corner-all ui-icon-left"> - - - for_html_attr() ?>" - class="g-button ui-state-disabled ui-corner-all ui-icon-left"> - - -
-
-
- - diff --git a/modules/user/views/admin_users_group.html.php b/modules/user/views/admin_users_group.html.php deleted file mode 100644 index db3645a0..00000000 --- a/modules/user/views/admin_users_group.html.php +++ /dev/null @@ -1,38 +0,0 @@ - -

- name) ?> - special): ?> - id") ?>" - title=" $group->name))->for_html_attr() ?>" - class="g-dialog-link g-button ui-state-default ui-corner-all"> - - - for_html_attr() ?>" - class="g-dialog-link g-button ui-state-disabled ui-corner-all ui-icon-left"> - - -

- -users->count() > 0): ?> - - -
-

- -

-
- diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php deleted file mode 100644 index 049ba043..00000000 --- a/modules/user/views/login.html.php +++ /dev/null @@ -1,22 +0,0 @@ - - diff --git a/modules/user/views/login_ajax.html.php b/modules/user/views/login_ajax.html.php deleted file mode 100644 index d3364b46..00000000 --- a/modules/user/views/login_ajax.html.php +++ /dev/null @@ -1,43 +0,0 @@ - - -
-
    -
  • - -
  • -
  • - -
  • -
-
diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php deleted file mode 100644 index 92ca4917..00000000 --- a/modules/user/views/reset_password.html.php +++ /dev/null @@ -1,17 +0,0 @@ - - - - <?= t("Password Reset Request") ?> - - -

-

- $user->full_name ? $user->full_name : $user->name)) ?> -

-

- %site_url. If you made this request, you can confirm it by clicking this link. If you didn't request this password reset, it's ok to ignore this mail.", - array("site_url" => html::mark_clean(url::base(false, "http")), - "confirm_url" => $confirm_url)) ?> -

- - diff --git a/modules/user/views/user_languages_block.html.php b/modules/user/views/user_languages_block.html.php deleted file mode 100644 index 89185967..00000000 --- a/modules/user/views/user_languages_block.html.php +++ /dev/null @@ -1,19 +0,0 @@ - - - - -- cgit v1.2.3 From 098b57bf18112d0a3173dbe28b5ed76782431ff7 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 19 Oct 2009 12:53:44 -0700 Subject: Simplify the user interface by moving the password reset functionality into the user module Bagging the User_Definition and Group_Definition abstract classes and replacing them with interfaces with the same names. Make sure all the unit tests work. --- modules/gallery/controllers/password.php | 133 -------------- modules/gallery/helpers/access.php | 4 +- modules/gallery/libraries/Identity.php | 34 +--- modules/gallery/libraries/drivers/Identity.php | 196 ++------------------- modules/gallery/tests/Albums_Controller_Test.php | 1 + modules/gallery/tests/Photos_Controller_Test.php | 2 +- modules/gallery/views/admin_identity.html.php | 6 +- modules/gallery/views/reset_password.html.php | 17 -- modules/user/controllers/password.php | 133 ++++++++++++++ modules/user/helpers/group.php | 4 +- modules/user/helpers/user.php | 15 +- .../user/libraries/drivers/Identity/Gallery.php | 99 ++--------- modules/user/models/group.php | 2 +- modules/user/models/user.php | 2 +- modules/user/views/admin_users.html.php | 2 +- modules/user/views/reset_password.html.php | 17 ++ 16 files changed, 206 insertions(+), 461 deletions(-) delete mode 100644 modules/gallery/controllers/password.php delete mode 100644 modules/gallery/views/reset_password.html.php create mode 100644 modules/user/controllers/password.php create mode 100644 modules/user/views/reset_password.html.php (limited to 'modules/user/controllers/password.php') diff --git a/modules/gallery/controllers/password.php b/modules/gallery/controllers/password.php deleted file mode 100644 index ce6d67b1..00000000 
--- a/modules/gallery/controllers/password.php
+++ /dev/null
@@ -1,133 +0,0 @@ -_send_reset(); - } else { - print $this->_reset_form(); - } - } - - public function do_reset() { - if (request::method() == "post") { - $this->_change_password(); - } else { - $user = Identity::lookup_user_by_hash(Input::instance()->get("key")); - if (!empty($user)) { - print $this->_new_password_form($user->hash); - } else { - throw new Exception("@todo FORBIDDEN", 503); - } - } - } - - private function _send_reset() { - $form = $this->_reset_form(); - - $valid = $form->validate(); - if ($valid) { - $user = Identity::lookup_user_by_name($form->reset->inputs["name"]->value); - if (!$user->loaded || empty($user->email)) { - $form->reset->inputs["name"]->add_error("no_email", 1); - $valid = false; - } - } - - if ($valid) { - $user->hash = md5(rand()); - $user->save(); - $message = new View("reset_password.html"); - $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash"); - $message->user = $user; - - Sendmail::factory() - ->to($user->email) - ->subject(t("Password Reset Request")) - ->header("Mime-Version", "1.0") - ->header("Content-type", "text/html; charset=iso-8859-1") - ->message($message->render()) - ->send(); - - log::success( - "user", - t("Password reset email sent for user %name", array("name" => $user->name))); - } else { - // Don't include the username here until you're sure that it's XSS safe - log::warning( - "user", "Password reset email requested for bogus user"); - } - - message::success(t("Password reset email sent")); - print json_encode( - array("result" => "success")); - } - - private function _reset_form() { - $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); - $group = $form->group("reset")->label(t("Reset Password")); - $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); - $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); - $group->submit("")->value(t("Reset")); - - return $form; - } - - 
private function _new_password_form($hash=null) { - $template = new Theme_View("page.html", "reset"); - - $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); - $group = $form->group("reset")->label(t("Change Password")); - $hidden = $group->hidden("hash"); - if (!empty($hash)) { - $hidden->value($hash); - } - $group->password("password")->label(t("Password"))->id("g-password") - ->rules("required|length[1,40]"); - $group->password("password2")->label(t("Confirm Password"))->id("g-password2") - ->matches($group->password); - $group->inputs["password2"]->error_messages( - "mistyped", t("The password and the confirm password must match")); - $group->submit("")->value(t("Update")); - - $template->content = $form; - return $template; - } - - private function _change_password() { - $view = $this->_new_password_form(); - if ($view->content->validate()) { - $user = Identity::lookup_user_by_hash(Input::instance()->get("key")); - if (empty($user)) { - throw new Exception("@todo FORBIDDEN", 503); - } - - $user->password = $view->content->reset->password->value; - $user->hash = null; - $user->save(); - message::success(t("Password reset successfully")); - url::redirect(item::root()->abs_url()); - } else { - print $view; - } - } -} \ No newline at end of file diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php index 21f4de81..fba161e3 100644 --- a/modules/gallery/helpers/access.php +++ b/modules/gallery/helpers/access.php @@ -197,8 +197,8 @@ class access_Core { * @param Item_Model $item * @param boolean $value */ - private static function _set(Group_Model $group, $perm_name, $album, $value) { - if (get_class($group) != "Group_Model") { + private static function _set(Group_Definition $group, $perm_name, $album, $value) { + if (!($group instanceof Group_Definition)) { throw new Exception("@todo PERMISSIONS_ONLY_WORK_ON_GROUPS"); } if (!$album->loaded) { 
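Review bot: In `_set()`, the new `if (!($group instanceof Group_Definition))` guard is unreachable: the parameter is now type-hinted as `Group_Definition`, so PHP rejects anything else before the body runs. The original `get_class($group) != "Group_Model"` check was meaningful because it excluded subclasses; the replacement excludes nothing. Either drop the check and its `throw`, or — if the intent was to reject particular implementations — test for those explicitly. The rest of `_set()` lies outside the hunk.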
diff --git a/modules/gallery/libraries/Identity.php b/modules/gallery/libraries/Identity.php index 9e5f0bb5..e77fd2d2 100644 --- a/modules/gallery/libraries/Identity.php +++ b/modules/gallery/libraries/Identity.php @@ -133,37 +133,17 @@ class Identity_Core { } /** - * @see Identity_Driver::hash_password. - */ - static function hash_password($password) { - return self::instance()->driver->hash_password($password); - } - - /** - * Look up a user by id. - * @param integer $id the user id - * @return User_Definition the user object, or null if the id was invalid. + * @see Identity_Driver::lookup_user. */ static function lookup_user($id) { - return self::instance()->driver->lookup_user_by_field("id", $id); + return self::instance()->driver->lookup_user($id); } /** - * Look up a user by name. - * @param integer $name the user name - * @return User_Definition the user object, or null if the name was invalid. + * @see Identity_Driver::lookup_user_by_name. */ static function lookup_user_by_name($name) { - return self::instance()->driver->lookup_user_by_field("name", $name); - } - - /** - * Look up a user by hash. - * @param string $name the user name - * @return User_Definition the user object, or null if the name was invalid. - */ - static function lookup_user_by_hash($hash) { - return self::instance()->driver->lookup_user_by_field("hash", $hash); + return self::instance()->driver->lookup_user_by_name($name); } /** @@ -188,12 +168,10 @@ class Identity_Core { } /** - * Look up a group by name. - * @param integer $id the group name - * @return Group_Definition the group object, or null if the name was invalid. + * @see Identity_Driver::lookup_group_by_name. */ static function lookup_group_by_name($name) { - return self::instance()->driver->lookup_group_by_field("name", $name); + return self::instance()->driver->lookup_group_by_name($name); } /** 
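Review bot: This hunk removes `Identity::lookup_user_by_hash()` and `Identity::hash_password()` from the facade, while the gallery password controller deleted earlier on this page called `Identity::lookup_user_by_hash()` in both `do_reset()` and `_change_password()`; the replacement controller under `modules/user` is not in this chunk, so I cannot verify that no caller of either static method remains. Worth a grep before merging. Replacing the full docblocks with `@see Identity_Driver::lookup_user` is fine only as long as the driver interface carries the return/null contract, which the next hunk does.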
diff --git a/modules/gallery/libraries/drivers/Identity.php b/modules/gallery/libraries/drivers/Identity.php index a9e1a75b..6ab001cb 100644 --- a/modules/gallery/libraries/drivers/Identity.php +++ b/modules/gallery/libraries/drivers/Identity.php @@ -45,19 +45,18 @@ interface Identity_Driver { public function is_correct_password($user, $password); /** - * Create the hashed passwords. - * @param string $password a plaintext password - * @return string hashed password + * Look up a user by id. + * @param integer id + * @return User_Definition the user object, or null if the name was invalid. */ - public function hash_password($password); + public function lookup_user($id); /** - * Look up a user by by search the specified field. - * @param string search field - * @param string search value - * @return User_Definition the user object, or null if the name was invalid. + * Look up a user by name. + * @param string name + * @return User_Definition the user object, or null if the name was invalid. */ - public function lookup_user_by_field($field, $value); + public function lookup_user_by_name($name); /** * Create a new group. 
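Review bot: The new `lookup_user($id)` docblock is a copy of the by-name one: it reads `@param integer id` without the `$id` variable name and `@return User_Definition the user object, or null if the name was invalid`, but the argument is an id. Suggest `@param integer $id the user id` and `@return User_Definition the user object, or null if the id was invalid.`; the `lookup_user_by_name` block likewise wants `@param string $name the user name`.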
@@ -90,181 +89,6 @@ interface Identity_Driver { } // End Identity Driver Definition -/** - * User Data wrapper - */ -abstract class User_Definition { - protected $user; - public function __get($column) { - switch ($column) { - case "id": - case "name": - case "full_name": - case "password": - case "login_count": - case "last_login": - case "email": - case "admin": - case "guest": - case "hash": - case "url": - case "locale": - case "groups": - case "hashed_password": - return $this->user->$column; - default: - throw new Exception("@todo UNSUPPORTED FIELD: $column"); - break; - } - } - - public function __set($column, $value) { - switch ($column) { - case "id": - case "groups": - throw new Exception("@todo READ ONLY FIELD: $column"); - break; - case "name": - case "full_name": - case "hashed_password": - case "password": - case "login_count": - case "last_login": - case "email": - case "admin": - case "guest": - case "hash": - case "url": - case "locale": - $this->user->$column = $value; - break; - default: - throw new Exception("@todo UNSUPPORTED FIELD: $column"); - break; - } - } - - public function __isset($column) { - return isset($this->user->$column); - } - - public function __unset($column) { - switch ($column) { - case "id": - case "groups": - throw new Exception("@todo READ ONLY FIELD: $column"); - break; - case "name": - case "full_name": - case "password": - case "login_count": - case "last_login": - case "email": - case "admin": - case "guest": - case "hash": - case "url": - case "locale": - case "hashed_password": - unset($this->user->$column); - break; - default: - throw new Exception("@todo UNSUPPORTED FIELD: $column"); - break; - } - } - - /** - * Return a url to the user's avatar image. - * @param integer $size the target size of the image (default 80px) - * @return string a url - */ - abstract public function avatar_url($size=80, $default=null); - - /** - * Return the best version of the user's name. 
Either their specified full name, or fall back - * to the user name. - * @return string - */ - abstract public function display_name(); - - /** - * Return the internal user object without the wrapper. - * This method is used by implementing classes to access the internal user object. - * Consider it pseudo private and only declared public as PHP as not internal or friend modifier - */ - public function _uncloaked() { - return $this->user; - } - - abstract public function save(); - abstract public function delete(); -} - -/** - * Group Data wrapper - */ -abstract class Group_Definition { - protected $group; - - public function __get($column) { - switch ($column) { - case "id": - case "name": - case "special": - case "users": - return $this->group->$column; - default: - throw new Exception("@todo UNSUPPORTED FIELD: $column"); - break; - } - } - - public function __set($column, $value) { - switch ($column) { - case "id": - case "users": - throw new Exception("@todo READ ONLY FIELD: $column"); - break; - case "name": - case "special": - $this->group->$column = $value; - default: - throw new Exception("@todo UNSUPPORTED FIELD: $column"); - break; - } - } - - public function __isset($column) { - return isset($this->group->$column); - } - - public function __unset($column) { - switch ($column) { - case "id": - case "users": - throw new Exception("@todo READ ONLY FIELD: $column"); - break; - case "name": - case "special": - unset($this->group->$column); - default: - throw new Exception("@todo UNSUPPORTED FIELD: $column"); - break; - } - } - - /** - * Return the internal group object without the wrapper. - * This method is used by implementing classes to access the internal group object. 
- * Consider it pseudo private and only declared public as PHP as not internal or friend modifier - */ - public function _uncloaked() { - return $this->group; - } +interface Group_Definition {} - abstract public function save(); - abstract public function delete(); - abstract public function add($user); - abstract public function remove($user); -} +interface User_Definition {} diff --git a/modules/gallery/tests/Albums_Controller_Test.php b/modules/gallery/tests/Albums_Controller_Test.php index 046cb5ad..fa46d924 100644 --- a/modules/gallery/tests/Albums_Controller_Test.php +++ b/modules/gallery/tests/Albums_Controller_Test.php @@ -43,6 +43,7 @@ class Albums_Controller_Test extends Unit_Test_Case { $_POST["column"] = "weight"; $_POST["direction"] = "ASC"; $_POST["csrf"] = access::csrf_token(); + $_POST["slug"] = "new_name"; $_POST["_method"] = "put"; access::allow(Identity::everybody(), "edit", $root); diff --git a/modules/gallery/tests/Photos_Controller_Test.php b/modules/gallery/tests/Photos_Controller_Test.php index cdb4ae4f..59c3f78a 100644 --- a/modules/gallery/tests/Photos_Controller_Test.php +++ b/modules/gallery/tests/Photos_Controller_Test.php @@ -31,7 +31,7 @@ class Photos_Controller_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $photo = photo::create( $root, MODPATH . "gallery/tests/test.jpg", "test.jpeg", - "test", "test", Session::active_user(), "slug"); + "test", "test", Session::active_user()->id, "slug"); $orig_name = $photo->name; $_POST["filename"] = "test.jpeg"; diff --git a/modules/gallery/views/admin_identity.html.php b/modules/gallery/views/admin_identity.html.php index dcf1dbc1..1405cacb 100644 --- a/modules/gallery/views/admin_identity.html.php +++ b/modules/gallery/views/admin_identity.html.php 
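Review bot: `interface User_Definition {}` and `interface Group_Definition {}` are empty, so the `User_Definition` return type promised by the driver no longer guarantees any member, while code in this series reads `$user->hash`, `$user->email`, `$user->loaded`, `$user->guest`, `$user->admin` and calls `save()` on whatever comes back; the removed wrappers also enforced that `id` and `groups` were read-only, and nothing replaces that guard. At minimum declare the methods the callers need, `public function save(); public function delete();`, and add a docblock listing the properties an implementation must expose, so a non-ORM provider can be checked against a contract rather than against whatever the ORM happens to have. The removed wrapper classes are history and are not re-raised here.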
@@ -15,11 +15,11 @@ height:165, modal: true, overlay: { - backgroundColor: '#000', - opacity: 0.5 + backgroundColor: '#000', + opacity: 0.5 }, buttons: { - "Continue": function() { + "Continue": function() { $("##g-dialog form").submit(); }, Cancel: function() { diff --git a/modules/gallery/views/reset_password.html.php b/modules/gallery/views/reset_password.html.php deleted file mode 100644 index 92ca4917..00000000 --- a/modules/gallery/views/reset_password.html.php +++ /dev/null @@ -1,17 +0,0 @@ - - - - <?= t("Password Reset Request") ?> - - -

-

- $user->full_name ? $user->full_name : $user->name)) ?> -

-

- %site_url. If you made this request, you can confirm it by clicking this link. If you didn't request this password reset, it's ok to ignore this mail.", - array("site_url" => html::mark_clean(url::base(false, "http")), - "confirm_url" => $confirm_url)) ?> -

- - diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php new file mode 100644 index 00000000..a8f1c5ca --- /dev/null +++ b/modules/user/controllers/password.php 
@@ -0,0 +1,133 @@ +_send_reset(); + } else { + print $this->_reset_form(); + } + } + + public function do_reset() { + if (request::method() == "post") { + $this->_change_password(); + } else { + $user = user::lookup_user_by_field("hash", Input::instance()->get("key")); + if (!empty($user)) { + print $this->_new_password_form($user->hash); + } else { + throw new Exception("@todo FORBIDDEN", 503); + } + } + } + + private function _send_reset() { + $form = $this->_reset_form(); + + $valid = $form->validate(); + if ($valid) { + $user = Identity::lookup_user_by_name($form->reset->inputs["name"]->value); + if (!$user->loaded || empty($user->email)) { + $form->reset->inputs["name"]->add_error("no_email", 1); + $valid = false; + } + } + + if ($valid) { + $user->hash = md5(rand()); + $user->save(); + $message = new View("reset_password.html"); + $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash"); + $message->user = $user; + + Sendmail::factory() + ->to($user->email) + ->subject(t("Password Reset Request")) + ->header("Mime-Version", "1.0") + ->header("Content-type", "text/html; charset=iso-8859-1") + ->message($message->render()) + ->send(); + + log::success( + "user", + t("Password reset email sent for user %name", array("name" => $user->name))); + } else { + // Don't include the username here until you're sure that it's XSS safe + log::warning( + "user", "Password reset email requested for bogus user"); + } + + message::success(t("Password reset email sent")); + print json_encode( + array("result" => "success")); + } + + private function _reset_form() { + $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); + $group = $form->group("reset")->label(t("Reset Password")); + $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); + $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); + $group->submit("")->value(t("Reset")); + + return $form; + } + + 
private function _new_password_form($hash=null) { + $template = new Theme_View("page.html", "reset"); + + $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); + $group = $form->group("reset")->label(t("Change Password")); + $hidden = $group->hidden("hash"); + if (!empty($hash)) { + $hidden->value($hash); + } + $group->password("password")->label(t("Password"))->id("g-password") + ->rules("required|length[1,40]"); + $group->password("password2")->label(t("Confirm Password"))->id("g-password2") + ->matches($group->password); + $group->inputs["password2"]->error_messages( + "mistyped", t("The password and the confirm password must match")); + $group->submit("")->value(t("Update")); + + $template->content = $form; + return $template; + } + + private function _change_password() { + $view = $this->_new_password_form(); + if ($view->content->validate()) { + $user = user::lookup_user_by_field("hash", Input::instance()->get("key")); + if (empty($user)) { + throw new Exception("@todo FORBIDDEN", 503); + } + + $user->password = $view->content->reset->password->value; + $user->hash = null; + $user->save(); + message::success(t("Password reset successfully")); + url::redirect(item::root()->abs_url()); + } else { + print $view; + } + } +} \ No newline at end of file diff --git a/modules/user/helpers/group.php b/modules/user/helpers/group.php index cf5c050f..8ad52564 100644 --- a/modules/user/helpers/group.php +++ b/modules/user/helpers/group.php @@ -42,14 +42,14 @@ class group_Core { * @see Identity_Driver::everbody. */ static function everybody() { - return Identity::instance()->everybody(); + return model_cache::get("group", 1); } /** * @see Identity_Driver::registered_users. */ static function registered_users() { - return Identity::instance()->everybody(); + return model_cache::get("group", 2); } /** diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php index fa7b320f..5ef2b726 100644 
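Review bot: The reset token in `_send_reset` is `md5(rand())`, so it comes from a non-cryptographic PRNG with a small seed space and is guessable; derive it from a CSPRNG instead, e.g. `$user->hash = bin2hex(random_bytes(16));` (`openssl_random_pseudo_bytes` on older PHP), and consider recording an issue time, since `$user->hash = null` in `_change_password` makes the token single-use but not time-limited. The user check is inconsistent: `_send_reset` tests `!$user->loaded`, while `do_reset` and `_change_password` test `empty($user)`; if `user::lookup_user_by_field` returns an unloaded ORM model rather than null (as the `->loaded` check suggests), `empty()` never fires and an unknown or empty `key` reaches the password form. `_new_password_form` writes the hash into a hidden `hash` field, but `_change_password` ignores it and reads `key` through `Input::instance()->get`, while the form posts to `password/do_reset` with no query string — one of the two carriers should go. `throw new Exception("@todo FORBIDDEN", 503)` maps a forbidden request to Service Unavailable where the rest of this series uses `access::forbidden()`, and `user::lookup_user_by_field` does not match the helper name the Gallery driver hunk below calls, `user::lookup_by_field`.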
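Review bot: `everybody()` and `registered_users()` now load groups by the bare ids `1` and `2`; give them names so the fixed rows (presumably created by the installer) are referenced in one place, e.g. `const EVERYBODY_ID = 1;` and `return model_cache::get("group", self::EVERYBODY_ID);`. The unchanged docblock above `everybody()` reads `@see Identity_Driver::everbody.` (typo), and now that this helper no longer delegates to the driver both `@see` lines point the wrong way; `* Return the built-in "everybody" group.` and the equivalent for registered users would fit better.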
--- a/modules/user/helpers/user.php +++ b/modules/user/helpers/user.php @@ -25,14 +25,21 @@ */ class user_Core { /** - * @see Identity_Driver::guest. + * Return the guest user. + * + * @return User_Model the user object */ static function guest() { return model_cache::get("user", 1); } /** - * @see Identity_Driver::create_user. + * Create a new user. + * + * @param string $name + * @param string $full_name + * @param string $password + * @return User_Definition the user object */ static function create($name, $full_name, $password) { $user = ORM::factory("user")->where("name", $name)->find(); @@ -53,7 +60,9 @@ class user_Core { } /** - * @see Identity_Driver::hash_password. + * Hash the password to the internal value + * @param string $password the user password + * @param string The hashed equivalent */ static function hash_password($password) { require_once(MODPATH . "user/lib/PasswordHash.php"); diff --git a/modules/user/libraries/drivers/Identity/Gallery.php b/modules/user/libraries/drivers/Identity/Gallery.php index 77db11a3..f405b710 100644 --- a/modules/user/libraries/drivers/Identity/Gallery.php +++ b/modules/user/libraries/drivers/Identity/Gallery.php @@ -25,14 +25,14 @@ class Identity_Gallery_Driver implements Identity_Driver { * @see Identity_Driver::guest. */ public function guest() { - return new Gallery_User(user::guest()); + return user::guest(); } /** * @see Identity_Driver::create_user. */ public function create_user($name, $full_name, $password) { - return new Gallery_User(user::create($name, $full_name, $password)); + return user::create($name, $full_name, $password); } /** 
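Review bot: The new `hash_password` docblock tags its return value as `@param string The hashed equivalent`; it should read `* @return string the hashed password`. `guest()` is documented as `@return User_Model` while `create()` says `@return User_Definition`; both return ORM users (the driver hunk below passes them straight through), so pick one, preferably `User_Definition` now that `User_Model` implements it. The `create` body continues past the hunk.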
@@ -67,122 +67,55 @@ class Identity_Gallery_Driver implements Identity_Driver { } /** - * @see Identity_Driver::hash_password. + * @see Identity_Driver::lookup_user. */ - public function hash_password($password) { - return user::hash_password($password); + public function lookup_user($id) { + return user::lookup_by_field("id", $id); } /** - * @see Identity_Driver::lookup_user_by_field. + * @see Identity_Driver::lookup_user_by_name. */ - public function lookup_user_by_field($field_name, $value) { - return new Gallery_User(user::lookup_by_field($field_name, $value)); + public function lookup_user_by_name($name) { + return user::lookup_by_field("name", $name); } /** * @see Identity_Driver::create_group. */ public function create_group($name) { - return new Gallery_Group(group::create($name)); + return group::create($name); } /** * @see Identity_Driver::everybody. */ public function everybody() { - return new Gallery_Group(group::everybody()); + return group::everybody(); } /** * @see Identity_Driver::registered_users. */ public function registered_users() { - return new Gallery_Group(group::registered_users()); + return group::registered_users(); } /** - * @see Identity_Driver::lookup_group_by_field. + * @see Identity_Driver::lookup_group_by_name. */ - public function lookup_group_by_field($field_name, $value) { - return new Gallery_Group(group::lookup_by_field($field_name, $value)); + static function lookup_group_by_name($name) { + return group::lookup_by_field("name", $name); } /** * @see Identity_Driver::get_user_list. 
*/ public function get_user_list($ids) { - $results = ORM::factory("user") + return ORM::factory("user") ->in("id", ids) ->find_all() - ->as_array();; - $users = array(); - foreach ($results as $user) { - $users[] = new Gallery_User($user); - } - return $users; + ->as_array(); } } // End Identity Gallery Driver -/** - * User Data wrapper - */ -class Gallery_User extends User_Definition { - /* - * Not for general user, allows the back-end to easily create the interface object - */ - function __construct($user) { - $this->user = $user; - } - - /** - * @see User_Definition::avatar_url - */ - public function avatar_url($size=80, $default=null) { - return $this->user->avatar_url($size, $default); - } - - /** - * @see User_Definition::display_name - */ - public function display_name() { - return $this->user->display_name(); - } - - public function save() { - $this->user->save(); - } - - public function delete() { - $this->user->delete(); - } - -} - -/** - * Group Data wrapper - */ -class Gallery_Group extends Group_Definition { - /* - * Not for general user, allows the back-end to easily create the interface object - */ - function __construct($group) { - $this->group = $group; - } - - public function save() { - $this->group->save(); - } - - public function delete() { - $this->group->delete(); - } - - public function add($user) { - $this->group->add($user->_uncloaked()); - } - - public function remove($user) { - $this->group->remove($user->_uncloaked()); - } -} diff --git a/modules/user/models/group.php b/modules/user/models/group.php index 8af78012..4432fc69 100644 --- a/modules/user/models/group.php +++ b/modules/user/models/group.php @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ -class Group_Model extends ORM { +class Group_Model extends ORM implements Group_Definition { protected $has_and_belongs_to_many = array("users"); var $rules = array( 
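Review bot: `lookup_group_by_name` is declared `static function` while every other driver method here is `public function` and the facade calls it as `self::instance()->driver->lookup_group_by_name($name)`; if `Identity_Driver` declares it as an instance method, PHP rejects a static implementation, so write `public function lookup_group_by_name($name) {`. `get_user_list` was rewritten but still passes the bare constant `ids` in `->in("id", ids)`; it should be `->in("id", $ids)`. Using `user::lookup_by_field` here while the new password controller calls `user::lookup_user_by_field` suggests one of the two names is wrong.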
diff --git a/modules/user/models/user.php b/modules/user/models/user.php index d99603b2..c51fc720 100644 --- a/modules/user/models/user.php +++ b/modules/user/models/user.php @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ -class User_Model extends ORM { +class User_Model extends ORM implements User_Definition { protected $has_and_belongs_to_many = array("groups"); var $rules = array( diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php index 7c54d93d..ee8d413c 100644 --- a/modules/user/views/admin_users.html.php +++ b/modules/user/views/admin_users.html.php @@ -91,7 +91,7 @@ open_text="" class="g-panel-link g-button ui-state-default ui-corner-all ui-icon-left"> - id != $user->id && !$user->guest): ?> + id != $user->id && !$user->guest): ?> id") ?>" class="g-dialog-link g-button ui-state-default ui-corner-all ui-icon-left"> diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php new file mode 100644 index 00000000..92ca4917 --- /dev/null +++ b/modules/user/views/reset_password.html.php @@ -0,0 +1,17 @@ + + + + <?= t("Password Reset Request") ?> + + +

+

+ $user->full_name ? $user->full_name : $user->name)) ?> +

+

+ %site_url. If you made this request, you can confirm it by clicking this link. If you didn't request this password reset, it's ok to ignore this mail.", + array("site_url" => html::mark_clean(url::base(false, "http")), + "confirm_url" => $confirm_url)) ?> +

+ + -- cgit v1.2.3 From 3c936d661a088fb43b47eb5b208958180e8f65eb Mon Sep 17 00:00:00 2001 
From: Tim Almdal Date: Thu, 22 Oct 2009 13:09:20 -0700 Subject: Change the name of identity library from Identity to IdentityProvider. Create a helper class called identity to simplify call the Identity Provider. Move the contents of MY_Session.php to the new helper class and remove the MY_Session class --- modules/akismet/tests/Akismet_Helper_Test.php | 2 +- modules/comment/controllers/comments.php | 8 +- modules/comment/helpers/comment.php | 2 +- modules/comment/models/comment.php | 2 +- modules/comment/tests/Comment_Event_Test.php | 2 +- modules/comment/tests/Comment_Helper_Test.php | 4 +- modules/comment/tests/Comment_Model_Test.php | 8 +- modules/digibug/controllers/digibug.php | 2 +- modules/digibug/tests/Digibug_Controller_Test.php | 4 +- modules/g2_import/helpers/g2_import.php | 16 +- modules/gallery/controllers/admin.php | 2 +- modules/gallery/controllers/admin_identity.php | 10 +- modules/gallery/controllers/albums.php | 4 +- modules/gallery/controllers/l10n_client.php | 4 +- modules/gallery/controllers/login.php | 8 +- modules/gallery/controllers/logout.php | 2 +- modules/gallery/controllers/permissions.php | 6 +- modules/gallery/controllers/upgrader.php | 4 +- modules/gallery/controllers/welcome_message.php | 4 +- modules/gallery/helpers/access.php | 4 +- modules/gallery/helpers/gallery.php | 2 +- modules/gallery/helpers/gallery_event.php | 10 +- modules/gallery/helpers/gallery_installer.php | 2 +- modules/gallery/helpers/gallery_theme.php | 2 +- modules/gallery/helpers/identity.php | 225 +++++++++++++++++++++ modules/gallery/helpers/item.php | 4 +- modules/gallery/helpers/locales.php | 2 +- modules/gallery/helpers/log.php | 2 +- modules/gallery/helpers/movie.php | 2 +- modules/gallery/helpers/photo.php | 2 +- modules/gallery/helpers/site_status.php | 2 +- modules/gallery/helpers/task.php | 2 +- modules/gallery/libraries/Admin_View.php | 4 +- modules/gallery/libraries/Identity.php | 222 -------------------- modules/gallery/libraries/IdentityProvider.php 
| 200 ++++++++++++++++++ modules/gallery/libraries/MY_Session.php | 93 --------- modules/gallery/libraries/Theme_View.php | 6 +- modules/gallery/libraries/drivers/Identity.php | 123 ----------- .../gallery/libraries/drivers/IdentityProvider.php | 123 +++++++++++ modules/gallery/models/item.php | 2 +- modules/gallery/models/log.php | 2 +- modules/gallery/models/task.php | 2 +- modules/gallery/tests/Access_Helper_Test.php | 144 ++++++------- modules/gallery/tests/Albums_Controller_Test.php | 4 +- modules/gallery/tests/Item_Helper_Test.php | 6 +- modules/gallery/tests/Photos_Controller_Test.php | 6 +- modules/gallery/views/kohana_error_page.php | 2 +- modules/gallery/views/login.html.php | 2 +- modules/gallery/views/login_ajax.html.php | 2 +- modules/notification/helpers/notification.php | 10 +- .../notification/helpers/notification_event.php | 2 +- modules/search/helpers/search.php | 4 +- modules/server_add/controllers/server_add.php | 4 +- modules/server_add/helpers/server_add_event.php | 2 +- modules/server_add/helpers/server_add_theme.php | 2 +- modules/user/controllers/admin_users.php | 6 +- modules/user/controllers/password.php | 2 +- modules/user/controllers/users.php | 4 +- modules/user/helpers/group.php | 18 +- .../user/libraries/drivers/Identity/Gallery.php | 150 -------------- .../libraries/drivers/IdentityProvider/Gallery.php | 150 ++++++++++++++ modules/user/views/admin_users.html.php | 2 +- 62 files changed, 885 insertions(+), 769 deletions(-) create mode 100644 modules/gallery/helpers/identity.php delete mode 100644 modules/gallery/libraries/Identity.php create mode 100644 modules/gallery/libraries/IdentityProvider.php delete mode 100644 modules/gallery/libraries/MY_Session.php delete mode 100644 modules/gallery/libraries/drivers/Identity.php create mode 100644 modules/gallery/libraries/drivers/IdentityProvider.php delete mode 100644 modules/user/libraries/drivers/Identity/Gallery.php create mode 100644 
modules/user/libraries/drivers/IdentityProvider/Gallery.php (limited to 'modules/user/controllers/password.php') diff --git a/modules/akismet/tests/Akismet_Helper_Test.php b/modules/akismet/tests/Akismet_Helper_Test.php index 6788e7a3..745b455c 100644 --- a/modules/akismet/tests/Akismet_Helper_Test.php +++ b/modules/akismet/tests/Akismet_Helper_Test.php @@ -26,7 +26,7 @@ class Akismet_Helper_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $this->_comment = comment::create( - $root, Identity::guest(), "This is a comment", + $root, identity::guest(), "This is a comment", "John Doe", "john@gallery2.org", "http://gallery2.org"); foreach ($this->_comment->list_fields("comments") as $name => $field) { if (strpos($name, "server_") === 0) { diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php index c0658cc1..09b9c607 100644 --- a/modules/comment/controllers/comments.php +++ b/modules/comment/controllers/comments.php @@ -65,7 +65,7 @@ class Comments_Controller extends REST_Controller { $form = comment::get_add_form($item); $valid = $form->validate(); if ($valid) { - if (Session::active_user()->guest && !$form->add_comment->inputs["name"]->value) { + if (identity::active_user()->guest && !$form->add_comment->inputs["name"]->value) { $form->add_comment->inputs["name"]->add_error("missing", 1); $valid = false; } @@ -78,13 +78,13 @@ class Comments_Controller extends REST_Controller { if ($valid) { $comment = comment::create( - $item, Session::active_user(), + $item, identity::active_user(), $form->add_comment->text->value, $form->add_comment->inputs["name"]->value, $form->add_comment->email->value, $form->add_comment->url->value); - $active = Session::active_user(); + $active = identity::active_user(); if ($active->guest) { $form->add_comment->inputs["name"]->value(""); $form->add_comment->email->value(""); 
@@ -192,7 +192,7 @@ class Comments_Controller extends REST_Controller { * @see REST_Controller::form_edit($resource) */ public function _form_edit($comment) { - if (!Session::active_user()->admin) { + if (!identity::active_user()->admin) { access::forbidden(); } print comment::get_edit_form($comment); diff --git a/modules/comment/helpers/comment.php b/modules/comment/helpers/comment.php index e741266d..53d58afa 100644 --- a/modules/comment/helpers/comment.php +++ b/modules/comment/helpers/comment.php @@ -75,7 +75,7 @@ class comment_Core { module::event("comment_add_form", $form); $group->submit("")->value(t("Add")); - $active = Session::active_user(); + $active = identity::active_user(); if (!$active->guest) { $group->inputs["name"]->value($active->full_name)->disabled("disabled"); $group->email->value($active->email)->disabled("disabled"); diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php index 5e29e778..bb9b8833 100644 --- a/modules/comment/models/comment.php +++ b/modules/comment/models/comment.php @@ -23,7 +23,7 @@ class Comment_Model extends ORM { } function author() { - return Identity::lookup_user($this->author_id); + return identity::lookup_user($this->author_id); } function author_name() { diff --git a/modules/comment/tests/Comment_Event_Test.php b/modules/comment/tests/Comment_Event_Test.php index eb301893..f650cabf 100644 --- a/modules/comment/tests/Comment_Event_Test.php +++ b/modules/comment/tests/Comment_Event_Test.php @@ -22,7 +22,7 @@ class Comment_Event_Test extends Unit_Test_Case { $rand = rand(); $album = album::create(ORM::factory("item", 1), "test_$rand", "test_$rand"); $comment = comment::create( - $album, Identity::guest(), "text_$rand", "name_$rand", "email_$rand", "url_$rand"); + $album, identity::guest(), "text_$rand", "name_$rand", "email_$rand", "url_$rand"); $album->delete(); 
diff --git a/modules/comment/tests/Comment_Helper_Test.php b/modules/comment/tests/Comment_Helper_Test.php index e8ab7c79..c635c3b7 100644 --- a/modules/comment/tests/Comment_Helper_Test.php +++ b/modules/comment/tests/Comment_Helper_Test.php @@ -48,7 +48,7 @@ class Comment_Helper_Test extends Unit_Test_Case { $rand = rand(); $root = ORM::factory("item", 1); $comment = comment::create( - $root, Identity::guest(), "text_$rand", "name_$rand", "email_$rand", "url_$rand"); + $root, identity::guest(), "text_$rand", "name_$rand", "email_$rand", "url_$rand"); $this->assert_equal("name_$rand", $comment->author_name()); $this->assert_equal("email_$rand", $comment->author_email()); @@ -77,7 +77,7 @@ class Comment_Helper_Test extends Unit_Test_Case { public function create_comment_for_user_test() { $rand = rand(); $root = ORM::factory("item", 1); - $admin = Identity::lookup_user(2); + $admin = identity::lookup_user(2); $comment = comment::create( $root, $admin, "text_$rand", "name_$rand", "email_$rand", "url_$rand"); diff --git a/modules/comment/tests/Comment_Model_Test.php b/modules/comment/tests/Comment_Model_Test.php index 84532a96..de19648d 100644 --- a/modules/comment/tests/Comment_Model_Test.php +++ b/modules/comment/tests/Comment_Model_Test.php 
@@ -22,17 +22,17 @@ class Comment_Model_Test extends Unit_Test_Case { public function cant_view_comments_for_unviewable_items_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); - $comment = comment::create($album, Identity::guest(), "text", "name", "email", "url"); - Session::set_active_user(Identity::guest()); + $comment = comment::create($album, identity::guest(), "text", "name", "email", "url"); + identity::set_active_user(identity::guest()); // We can see the comment when permissions are granted on the album - access::allow(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $album); $this->assert_equal( 1, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album - access::deny(Identity::everybody(), "view", $album); + access::deny(identity::everybody(), "view", $album); $this->assert_equal( 0, ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all()); diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php index 8ea83601..1bb2691b 100644 --- a/modules/digibug/controllers/digibug.php +++ b/modules/digibug/controllers/digibug.php @@ -23,7 +23,7 @@ class Digibug_Controller extends Controller { $item = ORM::factory("item", $id); access::required("view", $item); - if (access::group_can(Identity::everybody(), "view_full", $item)) { + if (access::group_can(identity::everybody(), "view_full", $item)) { $full_url = $item->file_url(true); $thumb_url = $item->thumb_url(true); } else { diff --git a/modules/digibug/tests/Digibug_Controller_Test.php b/modules/digibug/tests/Digibug_Controller_Test.php index 19f57972..a56d58bb 100644 --- a/modules/digibug/tests/Digibug_Controller_Test.php +++ b/modules/digibug/tests/Digibug_Controller_Test.php 
@@ -35,8 +35,8 @@ class Digibug_Controller_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $this->_album = album::create($root, rand(), "test album"); - access::deny(Identity::everybody(), "view_full", $this->_album); - access::deny(Identity::registered_users(), "view_full", $this->_album); + access::deny(identity::everybody(), "view_full", $this->_album); + access::deny(identity::registered_users(), "view_full", $this->_album); $rand = rand(); $this->_item = photo::create($this->_album, MODPATH . "gallery/tests/test.jpg", "$rand.jpg", diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php index d24aab93..f55e7f32 100644 --- a/modules/g2_import/helpers/g2_import.php +++ b/modules/g2_import/helpers/g2_import.php @@ -230,16 +230,16 @@ class g2_import_Core { switch ($g2_group->getGroupType()) { case GROUP_NORMAL: try { - $group = Identity::create_group($g2_group->getGroupName()); + $group = identity::create_group($g2_group->getGroupName()); } catch (Exception $e) { // @todo For now we assume this is a "duplicate group" exception - $group = Identity::lookup_user_by_name($g2_group->getGroupname()); + $group = identity::lookup_user_by_name($g2_group->getGroupname()); } $message = t("Group '%name' was imported", array("name" => $g2_group->getGroupname())); break; case GROUP_ALL_USERS: - $group = Identity::registered_users(); + $group = identity::registered_users(); $message = t("Group 'Registered' was converted to '%name'", array("name" => $group->name)); break; @@ -248,7 +248,7 @@ class g2_import_Core { break; // This is not a group in G3 case GROUP_EVERYBODY: - $group = Identity::everybody(); + $group = identity::everybody(); $message = t("Group 'Everybody' was converted to '%name'", array("name" => $group->name)); break; } 
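Review bot: In the `catch` branch for a duplicate group, `$group = identity::lookup_user_by_name($g2_group->getGroupname());` resolves a user by the group's name and stores it in `$group`; the rename preserved this. It should be `$group = identity::lookup_group_by_name($g2_group->getGroupname());`, assuming the group lookup kept its name on the new `identity` helper as it had on the old `Identity` facade. The `getGroupType()`/`getGroupName()`/`getGroupname()` casing is also mixed within the same switch. The function body continues beyond the hunk.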
@@ -270,7 +270,7 @@ class g2_import_Core { } if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) { - self::set_map($g2_user_id, Identity::guest()->id); + self::set_map($g2_user_id, identity::guest()->id); return t("Skipping Anonymous User"); } @@ -285,11 +285,11 @@ class g2_import_Core { $g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId())); try { - $user = Identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), ""); + $user = identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), ""); $message = t("Created user: '%name'.", array("name" => $user->name)); } catch (Exception $e) { // @todo For now we assume this is a "duplicate user" exception - $user = Identity::lookup_user_by_name($g2_user->getUsername()); + $user = identity::lookup_user_by_name($g2_user->getUsername()); $message = t("Loaded existing user: '%name'.", array("name" => $user->name)); } @@ -301,7 +301,7 @@ class g2_import_Core { $user->admin = true; $message .= t("\n\tAdded 'admin' flag to user"); } else { - $group = Identity::lookup_group(self::map($g2_group_id)); + $group = identity::lookup_group(self::map($g2_group_id)); $user->add($group); $message .= t("\n\tAdded user to group '%group'.", array("group" => $group->name)); } diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index 24eebe7d..98cac557 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -21,7 +21,7 @@ class Admin_Controller extends Controller { private $theme; public function __construct($theme=null) { - if (!(Session::active_user()->admin)) { + if (!(identity::active_user()->admin)) { access::forbidden(); } diff --git a/modules/gallery/controllers/admin_identity.php b/modules/gallery/controllers/admin_identity.php index 9d756a5c..d06132ff 100644 --- a/modules/gallery/controllers/admin_identity.php +++ b/modules/gallery/controllers/admin_identity.php 
@@ -21,7 +21,7 @@ class Admin_Identity_Controller extends Admin_Controller { public function index() { $view = new Admin_View("admin.html"); $view->content = new View("admin_identity.html"); - $view->content->available = Identity::providers(); + $view->content->available = identity::providers(); $view->content->active = module::get_var("gallery", "identity_provider", "user"); print $view; } @@ -39,7 +39,7 @@ class Admin_Identity_Controller extends Admin_Controller { access::verify_csrf(); $active_provider = module::get_var("gallery", "identity_provider", "user"); - $providers = Identity::providers(); + $providers = identity::providers(); $new_provider = $this->input->post("provider"); @@ -47,13 +47,13 @@ class Admin_Identity_Controller extends Admin_Controller { module::event("pre_identity_change", $active_provider, $new_provider); - Identity::deactivate(); + identity::deactivate(); // Switch authentication module::set_var("gallery", "identity_provider", $new_provider); - Identity::reset(); + identity::reset(); - Identity::activate(); + identity::activate(); // @todo this type of collation is questionable from an i18n perspective message::success(t("Changed to %description", diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index fabf67ce..24ceb0c9 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -111,7 +111,7 @@ class Albums_Controller extends Items_Controller { $this->input->post("name"), $this->input->post("title", $this->input->post("name")), $this->input->post("description"), - Session::active_user()->id, + identity::active_user()->id, $this->input->post("slug")); log::success("content", "Created an album", 
@@ -146,7 +146,7 @@ class Albums_Controller extends Items_Controller { $_FILES["file"]["name"], $this->input->post("title", $this->input->post("name")), $this->input->post("description"), - Session::active_user()->id); + identity::active_user()->id); log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo")); message::success(t("Added photo %photo_title", diff --git a/modules/gallery/controllers/l10n_client.php b/modules/gallery/controllers/l10n_client.php index 2ab73102..6db67d3b 100644 --- a/modules/gallery/controllers/l10n_client.php +++ b/modules/gallery/controllers/l10n_client.php @@ -20,7 +20,7 @@ class L10n_Client_Controller extends Controller { public function save() { access::verify_csrf(); - if (!Session::active_user()->admin) { + if (!identity::active_user()->admin) { access::forbidden(); } @@ -85,7 +85,7 @@ class L10n_Client_Controller extends Controller { public function toggle_l10n_mode() { access::verify_csrf(); - if (!Session::active_user()->admin) { + if (!identity::active_user()->admin) { access::forbidden(); } diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php index 4c83d647..86e2b0a4 100644 --- a/modules/gallery/controllers/login.php +++ b/modules/gallery/controllers/login.php @@ -58,8 +58,8 @@ class Login_Controller extends Controller { $form = login::get_login_form($url); $valid = $form->validate(); if ($valid) { - $user = Identity::lookup_user_by_name($form->login->inputs["name"]->value); - if (empty($user) || !Identity::is_correct_password($user, $form->login->password->value)) { + $user = identity::lookup_user_by_name($form->login->inputs["name"]->value); + if (empty($user) || !identity::is_correct_password($user, $form->login->password->value)) { log::warning( "user", t("Failed login for %name", 
@@ -70,12 +70,12 @@ class Login_Controller extends Controller { } if ($valid) { - if (Identity::is_writable()) { + if (identity::is_writable()) { $user->login_count += 1; $user->last_login = time(); $user->save(); } - Session::set_active_user($user); + identity::set_active_user($user); log::info("user", t("User %name logged in", array("name" => $user->name))); } diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index 058860fa..1b0364fd 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -19,7 +19,7 @@ */ class Logout_Controller extends Controller { public function index() { - $user = Session::active_user(); + $user = identity::active_user(); if (!$user->guest) { try { Session::instance()->destroy(); diff --git a/modules/gallery/controllers/permissions.php b/modules/gallery/controllers/permissions.php index 58c5b816..99943fbb 100644 --- a/modules/gallery/controllers/permissions.php +++ b/modules/gallery/controllers/permissions.php @@ -51,7 +51,7 @@ class Permissions_Controller extends Controller { function change($command, $group_id, $perm_id, $item_id) { access::verify_csrf(); - $group = Identity::lookup_group($group_id); + $group = identity::lookup_group($group_id); $perm = ORM::factory("permission", $perm_id); $item = ORM::factory("item", $item_id); access::required("view", $item); @@ -74,7 +74,7 @@ class Permissions_Controller extends Controller { // If the active user just took away their own edit permissions, give it back. if ($perm->name == "edit") { - if (!access::user_can(Session::active_user(), "edit", $item)) { + if (!access::user_can(identity::active_user(), "edit", $item)) { access::allow($group, $perm->name, $item); } } 
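Review bot: identity::set_active_user($user) stores the freshly authenticated principal into the existing session without regenerating the session id, so an id issued before authentication remains valid across the privilege change (the standard session-fixation mitigation is to rotate it at login). The helper is new in this commit, so it is a natural place to fix this: call `Session::instance()->regenerate();` before `$session->set("user", $user);` in identity::set_active_user, or do it here immediately before the set_active_user call. The removed Session::set_active_user behaved the same way, so this is pre-existing rather than introduced here; the enclosing auth method continues outside the hunk.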
@@ -84,7 +84,7 @@ class Permissions_Controller extends Controller { private function _get_form($item) { $view = new View("permissions_form.html"); $view->item = $item; - $view->groups = Identity::groups(); + $view->groups = identity::groups(); $view->permissions = ORM::factory("permission")->find_all(); return $view; } diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php index e0c5d340..1aa607ef 100644 --- a/modules/gallery/controllers/upgrader.php +++ b/modules/gallery/controllers/upgrader.php @@ -40,7 +40,7 @@ class Upgrader_Controller extends Controller { } $view = new View("upgrader.html"); - $view->can_upgrade = Session::active_user()->admin || $session->get("can_upgrade"); + $view->can_upgrade = identity::active_user()->admin || $session->get("can_upgrade"); $view->upgrade_token = $upgrade_token; $view->available = module::available(); $view->done = ($available_upgrades == 0); @@ -52,7 +52,7 @@ class Upgrader_Controller extends Controller { // @todo this may screw up some module installers, but we don't have a better answer at // this time. $_SERVER["HTTP_HOST"] = "example.com"; - } else if (!Session::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { + } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { access::forbidden(); } diff --git a/modules/gallery/controllers/welcome_message.php b/modules/gallery/controllers/welcome_message.php index cfdc3976..af0d6997 100644 --- a/modules/gallery/controllers/welcome_message.php +++ b/modules/gallery/controllers/welcome_message.php @@ -19,12 +19,12 @@ */ class Welcome_Message_Controller extends Controller { public function index() { - if (!Session::active_user()->admin) { + if (!identity::active_user()->admin) { url::redirect(item::root()->abs_url()); } $v = new View("welcome_message.html"); - $v->user = Session::active_user(); + $v->user = identity::active_user(); print $v; } } 
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php index 4e7491e3..a3abbe2e 100644 --- a/modules/gallery/helpers/access.php +++ b/modules/gallery/helpers/access.php @@ -79,7 +79,7 @@ class access_Core { * @return boolean */ static function can($perm_name, $item) { - return self::user_can(Session::active_user(), $perm_name, $item); + return self::user_can(identity::active_user(), $perm_name, $item); } /** @@ -423,7 +423,7 @@ class access_Core { // This is ok at packaging time, so work around it. $config = module::get_var("gallery", "identity_provider"); if (!empty($config)) { - return Identity::groups(); + return identity::groups(); } else { return array(); } diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php index 18bb2609..84f8a7fb 100644 --- a/modules/gallery/helpers/gallery.php +++ b/modules/gallery/helpers/gallery.php @@ -27,7 +27,7 @@ class gallery_Core { static function maintenance_mode() { $maintenance_mode = Kohana::config("core.maintenance_mode", false, false); - if (Router::$controller != "login" && !empty($maintenance_mode) && !Session::active_user()->admin) { + if (Router::$controller != "login" && !empty($maintenance_mode) && !identity::active_user()->admin) { Router::$controller = "maintenance"; Router::$controller_path = MODPATH . "gallery/controllers/maintenance.php"; Router::$method = "index"; diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 95be4813..b6afa2c8 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php 
@@ -23,11 +23,7 @@ class gallery_event_Core { * Initialization. */ static function gallery_ready() { - // Call Identity::instance() now to force the load of the user interface classes. - // Session::load_user will attempt to load the active user from the session and needs - // the user definition class, which can't be reached by Kohana's heiracrchical lookup. - Identity::instance(); - Session::load_user(); + identity::load_user(); locales::set_request_locale(); } @@ -139,7 +135,7 @@ class gallery_event_Core { } } - if (Session::active_user()->admin) { + if (identity::active_user()->admin) { $menu->append($admin_menu = Menu::factory("submenu") ->id("admin_menu") ->label(t("Admin"))); @@ -191,7 +187,7 @@ class gallery_event_Core { ->id("sidebar") ->label(t("Manage Sidebar")) ->url(url::site("admin/sidebar")))); - if (count(Identity::providers()) > 1) { + if (count(identity::providers()) > 1) { $menu ->append(Menu::factory("submenu") ->id("identity_menu") diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index 10e796fd..9c19eaed 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -317,7 +317,7 @@ class gallery_installer { } if ($version == 7) { - $groups = Identity::groups(); + $groups = identity::groups(); $permissions = ORM::factory("permission")->find_all(); foreach($groups as $group) { foreach($permissions as $permission) { diff --git a/modules/gallery/helpers/gallery_theme.php b/modules/gallery/helpers/gallery_theme.php index d21cb124..5f3eb2a9 100644 --- a/modules/gallery/helpers/gallery_theme.php +++ b/modules/gallery/helpers/gallery_theme.php @@ -54,7 +54,7 @@ class gallery_theme_Core { static function header_top($theme) { if ($theme->page_type != "login") { $view = new View("login.html"); - $view->user = Session::active_user(); + $view->user = identity::active_user(); return $view->render(); } } 
diff --git a/modules/gallery/helpers/identity.php b/modules/gallery/helpers/identity.php
new file mode 100644
index 00000000..cf84c8a9
--- /dev/null
+++ b/modules/gallery/helpers/identity.php
@@ -0,0 +1,225 @@ + $module) { + if (file_exists(MODPATH . "{$module_name}/config/identity.php")) { + $drivers->$module_name = $module->description; + } + } + self::$available = $drivers; + } + return self::$available; + } + + /** + * Make sure that we have a session and group_ids cached in the session. + */ + static function load_user() { + //try { + // Call IdentityProvider::instance() now to force the load of the user interface classes. + // We are about to load the active user from the session and which needs the user definition + // class, which can't be reached by Kohana's heiracrchical lookup. + IdentityProvider::instance(); + + $session = Session::instance(); + if (!($user = $session->get("user"))) { + self::set_active_user($user = self::guest()); + } + + // The installer cannot set a user into the session, so it just sets an id which we should + // upconvert into a user. + // @todo set the user name into the session instead of 2 and then use it to get the user object + if ($user === 2) { + $user = IdentityProvider::instance()->lookup_user_by_name("admin"); + self::set_active_user($user); + $session->set("user", $user); + } + + if (!$session->get("group_ids")) { + $ids = array(); + foreach ($user->groups as $group) { + $ids[] = $group->id; + } + $session->set("group_ids", $ids); + } + //} catch (Exception $e) { + //try { + //Session::instance()->destroy(); + //} catch (Exception $e) { + // We don't care if there was a problem destroying the session. + //} + //url::redirect(item::root()->abs_url()); + //} + } + + /** + * Return the array of group ids this user belongs to + * + * @return array + */ + static function group_ids_for_active_user() { + return Session::instance()->get("group_ids", array(1)); + } + + /** + * Return the active user. If there's no active user, return the guest user. + * + * @return User_Definition + */ + static function active_user() { + // @todo (maybe) cache this object so we're not always doing session lookups. 
+ $user = Session::instance()->get("user", null); + if (!isset($user)) { + // Don't do this as a fallback in the Session::get() call because it can trigger unnecessary + // work. + $user = identity::guest(); + } + return $user; + } + + /** + * Change the active user. + * @param User_Definition $user + */ + static function set_active_user($user) { + $session = Session::instance(); + $session->set("user", $user); + $session->delete("group_ids"); + self::load_user(); + } + + /** + * Determine if if the current driver supports updates. + * + * @return boolean true if the driver supports updates; false if read only + */ + static function is_writable() { + return IdentityProvider::instance()->is_writable(); + } + + /** + * @see IdentityProvider_Driver::activate. + */ + static function activate() { + IdentityProvider::instance()->activate(); + } + + /** + * @see IdentityProvider_Driver::deactivate. + */ + static function deactivate() { + IdentityProvider::instance()->deactivate(); + } + + /** + * @see IdentityProvider_Driver::guest. + */ + static function guest() { + return IdentityProvider::instance()->guest(); + } + + /** + * @see IdentityProvider_Driver::create_user. + */ + static function create_user($name, $full_name, $password) { + return IdentityProvider::instance()->create_user($name, $full_name, $password); + } + + /** + * @see IdentityProvider_Driver::is_correct_password. + */ + static function is_correct_password($user, $password) { + return IdentityProvider::instance()->is_correct_password($user, $password); + } + + /** + * @see IdentityProvider_Driver::lookup_user. + */ + static function lookup_user($id) { + return IdentityProvider::instance()->lookup_user($id); + } + + /** + * @see IdentityProvider_Driver::lookup_user_by_name. + */ + static function lookup_user_by_name($name) { + return IdentityProvider::instance()->lookup_user_by_name($name); + } + + /** + * @see IdentityProvider_Driver::create_group. 
+ */ + static function create_group($name) { + return IdentityProvider::instance()->create_group($name); + } + + /** + * @see IdentityProvider_Driver::everybody. + */ + static function everybody() { + return IdentityProvider::instance()->everybody(); + } + + /** + * @see IdentityProvider_Driver::registered_users. + */ + static function registered_users() { + return IdentityProvider::instance()->everybody(); + } + + /** + * @see IdentityProvider_Driver::lookup_group. + */ + static function lookup_group($id) { + return IdentityProvider::instance()->lookup_group($id); + } + + /** + * @see IdentityProvider_Driver::lookup_group_by_name. + */ + static function lookup_group_by_name($name) { + return IdentityProvider::instance()->lookup_group_by_name($name); + } + + /** + * @see IdentityProvider_Driver::get_user_list. + */ + static function get_user_list($ids) { + return IdentityProvider::instance()->get_user_list($ids); + } + + /** + * @see IdentityProvider_Driver::groups. + */ + static function groups() { + return IdentityProvider::instance()->groups(); + } +} \ No newline at end of file diff --git a/modules/gallery/helpers/item.php b/modules/gallery/helpers/item.php index 3d36a324..b3b6d0bb 100644 --- a/modules/gallery/helpers/item.php +++ b/modules/gallery/helpers/item.php @@ -158,8 +158,8 @@ class item_Core { */ static function viewable($model) { $view_restrictions = array(); - if (!Session::active_user()->admin) { - foreach (Session::group_ids_for_active_user() as $id) { + if (!identity::active_user()->admin) { + foreach (identity::group_ids_for_active_user() as $id) { // Separate the first restriction from the rest to make it easier for us to formulate // our where clause below if (empty($view_restrictions)) { diff --git a/modules/gallery/helpers/locales.php b/modules/gallery/helpers/locales.php index f80fce03..c2a606cd 100644 --- a/modules/gallery/helpers/locales.php +++ b/modules/gallery/helpers/locales.php 
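Review bot: load_user() ships with its try/catch commented out, so an exception thrown while the active user is restored from the session (IdentityProvider::instance(), or the lookup_user_by_name("admin") call for the installer's id 2) now propagates out of gallery_ready() instead of destroying the session and redirecting as the removed MY_Session::load_user did; either restore the handler or delete the commented-out block rather than leaving dead code in the new file. registered_users() returns IdentityProvider::instance()->everybody(), which silently collapses the registered-users group into the everybody group for any caller that grants, denies or checks by that group, so an allow intended for registered users would apply to guests; the same copy-paste is in the new IdentityProvider.php hunk, where the body should presumably be `return $this->driver->registered_users();`. The @see tag on this helper names IdentityProvider_Driver::registered_users, so `return IdentityProvider::instance()->registered_users();` looks like the intended body, assuming the driver interface (not visible in this view) defines it. Note also that the guest path calls self::set_active_user(), which itself calls load_user() again; it terminates because the session then holds a user, but the remainder of the first invocation re-runs the id-2 and group_ids logic redundantly.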
@@ -141,7 +141,7 @@ class locales_Core { $locale = self::cookie_locale(); // 2. Check the user's preference if (!$locale) { - $locale = Session::active_user()->locale; + $locale = identity::active_user()->locale; } // 3. Check the browser's / OS' preference if (!$locale) { diff --git a/modules/gallery/helpers/log.php b/modules/gallery/helpers/log.php index d1b34e3a..184b0b97 100644 --- a/modules/gallery/helpers/log.php +++ b/modules/gallery/helpers/log.php @@ -80,7 +80,7 @@ class log_Core { $log->url = substr(url::abs_current(true), 0, 255); $log->referer = request::referrer(null); $log->timestamp = time(); - $log->user_id = Session::active_user()->id; + $log->user_id = identity::active_user()->id; $log->save(); } diff --git a/modules/gallery/helpers/movie.php b/modules/gallery/helpers/movie.php index 9541f20e..6dac0803 100644 --- a/modules/gallery/helpers/movie.php +++ b/modules/gallery/helpers/movie.php @@ -77,7 +77,7 @@ class movie_Core { $movie->title = $title; $movie->description = $description; $movie->name = $name; - $movie->owner_id = $owner_id ? $owner_id : Session::active_user()->id; + $movie->owner_id = $owner_id ? $owner_id : identity::active_user()->id; $movie->width = $movie_info[0]; $movie->height = $movie_info[1]; $movie->mime_type = strtolower($pi["extension"]) == "mp4" ? "video/mp4" : "video/x-flv"; diff --git a/modules/gallery/helpers/photo.php b/modules/gallery/helpers/photo.php index 193293e8..01cf5278 100644 --- a/modules/gallery/helpers/photo.php +++ b/modules/gallery/helpers/photo.php @@ -76,7 +76,7 @@ class photo_Core { $photo->title = $title; $photo->description = $description; $photo->name = $name; - $photo->owner_id = $owner_id ? $owner_id : Session::active_user()->id; + $photo->owner_id = $owner_id ? $owner_id : identity::active_user()->id; $photo->width = $image_info[0]; $photo->height = $image_info[1]; $photo->mime_type = empty($image_info['mime']) ? "application/unknown" : $image_info['mime']; 
diff --git a/modules/gallery/helpers/site_status.php b/modules/gallery/helpers/site_status.php index 06b29fda..2b090776 100644 --- a/modules/gallery/helpers/site_status.php +++ b/modules/gallery/helpers/site_status.php @@ -95,7 +95,7 @@ class site_status_Core { * @return html text */ static function get() { - if (!Session::active_user()->admin) { + if (!identity::active_user()->admin) { return; } $buf = array(); diff --git a/modules/gallery/helpers/task.php b/modules/gallery/helpers/task.php index f84fd10e..dac5f9d3 100644 --- a/modules/gallery/helpers/task.php +++ b/modules/gallery/helpers/task.php @@ -42,7 +42,7 @@ class task_Core { $task->percent_complete = 0; $task->status = ""; $task->state = "started"; - $task->owner_id = Session::active_user()->id; + $task->owner_id = identity::active_user()->id; $task->context = serialize($context); $task->save(); diff --git a/modules/gallery/libraries/Admin_View.php b/modules/gallery/libraries/Admin_View.php index 74a08c77..6eedec0d 100644 --- a/modules/gallery/libraries/Admin_View.php +++ b/modules/gallery/libraries/Admin_View.php @@ -36,12 +36,12 @@ class Admin_View_Core extends Gallery_View { parent::__construct($name); $this->theme_name = module::get_var("gallery", "active_admin_theme"); - if (Session::active_user()->admin) { + if (identity::active_user()->admin) { $this->theme_name = Input::instance()->get("theme", $this->theme_name); } $this->sidebar = ""; $this->set_global("theme", $this); - $this->set_global("user", Session::active_user()); + $this->set_global("user", identity::active_user()); } public function admin_menu() { diff --git a/modules/gallery/libraries/Identity.php b/modules/gallery/libraries/Identity.php deleted file mode 100644 index 1dd5d23b..00000000 --- a/modules/gallery/libraries/Identity.php +++ /dev/null 
@@ -1,222 +0,0 @@ -config = Kohana::config("identity.".$config)) === NULL) { - throw new Exception("@todo NO USER LIBRARY CONFIGURATION FOR: $config"); - } - - // Set driver name - $driver = "Identity_".ucfirst($this->config["driver"])."_Driver"; - - // Load the driver - if ( ! Kohana::auto_load($driver)) { - throw new Kohana_Exception("core.driver_not_found", $this->config["driver"], - get_class($this)); - } - - // Initialize the driver - $this->driver = new $driver($this->config["params"]); - - // Validate the driver - if ( !($this->driver instanceof Identity_Driver)) { - throw new Kohana_Exception("core.driver_implements", $this->config["driver"], - get_class($this), "Identity_Driver"); - } - - Kohana::log("debug", "Identity Library initialized"); - } - - /** - * Return a list of installed Identity Drivers. - * - * @return boolean true if the driver supports updates; false if read only - */ - static function providers() { - if (empty(self::$active)) { - $drivers = new ArrayObject(array(), ArrayObject::ARRAY_AS_PROPS); - foreach (module::active() as $module) { - $module_name = $module->name; - if (file_exists(MODPATH . "{$module->name}/config/identity.php") && - ($info = module::info($module_name))) { - $drivers->$module_name = $info->description; - } - } - self::$active = $drivers; - } - return self::$active; - } - - /** - * @see Identity_Driver::activate. - */ - static function activate() { - self::instance()->driver->activate(); - } - - /** - * @see Identity_Driver::deactivate. - */ - static function deactivate() { - self::instance()->driver->deactivate(); - } - - /** - * Determine if if the current driver supports updates. - * - * @return boolean true if the driver supports updates; false if read only - */ - static function is_writable() { - return !empty(self::instance()->config["allow_updates"]); - } - - /** - * @see Identity_Driver::guest. 
- */ - static function guest() { - return self::instance()->driver->guest(); - } - - /** - * @see Identity_Driver::create_user. - */ - static function create_user($name, $full_name, $password) { - return self::instance()->driver->create_user($name, $full_name, $password); - } - - /** - * @see Identity_Driver::is_correct_password. - */ - static function is_correct_password($user, $password) { - return self::instance()->driver->is_correct_password($user, $password); - } - - /** - * @see Identity_Driver::lookup_user. - */ - static function lookup_user($id) { - return self::instance()->driver->lookup_user($id); - } - - /** - * @see Identity_Driver::lookup_user_by_name. - */ - static function lookup_user_by_name($name) { - return self::instance()->driver->lookup_user_by_name($name); - } - - /** - * @see Identity_Driver::create_group. - */ - static function create_group($name) { - return self::instance()->driver->create_group($name); - } - - /** - * @see Identity_Driver::everybody. - */ - static function everybody() { - return self::instance()->driver->everybody(); - } - - /** - * @see Identity_Driver::registered_users. - */ - static function registered_users() { - return self::instance()->driver->everybody(); - } - - /** - * @see Identity_Driver::lookup_group. - */ - static function lookup_group($id) { - return self::instance()->driver->lookup_group($id); - } - - /** - * @see Identity_Driver::lookup_group_by_name. - */ - static function lookup_group_by_name($name) { - return self::instance()->driver->lookup_group_by_name($name); - } - - /** - * @see Identity_Driver::get_user_list. - */ - static function get_user_list($ids) { - return self::instance()->driver->get_user_list($ids); - } - - /** - * @see Identity_Driver::groups. - */ - static function groups() { - return self::instance()->driver->groups(); - } -} // End Identity 
diff --git a/modules/gallery/libraries/IdentityProvider.php b/modules/gallery/libraries/IdentityProvider.php
new file mode 100644
index 00000000..512f28eb
--- /dev/null
+++ b/modules/gallery/libraries/IdentityProvider.php
@@ -0,0 +1,200 @@ +config = Kohana::config("identity.".$config)) === NULL) { + throw new Exception("@todo NO USER LIBRARY CONFIGURATION FOR: $config"); + } + + // Set driver name + $driver = "IdentityProvider_".ucfirst($this->config["driver"])."_Driver"; + + // Load the driver + if ( ! Kohana::auto_load($driver)) { + throw new Kohana_Exception("core.driver_not_found", $this->config["driver"], + get_class($this)); + } + + // Initialize the driver + $this->driver = new $driver($this->config["params"]); + + // Validate the driver + if ( !($this->driver instanceof IdentityProvider_Driver)) { + throw new Kohana_Exception("core.driver_implements", $this->config["driver"], + get_class($this), "IdentityProvider_Driver"); + } + + Kohana::log("debug", "Identity Library initialized"); + } + + /** + * Determine if if the current driver supports updates. + * + * @return boolean true if the driver supports updates; false if read only + */ + public function is_writable() { + return !empty($this->config["allow_updates"]); + } + + /** + * @see IdentityProvider_Driver::activate. + */ + public function activate() { + $this->driver->activate(); + } + + /** + * @see IdentityProvider_Driver::deactivate. + */ + public function deactivate() { + $this->driver->deactivate(); + } + + /** + * @see IdentityProvider_Driver::guest. + */ + public function guest() { + return $this->driver->guest(); + } + + /** + * @see IdentityProvider_Driver::create_user. + */ + public function create_user($name, $full_name, $password) { + return $this->driver->create_user($name, $full_name, $password); + } + + /** + * @see IdentityProvider_Driver::is_correct_password. + */ + public function is_correct_password($user, $password) { + return $this->driver->is_correct_password($user, $password); + } + + /** + * @see IdentityProvider_Driver::lookup_user. + */ + public function lookup_user($id) { + return $this->driver->lookup_user($id); + } + + /** + * @see IdentityProvider_Driver::lookup_user_by_name. 
+ */ + public function lookup_user_by_name($name) { + return $this->driver->lookup_user_by_name($name); + } + + /** + * @see IdentityProvider_Driver::create_group. + */ + public function create_group($name) { + return $this->driver->create_group($name); + } + + /** + * @see IdentityProvider_Driver::everybody. + */ + public function everybody() { + return $this->driver->everybody(); + } + + /** + * @see IdentityProvider_Driver::registered_users. + */ + public function registered_users() { + return $this->driver->everybody(); + } + + /** + * @see IdentityProvider_Driver::lookup_group. + */ + public function lookup_group($id) { + return $this->driver->lookup_group($id); + } + + /** + * @see IdentityProvider_Driver::lookup_group_by_name. + */ + public function lookup_group_by_name($name) { + return $this->driver->lookup_group_by_name($name); + } + + /** + * @see IdentityProvider_Driver::get_user_list. + */ + public function get_user_list($ids) { + return $this->driver->get_user_list($ids); + } + + /** + * @see IdentityProvider_Driver::groups. + */ + public function groups() { + return $this->driver->groups(); + } +} // End Identity diff --git a/modules/gallery/libraries/MY_Session.php b/modules/gallery/libraries/MY_Session.php deleted file mode 100644 index 1a3ae801..00000000 --- a/modules/gallery/libraries/MY_Session.php +++ /dev/null 
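Review bot: The closing comment `} // End Identity` on the new class is stale now that the class is IdentityProvider; it should read `} // End IdentityProvider`, and the debug log text "Identity Library initialized" in the constructor could be updated to match. The registered_users() method here delegates to everybody() rather than the driver's registered_users(); that defect is raised on the identity.php hunk, which inherits it. The start of this hunk is garbled in this view, so the instance() factory and the top of the constructor could not be reviewed.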
@@ -1,93 +0,0 @@ -get("user"))) { - $session->set("user", $user = Identity::guest()); - } - - // The installer cannot set a user into the session, so it just sets an id which we should - // upconvert into a user. - // @todo set the user name into the session instead of 2 and then use it to get the user object - if ($user === 2) { - $user = Instance::lookup_user_by_name("admin"); - self::set_active_user($user); - $session->set("user", $user); - } - - if (!$session->get("group_ids")) { - $ids = array(); - foreach ($user->groups as $group) { - $ids[] = $group->id; - } - $session->set("group_ids", $ids); - } - } catch (Exception $e) { - try { - Session::instance()->destroy(); - } catch (Exception $e) { - // We don't care if there was a problem destroying the session. - } - url::redirect(item::root()->abs_url()); - } - } - - /** - * Return the array of group ids this user belongs to - * - * @return array - */ - static function group_ids_for_active_user() { - return self::instance()->get("group_ids", array(1)); - } - - /** - * Return the active user. If there's no active user, return the guest user. - * - * @return User_Definition - */ - static function active_user() { - // @todo (maybe) cache this object so we're not always doing session lookups. - $user = self::instance()->get("user", null); - if (!isset($user)) { - // Don't do this as a fallback in the Session::get() call because it can trigger unnecessary - // work. - $user = Identity::guest(); - } - return $user; - } - - /** - * Change the active user. - * @param User_Definition $user - */ - static function set_active_user($user) { - $session = Session::instance(); - $session->set("user", $user); - $session->delete("group_ids"); - self::load_user(); - } -} \ No newline at end of file diff --git a/modules/gallery/libraries/Theme_View.php b/modules/gallery/libraries/Theme_View.php index 2fdc7531..68ec325f 100644 --- a/modules/gallery/libraries/Theme_View.php +++ b/modules/gallery/libraries/Theme_View.php 
@@ -37,13 +37,13 @@ class Theme_View_Core extends Gallery_View { parent::__construct($name); $this->theme_name = module::get_var("gallery", "active_site_theme"); - if (Session::active_user()->admin) { + if (identity::active_user()->admin) { $this->theme_name = Input::instance()->get("theme", $this->theme_name); } $this->item = null; $this->tag = null; $this->set_global("theme", $this); - $this->set_global("user", Session::active_user()); + $this->set_global("user", identity::active_user()); $this->set_global("page_type", $page_type); $this->set_global("page_title", null); if ($page_type == "album") { @@ -158,7 +158,7 @@ class Theme_View_Core extends Gallery_View { */ public function sidebar_blocks() { $sidebar = block_manager::get_html("site.sidebar", $this); - if (empty($sidebar) && Session::active_user()->admin) { + if (empty($sidebar) && identity::active_user()->admin) { $sidebar = new View("no_sidebar.html"); } return $sidebar; diff --git a/modules/gallery/libraries/drivers/Identity.php b/modules/gallery/libraries/drivers/Identity.php deleted file mode 100644 index 39b2a9c7..00000000 --- a/modules/gallery/libraries/drivers/Identity.php +++ /dev/null @@ -1,123 +0,0 @@ -owner_id); + return identity::lookup_user($this->owner_id); } catch (Exception $e) { return null; } diff --git a/modules/gallery/models/log.php b/modules/gallery/models/log.php index 1d639857..4f6b8c4b 100644 --- a/modules/gallery/models/log.php +++ b/modules/gallery/models/log.php @@ -26,7 +26,7 @@ class Log_Model extends ORM { // This relationship depends on an outside module, which may not be present so handle // failures gracefully. try { - return Identity::lookup_user($this->user_id); + return identity::lookup_user($this->user_id); } catch (Exception $e) { return null; } diff --git a/modules/gallery/models/task.php b/modules/gallery/models/task.php index 548e5f9c..f40be492 100644 --- a/modules/gallery/models/task.php +++ b/modules/gallery/models/task.php 
@@ -46,7 +46,7 @@ class Task_Model extends ORM { } public function owner() { - return Identity::lookup_user($this->owner_id); + return identity::lookup_user($this->owner_id); } /** diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php index dac431a7..e9e5cb26 100644 --- a/modules/gallery/tests/Access_Helper_Test.php +++ b/modules/gallery/tests/Access_Helper_Test.php @@ -22,7 +22,7 @@ class Access_Helper_Test extends Unit_Test_Case { public function teardown() { try { - $group = Identity::lookup_group_by_name("access_test"); + $group = identity::lookup_group_by_name("access_test"); if (!empty($group)) { $group->delete(); } @@ -33,7 +33,7 @@ class Access_Helper_Test extends Unit_Test_Case { } catch (Exception $e) { } try { - $user = Identity::lookup_user_by_name("access_test"); + $user = identity::lookup_user_by_name("access_test"); if (!empty($user)) { $user->delete(); } @@ -41,16 +41,16 @@ class Access_Helper_Test extends Unit_Test_Case { // Reset some permissions that we mangle below $root = ORM::factory("item", 1); - access::allow(Identity::everybody(), "view", $root); + access::allow(identity::everybody(), "view", $root); } public function setup() { - Session::set_active_user(Identity::guest()); + identity::set_active_user(identity::guest()); } public function groups_and_permissions_are_bound_to_columns_test() { access::register_permission("access_test", "Access Test"); - $group = Identity::create_group("access_test"); + $group = identity::create_group("access_test"); // We have a new column for this perm / group combo $fields = Database::instance()->list_fields("access_caches"); 
@@ -65,17 +65,17 @@ class Access_Helper_Test extends Unit_Test_Case { } public function user_can_access_test() { - $access_test = Identity::create_group("access_test"); + $access_test = identity::create_group("access_test"); $root = ORM::factory("item", 1); access::allow($access_test, "view", $root); $item = album::create($root, rand(), "test album"); - access::deny(Identity::everybody(), "view", $item); - access::deny(Identity::registered_users(), "view", $item); + access::deny(identity::everybody(), "view", $item); + access::deny(identity::registered_users(), "view", $item); - $user = Identity::create_user("access_test", "Access Test", ""); + $user = identity::create_user("access_test", "Access Test", ""); foreach ($user->groups as $group) { $user->remove($group); } @@ -89,10 +89,10 @@ class Access_Helper_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $item = album::create($root, rand(), "test album"); - access::deny(Identity::everybody(), "view", $item); - access::deny(Identity::registered_users(), "view", $item); + access::deny(identity::everybody(), "view", $item); + access::deny(identity::registered_users(), "view", $item); - $user = Identity::create_user("access_test", "Access Test", ""); + $user = identity::create_user("access_test", "Access Test", ""); foreach ($user->groups as $group) { $user->remove($group); } @@ -121,11 +121,11 @@ class Access_Helper_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $album = album::create($root, rand(), "test album"); - access::allow(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $album); $photo = photo::create($album, MODPATH . "gallery/images/gallery.png", "", ""); - $this->assert_true($photo->__get("view_" . Identity::everybody()->id)); + $this->assert_true($photo->__get("view_" . identity::everybody()->id)); } public function can_allow_deny_and_reset_intent_test() { 
@@ -134,23 +134,23 @@ class Access_Helper_Test extends Unit_Test_Case { $intent = ORM::factory("access_intent")->where("item_id", $album)->find(); // Allow - access::allow(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $album); $this->assert_same(access::ALLOW, $intent->reload()->view_1); // Deny - access::deny(Identity::everybody(), "view", $album); + access::deny(identity::everybody(), "view", $album); $this->assert_same( access::DENY, ORM::factory("access_intent")->where("item_id", $album)->find()->view_1); // Allow again. If the initial value was allow, then the first Allow clause above may not // have actually changed any values. - access::allow(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $album); $this->assert_same( access::ALLOW, ORM::factory("access_intent")->where("item_id", $album)->find()->view_1); - access::reset(Identity::everybody(), "view", $album); + access::reset(identity::everybody(), "view", $album); $this->assert_same( null, ORM::factory("access_intent")->where("item_id", $album)->find()->view_1); @@ -158,7 +158,7 @@ class Access_Helper_Test extends Unit_Test_Case { public function cant_reset_root_item_test() { try { - access::reset(Identity::everybody(), "view", ORM::factory("item", 1)); + access::reset(identity::everybody(), "view", ORM::factory("item", 1)); } catch (Exception $e) { return; } 
@@ -167,17 +167,17 @@ class Access_Helper_Test extends Unit_Test_Case { public function can_view_item_test() { $root = ORM::factory("item", 1); - access::allow(Identity::everybody(), "view", $root); - $this->assert_true(access::group_can(Identity::everybody(), "view", $root)); + access::allow(identity::everybody(), "view", $root); + $this->assert_true(access::group_can(identity::everybody(), "view", $root)); } public function can_always_fails_on_unloaded_items_test() { $root = ORM::factory("item", 1); - access::allow(Identity::everybody(), "view", $root); - $this->assert_true(access::group_can(Identity::everybody(), "view", $root)); + access::allow(identity::everybody(), "view", $root); + $this->assert_true(access::group_can(identity::everybody(), "view", $root)); $bogus = ORM::factory("item", -1); - $this->assert_false(access::group_can(Identity::everybody(), "view", $bogus)); + $this->assert_false(access::group_can(identity::everybody(), "view", $bogus)); } public function cant_view_child_of_hidden_parent_test() { 
@@ -185,21 +185,21 @@ class Access_Helper_Test extends Unit_Test_Case { $album = album::create($root, rand(), "test album"); $root->reload(); - access::deny(Identity::everybody(), "view", $root); - access::reset(Identity::everybody(), "view", $album); + access::deny(identity::everybody(), "view", $root); + access::reset(identity::everybody(), "view", $album); $album->reload(); - $this->assert_false(access::group_can(Identity::everybody(), "view", $album)); + $this->assert_false(access::group_can(identity::everybody(), "view", $album)); } public function view_permissions_propagate_down_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), "test album"); - access::allow(Identity::everybody(), "view", $root); - access::reset(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $root); + access::reset(identity::everybody(), "view", $album); $album->reload(); - $this->assert_true(access::group_can(Identity::everybody(), "view", $album)); + $this->assert_true(access::group_can(identity::everybody(), "view", $album)); } public function can_toggle_view_permissions_propagate_down_test() { 
@@ -214,18 +214,18 @@ class Access_Helper_Test extends Unit_Test_Case { $album3->reload(); $album4->reload(); - access::allow(Identity::everybody(), "view", $root); - access::deny(Identity::everybody(), "view", $album1); - access::reset(Identity::everybody(), "view", $album2); - access::reset(Identity::everybody(), "view", $album3); - access::reset(Identity::everybody(), "view", $album4); + access::allow(identity::everybody(), "view", $root); + access::deny(identity::everybody(), "view", $album1); + access::reset(identity::everybody(), "view", $album2); + access::reset(identity::everybody(), "view", $album3); + access::reset(identity::everybody(), "view", $album4); $album4->reload(); - $this->assert_false(access::group_can(Identity::everybody(), "view", $album4)); + $this->assert_false(access::group_can(identity::everybody(), "view", $album4)); - access::allow(Identity::everybody(), "view", $album1); + access::allow(identity::everybody(), "view", $album1); $album4->reload(); - $this->assert_true(access::group_can(Identity::everybody(), "view", $album4)); + $this->assert_true(access::group_can(identity::everybody(), "view", $album4)); } public function revoked_view_permissions_cant_be_allowed_lower_down_test() { 
@@ -234,29 +234,29 @@ class Access_Helper_Test extends Unit_Test_Case { $album2 = album::create($album1, rand(), "test album"); $root->reload(); - access::deny(Identity::everybody(), "view", $root); - access::allow(Identity::everybody(), "view", $album2); + access::deny(identity::everybody(), "view", $root); + access::allow(identity::everybody(), "view", $album2); $album1->reload(); - $this->assert_false(access::group_can(Identity::everybody(), "view", $album1)); + $this->assert_false(access::group_can(identity::everybody(), "view", $album1)); $album2->reload(); - $this->assert_false(access::group_can(Identity::everybody(), "view", $album2)); + $this->assert_false(access::group_can(identity::everybody(), "view", $album2)); } public function can_edit_item_test() { $root = ORM::factory("item", 1); - access::allow(Identity::everybody(), "edit", $root); - $this->assert_true(access::group_can(Identity::everybody(), "edit", $root)); + access::allow(identity::everybody(), "edit", $root); + $this->assert_true(access::group_can(identity::everybody(), "edit", $root)); } public function non_view_permissions_propagate_down_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), "test album"); - access::allow(Identity::everybody(), "edit", $root); - access::reset(Identity::everybody(), "edit", $album); - $this->assert_true(access::group_can(Identity::everybody(), "edit", $album)); + access::allow(identity::everybody(), "edit", $root); + access::reset(identity::everybody(), "edit", $album); + $this->assert_true(access::group_can(identity::everybody(), "edit", $album)); } public function non_view_permissions_can_be_revoked_lower_down_test() { 
@@ -276,36 +276,36 @@ class Access_Helper_Test extends Unit_Test_Case { $outer->reload(); $inner->reload(); - access::allow(Identity::everybody(), "edit", $root); - access::deny(Identity::everybody(), "edit", $outer); - access::allow(Identity::everybody(), "edit", $inner); + access::allow(identity::everybody(), "edit", $root); + access::deny(identity::everybody(), "edit", $outer); + access::allow(identity::everybody(), "edit", $inner); // Outer album is not editable, inner one is. - $this->assert_false(access::group_can(Identity::everybody(), "edit", $outer_photo)); - $this->assert_true(access::group_can(Identity::everybody(), "edit", $inner_photo)); + $this->assert_false(access::group_can(identity::everybody(), "edit", $outer_photo)); + $this->assert_true(access::group_can(identity::everybody(), "edit", $inner_photo)); } public function i_can_edit_test() { // Create a new user that belongs to no groups - $user = Identity::create_user("access_test", "Access Test", ""); + $user = identity::create_user("access_test", "Access Test", ""); foreach ($user->groups as $group) { $user->remove($group); } $user->save(); - Session::set_active_user($user); + identity::set_active_user($user); // This user can't edit anything $root = ORM::factory("item", 1); $this->assert_false(access::can("edit", $root)); // Now add them to a group that has edit permission - $group = Identity::create_group("access_test"); + $group = identity::create_group("access_test"); $group->add($user); $group->save(); access::allow($group, "edit", $root); - $user = Identity::lookup_user($user->id); // reload() does not flush related columns - Session::set_active_user($user); + $user = identity::lookup_user($user->id); // reload() does not flush related columns + identity::set_active_user($user); // And verify that the user can edit. $this->assert_true(access::can("edit", $root)); 
@@ -317,16 +317,16 @@ class Access_Helper_Test extends Unit_Test_Case { $this->assert_false(file_exists($album->file_path() . "/.htaccess")); - access::deny(Identity::everybody(), "view", $album); + access::deny(identity::everybody(), "view", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); - access::allow(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); - access::deny(Identity::everybody(), "view", $album); + access::deny(identity::everybody(), "view", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); - access::reset(Identity::everybody(), "view", $album); + access::reset(identity::everybody(), "view", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); } 
@@ -338,44 +338,44 @@ class Access_Helper_Test extends Unit_Test_Case { $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); - access::deny(Identity::everybody(), "view_full", $album); + access::deny(identity::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); - access::allow(Identity::everybody(), "view_full", $album); + access::allow(identity::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); - access::deny(Identity::everybody(), "view_full", $album); + access::deny(identity::everybody(), "view_full", $album); $this->assert_true(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); - access::reset(Identity::everybody(), "view_full", $album); + access::reset(identity::everybody(), "view_full", $album); $this->assert_false(file_exists($album->file_path() . "/.htaccess")); $this->assert_false(file_exists($album->resize_path() . "/.htaccess")); $this->assert_false(file_exists($album->thumb_path() . "/.htaccess")); } public function moved_items_inherit_new_permissions_test() { - Session::set_active_user(Identity::lookup_user_by_name("admin")); + identity::set_active_user(identity::lookup_user_by_name("admin")); $root = ORM::factory("item", 1); $public_album = album::create($root, rand(), "public album"); $public_photo = photo::create($public_album, MODPATH . 
"gallery/images/gallery.png", "", ""); - access::allow(Identity::everybody(), "view", $public_album); + access::allow(identity::everybody(), "view", $public_album); $root->reload(); // Account for MPTT changes $private_album = album::create($root, rand(), "private album"); - access::deny(Identity::everybody(), "view", $private_album); + access::deny(identity::everybody(), "view", $private_album); $private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", ""); // Make sure that we now have a public photo and private photo. - $this->assert_true(access::group_can(Identity::everybody(), "view", $public_photo)); - $this->assert_false(access::group_can(Identity::everybody(), "view", $private_photo)); + $this->assert_true(access::group_can(identity::everybody(), "view", $public_photo)); + $this->assert_false(access::group_can(identity::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); @@ -391,7 +391,7 @@ class Access_Helper_Test extends Unit_Test_Case { $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. - $this->assert_false(access::group_can(Identity::everybody(), "view", $public_photo)); - $this->assert_true(access::group_can(Identity::everybody(), "view", $private_photo)); + $this->assert_false(access::group_can(identity::everybody(), "view", $public_photo)); + $this->assert_true(access::group_can(identity::everybody(), "view", $private_photo)); } } diff --git a/modules/gallery/tests/Albums_Controller_Test.php b/modules/gallery/tests/Albums_Controller_Test.php index fa46d924..b85b5258 100644 --- a/modules/gallery/tests/Albums_Controller_Test.php +++ b/modules/gallery/tests/Albums_Controller_Test.php 
@@ -45,7 +45,7 @@ class Albums_Controller_Test extends Unit_Test_Case { $_POST["csrf"] = access::csrf_token(); $_POST["slug"] = "new_name"; $_POST["_method"] = "put"; - access::allow(Identity::everybody(), "edit", $root); + access::allow(identity::everybody(), "edit", $root); ob_start(); $controller->_update($this->_album); @@ -69,7 +69,7 @@ class Albums_Controller_Test extends Unit_Test_Case { $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; - access::allow(Identity::everybody(), "edit", $root); + access::allow(identity::everybody(), "edit", $root); try { $controller->_update($this->_album); diff --git a/modules/gallery/tests/Item_Helper_Test.php b/modules/gallery/tests/Item_Helper_Test.php index fc01db91..a364423a 100644 --- a/modules/gallery/tests/Item_Helper_Test.php +++ b/modules/gallery/tests/Item_Helper_Test.php @@ -23,16 +23,16 @@ class Item_Helper_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $item = self::_create_random_item($album); - Session::set_active_user(Identity::guest()); + identity::set_active_user(identity::guest()); // We can see the item when permissions are granted - access::allow(Identity::everybody(), "view", $album); + access::allow(identity::everybody(), "view", $album); $this->assert_equal( 1, ORM::factory("item")->viewable()->where("id", $item->id)->count_all()); // We can't see the item when permissions are denied - access::deny(Identity::everybody(), "view", $album); + access::deny(identity::everybody(), "view", $album); $this->assert_equal( 0, ORM::factory("item")->viewable()->where("id", $item->id)->count_all()); diff --git a/modules/gallery/tests/Photos_Controller_Test.php b/modules/gallery/tests/Photos_Controller_Test.php index 59c3f78a..2e5d7fe3 100644 --- a/modules/gallery/tests/Photos_Controller_Test.php +++ b/modules/gallery/tests/Photos_Controller_Test.php 
@@ -31,7 +31,7 @@ class Photos_Controller_Test extends Unit_Test_Case { $root = ORM::factory("item", 1); $photo = photo::create( $root, MODPATH . "gallery/tests/test.jpg", "test.jpeg", - "test", "test", Session::active_user()->id, "slug"); + "test", "test", identity::active_user()->id, "slug"); $orig_name = $photo->name; $_POST["filename"] = "test.jpeg"; @@ -40,7 +40,7 @@ class Photos_Controller_Test extends Unit_Test_Case { $_POST["description"] = "new description"; $_POST["slug"] = "new-slug"; $_POST["csrf"] = access::csrf_token(); - access::allow(Identity::everybody(), "edit", $root); + access::allow(identity::everybody(), "edit", $root); ob_start(); $controller->_update($photo); @@ -64,7 +64,7 @@ class Photos_Controller_Test extends Unit_Test_Case { $_POST["name"] = "new name"; $_POST["title"] = "new title"; $_POST["description"] = "new description"; - access::allow(Identity::everybody(), "edit", $root); + access::allow(identity::everybody(), "edit", $root); try { $controller->_update($photo); diff --git a/modules/gallery/views/kohana_error_page.php b/modules/gallery/views/kohana_error_page.php index 0256fabb..0d8801e5 100644 --- a/modules/gallery/views/kohana_error_page.php +++ b/modules/gallery/views/kohana_error_page.php @@ -57,7 +57,7 @@ <?= t("Something went wrong!") ?> - + admin ?>

diff --git a/modules/gallery/views/login.html.php b/modules/gallery/views/login.html.php index 6695d564..961f44fa 100644 --- a/modules/gallery/views/login.html.php +++ b/modules/gallery/views/login.html.php @@ -8,7 +8,7 @@
  • - + html::mark_clean( 'id}") . '" title="' . t("Edit Your Profile")->for_html_attr() . diff --git a/modules/gallery/views/login_ajax.html.php b/modules/gallery/views/login_ajax.html.php index 6ed40571..a9a9ef11 100644 --- a/modules/gallery/views/login_ajax.html.php +++ b/modules/gallery/views/login_ajax.html.php @@ -36,7 +36,7 @@
  • - +
  • diff --git a/modules/notification/helpers/notification.php b/modules/notification/helpers/notification.php index 080f154b..9a40b0b9 100644 --- a/modules/notification/helpers/notification.php +++ b/modules/notification/helpers/notification.php @@ -20,7 +20,7 @@ class notification { static function get_subscription($item_id, $user=null) { if (empty($user)) { - $user = Session::active_user(); + $user = identity::active_user(); } return ORM::factory("subscription") @@ -31,7 +31,7 @@ class notification { static function is_watching($item, $user=null) { if (empty($user)) { - $user = Session::active_user(); + $user = identity::active_user(); } return ORM::factory("subscription") @@ -44,7 +44,7 @@ class notification { static function add_watch($item, $user=null) { if ($item->is_album()) { if (empty($user)) { - $user = Session::active_user(); + $user = identity::active_user(); } $subscription = ORM::factory("subscription"); $subscription->item_id = $item->id; @@ -56,7 +56,7 @@ class notification { static function remove_watch($item, $user=null) { if ($item->is_album()) { if (empty($user)) { - $user = Session::active_user(); + $user = identity::active_user(); } $subscription = ORM::factory("subscription") @@ -81,7 +81,7 @@ class notification { if (empty($subscriber_ids)) { return array(); } - $users = Identity::get_user_list($subscriber_ids); + $users = identity::get_user_list($subscriber_ids); $subscribers = array(); foreach ($users as $user) { diff --git a/modules/notification/helpers/notification_event.php b/modules/notification/helpers/notification_event.php index f0530cd9..3a369155 100644 --- a/modules/notification/helpers/notification_event.php +++ b/modules/notification/helpers/notification_event.php @@ -95,7 +95,7 @@ class notification_event_Core { } static function site_menu($menu, $theme) { - if (!Session::active_user()->guest) { + if (!identity::active_user()->guest) { $item = $theme->item(); if ($item && $item->is_album() && access::can("view", $item)) { 
diff --git a/modules/search/helpers/search.php b/modules/search/helpers/search.php index 8b14cfa9..f9da9a16 100644 --- a/modules/search/helpers/search.php +++ b/modules/search/helpers/search.php @@ -22,8 +22,8 @@ class search_Core { $db = Database::instance(); $q = $db->escape_str($q); - if (!Session::active_user()->admin) { - foreach (Session::group_ids_for_active_user() as $id) { + if (!identity::active_user()->admin) { + foreach (identity::group_ids_for_active_user() as $id) { $fields[] = "`view_$id` = TRUE"; // access::ALLOW } $access_sql = "AND (" . join(" AND ", $fields) . ")"; diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php index 428065f6..53a3d091 100644 --- a/modules/server_add/controllers/server_add.php +++ b/modules/server_add/controllers/server_add.php @@ -103,7 +103,7 @@ class Server_Add_Controller extends Admin_Controller { access::verify_csrf(); $task = ORM::factory("task", $task_id); - if (!$task->loaded || $task->owner_id != Session::active_user()->id) { + if (!$task->loaded || $task->owner_id != identity::active_user()->id) { access::forbidden(); } @@ -207,7 +207,7 @@ class Server_Add_Controller extends Admin_Controller { $task->set("mode", "done"); } - $owner_id = Session::active_user()->id; + $owner_id = identity::active_user()->id; foreach ($entries as $entry) { if (microtime(true) - $start > 0.5) { break; diff --git a/modules/server_add/helpers/server_add_event.php b/modules/server_add/helpers/server_add_event.php index 8f8b0016..1d883a71 100644 --- a/modules/server_add/helpers/server_add_event.php +++ b/modules/server_add/helpers/server_add_event.php 
@@ -30,7 +30,7 @@ class server_add_event_Core { $item = $theme->item(); $paths = unserialize(module::get_var("server_add", "authorized_paths")); - if ($item && Session::active_user()->admin && $item->is_album() && !empty($paths) && + if ($item && identity::active_user()->admin && $item->is_album() && !empty($paths) && is_writable($item->is_album() ? $item->file_path() : $item->parent()->file_path())) { $menu->get("add_menu") ->append(Menu::factory("dialog") diff --git a/modules/server_add/helpers/server_add_theme.php b/modules/server_add/helpers/server_add_theme.php index 44681d36..9da8969a 100644 --- a/modules/server_add/helpers/server_add_theme.php +++ b/modules/server_add/helpers/server_add_theme.php @@ -19,7 +19,7 @@ */ class server_add_theme_Core { static function head($theme) { - if (Session::active_user()->admin) { + if (identity::active_user()->admin) { $theme->script("server_add.js"); } } diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index 258de843..8b96ebd2 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -69,7 +69,7 @@ class Admin_Users_Controller extends Admin_Controller { public function delete_user($id) { access::verify_csrf(); - if ($id == Session::active_user()->id || $id == user::guest()->id) { + if ($id == identity::active_user()->id || $id == user::guest()->id) { access::forbidden(); } @@ -136,7 +136,7 @@ class Admin_Users_Controller extends Admin_Controller { } // An admin can change the admin status for any user but themselves - if ($user->id != Session::active_user()->id) { + if ($user->id != identity::active_user()->id) { $user->admin = $form->edit_user->admin->checked; } $user->save(); 
@@ -158,7 +158,7 @@ class Admin_Users_Controller extends Admin_Controller { $form = $this->_get_user_edit_form_admin($user); // Don't allow the user to control their own admin bit, else you can lock yourself out - if ($user->id == Session::active_user()->id) { + if ($user->id == identity::active_user()->id) { $form->edit_user->admin->disabled(1); } print $form; diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index a8f1c5ca..6bef1a17 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php @@ -46,7 +46,7 @@ class Password_Controller extends Controller { $valid = $form->validate(); if ($valid) { - $user = Identity::lookup_user_by_name($form->reset->inputs["name"]->value); + $user = identity::lookup_user_by_name($form->reset->inputs["name"]->value); if (!$user->loaded || empty($user->email)) { $form->reset->inputs["name"]->add_error("no_email", 1); $valid = false; diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php index 0ccf3e2a..dee54f63 100644 --- a/modules/user/controllers/users.php +++ b/modules/user/controllers/users.php @@ -21,7 +21,7 @@ class Users_Controller extends Controller { public function update($id) { $user = user::lookup($id); - if ($user->guest || $user->id != Session::active_user()->id) { + if ($user->guest || $user->id != identity::active_user()->id) { access::forbidden(); } @@ -59,7 +59,7 @@ class Users_Controller extends Controller { public function form_edit($id) { $user = user::lookup($id); - if ($user->guest || $user->id != Session::active_user()->id) { + if ($user->guest || $user->id != identity::active_user()->id) { access::forbidden(); } diff --git a/modules/user/helpers/group.php b/modules/user/helpers/group.php index 8ad52564..567b2ee4 100644 --- a/modules/user/helpers/group.php +++ b/modules/user/helpers/group.php 
@@ -25,7 +25,10 @@ */ class group_Core { /** - * @see Identity_Driver::create. + * Create a new group. + * + * @param string $name + * @return Group_Definition the group object */ static function create($name) { $group = ORM::factory("group")->where("name", $name)->find(); @@ -39,14 +42,18 @@ class group_Core { } /** - * @see Identity_Driver::everbody. + * The group of all possible visitors. This includes the guest user. + * + * @return Group_Definition the group object */ static function everybody() { return model_cache::get("group", 1); } /** - * @see Identity_Driver::registered_users. + * The group of all logged-in visitors. This does not include guest users. + * + * @return Group_Definition the group object */ static function registered_users() { return model_cache::get("group", 2); @@ -71,7 +78,10 @@ class group_Core { } /** - * @see Identity_Driver::get_group_list. + * Search the groups by the field and value. + * @param string $field_name column to look up the user by + * @param string $value value to match + * @return Group_Definition the group object, or null if the name was invalid. */ static function lookup_by_field($field_name, $value) { try { diff --git a/modules/user/libraries/drivers/Identity/Gallery.php b/modules/user/libraries/drivers/Identity/Gallery.php deleted file mode 100644 index 36f37543..00000000 --- a/modules/user/libraries/drivers/Identity/Gallery.php +++ /dev/null 
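Review bot: The new docblock on `lookup_by_field` in the `@@ -71,7 +78,10 @@` hunk of group.php describes the wrong entity: `@param string $field_name column to look up the user by` sits in the group helper, and the `@return` says `or null if the name was invalid` although the lookup is by an arbitrary field, not a name. I would change those two lines to `@param string $field_name column to look up the group by` and `@return Group_Definition the group object, or null if no group matched`. The summary line `Search the groups by the field and value.` also reads as if several results came back; `Look up a single group by the given field and value.` matches the documented return. The body of lookup_by_field continues outside the hunk, so I could not confirm what it returns on a miss.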
@@ -1,150 +0,0 @@ -password; - - // Try phpass first, since that's what we generate. - if (strlen($valid) == 34) { - require_once(MODPATH . "user/lib/PasswordHash.php"); - $hashGenerator = new PasswordHash(10, true); - return $hashGenerator->CheckPassword($password, $valid); - } - - $salt = substr($valid, 0, 4); - // Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: - $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password)); - if (!strcmp($guess, $valid)) { - return true; - } - - // Passwords with <&"> created by G2 prior to 2.1 were hashed with entities - $sanitizedPassword = html::specialchars($password, false); - $guess = (strlen($valid) == 32) ? md5($sanitizedPassword) - : ($salt . md5($salt . $sanitizedPassword)); - if (!strcmp($guess, $valid)) { - return true; - } - - return false; - } - - /** - * @see Identity_Driver::lookup_user. - */ - public function lookup_user($id) { - return user::lookup_by_field("id", $id); - } - - /** - * @see Identity_Driver::lookup_user_by_name. - */ - public function lookup_user_by_name($name) { - return user::lookup_by_field("name", $name); - } - - /** - * @see Identity_Driver::create_group. - */ - public function create_group($name) { - return group::create($name); - } - - /** - * @see Identity_Driver::everybody. - */ - public function everybody() { - return group::everybody(); - } - - /** - * @see Identity_Driver::registered_users. - */ - public function registered_users() { - return group::registered_users(); - } - - /** - * @see Identity_Driver::lookup_group. - */ - public function lookup_group($id) { - return group::lookup_by_field("id", $id); - } - - /** - * @see Identity_Driver::lookup_group_by_name. - */ - public function lookup_group_by_name($name) { - return group::lookup_by_field("name", $name); - } - - /** - * @see Identity_Driver::get_user_list. 
- */ - public function get_user_list($ids) { - return ORM::factory("user") - ->in("id", $ids) - ->find_all() - ->as_array(); - } - - /** - * @see Identity_Driver::groups. - */ - public function groups() { - return ORM::factory("group")->find_all(); - } - -} // End Identity Gallery Driver - diff --git a/modules/user/libraries/drivers/IdentityProvider/Gallery.php b/modules/user/libraries/drivers/IdentityProvider/Gallery.php new file mode 100644 index 00000000..5941abb7 --- /dev/null +++ b/modules/user/libraries/drivers/IdentityProvider/Gallery.php 
@@ -0,0 +1,150 @@ +password; + + // Try phpass first, since that's what we generate. + if (strlen($valid) == 34) { + require_once(MODPATH . "user/lib/PasswordHash.php"); + $hashGenerator = new PasswordHash(10, true); + return $hashGenerator->CheckPassword($password, $valid); + } + + $salt = substr($valid, 0, 4); + // Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: + $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password)); + if (!strcmp($guess, $valid)) { + return true; + } + + // Passwords with <&"> created by G2 prior to 2.1 were hashed with entities + $sanitizedPassword = html::specialchars($password, false); + $guess = (strlen($valid) == 32) ? md5($sanitizedPassword) + : ($salt . md5($salt . $sanitizedPassword)); + if (!strcmp($guess, $valid)) { + return true; + } + + return false; + } + + /** + * @see IdentityProvider_Driver::lookup_user. + */ + public function lookup_user($id) { + return user::lookup_by_field("id", $id); + } + + /** + * @see IdentityProvider_Driver::lookup_user_by_name. + */ + public function lookup_user_by_name($name) { + return user::lookup_by_field("name", $name); + } + + /** + * @see IdentityProvider_Driver::create_group. + */ + public function create_group($name) { + return group::create($name); + } + + /** + * @see IdentityProvider_Driver::everybody. + */ + public function everybody() { + return group::everybody(); + } + + /** + * @see IdentityProvider_Driver::registered_users. + */ + public function registered_users() { + return group::registered_users(); + } + + /** + * @see IdentityProvider_Driver::lookup_group. + */ + public function lookup_group($id) { + return group::lookup_by_field("id", $id); + } + + /** + * @see IdentityProvider_Driver::lookup_group_by_name. + */ + public function lookup_group_by_name($name) { + return group::lookup_by_field("name", $name); + } + + /** + * @see IdentityProvider_Driver::get_user_list. 
+ */ + public function get_user_list($ids) { + return ORM::factory("user") + ->in("id", $ids) + ->find_all() + ->as_array(); + } + + /** + * @see IdentityProvider_Driver::groups. + */ + public function groups() { + return ORM::factory("group")->find_all(); + } + +} // End Identity Gallery Driver + diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php index ee8d413c..fed92c5e 100644 --- a/modules/user/views/admin_users.html.php +++ b/modules/user/views/admin_users.html.php @@ -91,7 +91,7 @@ open_text="" class="g-panel-link g-button ui-state-default ui-corner-all ui-icon-left"> - id != $user->id && !$user->guest): ?> + id != $user->id && !$user->guest): ?> id") ?>" class="g-dialog-link g-button ui-state-default ui-corner-all ui-icon-left"> -- cgit v1.2.3 From 2dcd8f8a25fc698f2279a09752cc7bb9dfe1d7ec Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 26 Oct 2009 11:37:03 -0700 Subject: When we are changing the password using the change password from as part of the password reset, the input value is in the post[hash] variable as opposed to the get(key) value. This should fix ticket #850. --- modules/user/controllers/password.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/user/controllers/password.php') diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index 6bef1a17..b76a5e92 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php @@ -116,7 +116,7 @@ class Password_Controller extends Controller { private function _change_password() { $view = $this->_new_password_form(); if ($view->content->validate()) { - $user = user::lookup_user_by_field("hash", Input::instance()->get("key")); + $user = user::lookup_by_hash(Input::instance()->post("hash")); if (empty($user)) { throw new Exception("@todo FORBIDDEN", 503); } -- cgit v1.2.3 From 156a99beef968a22167502bb6389b4df7526feb0 Mon Sep 17 00:00:00 2001 
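Review bot: The password check at the top of the new IdentityProvider/Gallery.php (the opening lines of the hunk are garbled in this view, so the method signature is not visible) still accepts the legacy `md5($password)` and `$salt . md5($salt . $password)` schemes, including the entity-encoded variant, and nothing in the hunk upgrades a hash that matched one of those branches to the phpass form that the `strlen($valid) == 34` branch verifies. The file is a move of Identity/Gallery.php with only the `@see` targets changed, so the behaviour is not new, but while the provider interface is being reshaped I would add `// TODO: on a successful legacy-scheme match, rehash with PasswordHash so the md5 forms age out` above the `$salt = substr($valid, 0, 4);` line and wire that rehash in wherever the caller persists the user. The two `!strcmp($guess, $valid)` comparisons are also not constant-time; a constant-time comparison is the conventional choice for verifying credential digests, low as the practical exposure of a 32-character hex string is here.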
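Review bot: In the `@@ -116,7 +116,7 @@` hunk of password.php the posted `hash` is now the only value that authenticates the password change, and it reaches `user::lookup_by_hash` without an emptiness check; whether a missing or empty field can match a row depends on how lookup_by_hash and the `hash` column treat an empty value, which is not visible here. I would read it into a local and refuse early: `$hash = Input::instance()->post("hash");` / `if (empty($hash)) { throw new Exception("@todo FORBIDDEN", 503); }` / `$user = user::lookup_by_hash($hash);`. The existing `503` on the forbidden path is a service-unavailable status while the `@todo FORBIDDEN` text asks for a 403; that line is context rather than part of this change, but it is worth fixing while here. `_change_password` continues outside the hunk.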
From: Tim Almdal Date: Tue, 27 Oct 2009 10:13:40 -0700 Subject: Set the minimum password length to 5. The gallery owner can change this in the advance settings. --- modules/user/controllers/admin_users.php | 5 ++++- modules/user/controllers/password.php | 5 +++-- modules/user/controllers/users.php | 5 +++++ modules/user/helpers/user_installer.php | 12 +++++++++++- modules/user/module.info | 2 +- 5 files changed, 24 insertions(+), 5 deletions(-) (limited to 'modules/user/controllers/password.php') diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index 4d80521e..55a525ba 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -308,7 +308,6 @@ class Admin_Users_Controller extends Admin_Controller { $group->input("url")->label(t("URL"))->id("g-url")->value($user->url); $group->checkbox("admin")->label(t("Admin"))->id("g-admin")->checked($user->admin); $form->add_rules_from($user); - $form->edit_user->password->rules("-required"); module::event("user_edit_form_admin", $user, $form); $group->submit("")->value(t("Modify User")); @@ -330,6 +329,10 @@ class Admin_Users_Controller extends Admin_Controller { $group->checkbox("admin")->label(t("Admin"))->id("g-admin"); $form->add_rules_from(ORM::factory("user")); + $minimum_length = module::get_var("user", "mininum_password_length", 5); + $form->edit_user->password + ->rules($minimum_length ? "length[$minimum_length, 40]" : "length[40]"); + module::event("user_add_form_admin", $user, $form); $group->submit("")->value(t("Add User")); return $form; diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index b76a5e92..888fb37d 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php 
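Review bot: The setting key introduced on the new lines of the `@@ -330,6 +329,10 @@` hunk of admin_users.php, `mininum_password_length`, is misspelled (`minimum_password_length`); it is spelled the same way in the password.php, users.php and user_installer.php hunks of this commit, so the lookups agree with the installer, but the typo is persisted as the variable name and will trip anyone setting it from the advanced settings the commit message promises. The fallback `"length[40]"` when the minimum is 0 looks wrong as well: if a single-argument `length[n]` means "exactly n characters", as I believe the Kohana length rule does, a zero minimum would force 40-character passwords instead of lifting the minimum, and `"length[0, 40]"` would express the intent. The `-required` rule removed in the preceding `@@ -308,7 +308,6 @@` hunk means the admin edit form no longer strips a `required` rule that `add_rules_from($user)` may supply for the password; please confirm that saving a user without retyping the password still validates. The `length[$minimum_length, 40]` form also relies on the rule parser tolerating the space after the comma, where the removed rule used `length[1,40]`.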
@@ -101,8 +101,9 @@ class Password_Controller extends Controller { if (!empty($hash)) { $hidden->value($hash); } - $group->password("password")->label(t("Password"))->id("g-password") - ->rules("required|length[1,40]"); + $minimum_length = module::get_var("user", "mininum_password_length", 5); + $input_password = $group->password("password")->label(t("Password"))->id("g-password") + ->rules($minimum_length ? "required|length[$minimum_length, 40]" : "length[40]"); $group->password("password2")->label(t("Confirm Password"))->id("g-password2") ->matches($group->password); $group->inputs["password2"]->error_messages( diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php index 28164e9c..3507ec6d 100644 --- a/modules/user/controllers/users.php +++ b/modules/user/controllers/users.php @@ -78,6 +78,11 @@ class Users_Controller extends Controller { $group->input("url")->label(t("URL"))->id("g-url")->value($user->url); $form->add_rules_from($user); + $minimum_length = module::get_var("user", "mininum_password_length", 5); + $form->edit_user->password + ->rules($minimum_length ? "length[$minimum_length, 40]" : "length[40]"); + + module::event("user_edit_form", $user, $form); $group->submit("")->value(t("Save")); return $form; diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php index cc8e71ea..9aad4130 100644 --- a/modules/user/helpers/user_installer.php +++ b/modules/user/helpers/user_installer.php @@ -80,7 +80,17 @@ class user_installer { access::allow($registered, "view", $root); access::allow($registered, "view_full", $root); - module::set_version("user", 1); + module::set_var("user", "mininum_password_length", 5); + + module::set_version("user", 2); + } + + static function upgrade($version) { + if ($version == 1) { + module::set_var("user", "mininum_password_length", 5); + + module::set_version("user", $version = 2); + } } static function uninstall() { 
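Review bot: In the new `->rules(...)` ternary the `required` rule survives only in the truthy branch; when `mininum_password_length` is 0 the field becomes `length[40]` with no `required`, so an empty submission is stopped only if the length rule itself happens to reject empty input, while a non-empty one must be exactly 40 characters if single-argument `length` means exact length. Keep `required` in both branches: `->rules($minimum_length ? "required|length[$minimum_length,40]" : "required|length[1,40]")`. The newly introduced `$input_password` is not read anywhere within this hunk; if nothing beyond it uses the variable, drop the assignment and keep the original statement form. `_new_password_form()` continues on both sides of the hunk.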
diff --git a/modules/user/module.info b/modules/user/module.info index 36a2179a..7178f108 100644 --- a/modules/user/module.info +++ b/modules/user/module.info @@ -1,6 +1,6 @@ name = "Users and Groups" description = "Gallery 3 user and group management" -version = 1 +version = 2 ; Don't show this module on the module administration screen no_module_admin = 1 -- cgit v1.2.3 From 1347a300509b2ab3083bb88193987c18b33187ad Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 27 Oct 2009 12:23:48 -0700 Subject: Add a password strength meter. --- modules/user/controllers/admin_users.php | 13 +++++++---- modules/user/controllers/password.php | 11 +++++---- modules/user/controllers/users.php | 4 +++- modules/user/css/progressImg1.png | Bin 0 -> 390 bytes modules/user/css/user.css | 36 ++++++++++++++++++++++++++++ modules/user/helpers/user_theme.php | 2 ++ modules/user/js/password_strength.js | 39 +++++++++++++++++++++++++++++++ modules/user/views/user_form.html.php | 7 ++++++ 8 files changed, 101 insertions(+), 11 deletions(-) create mode 100644 modules/user/css/progressImg1.png create mode 100644 modules/user/js/password_strength.js create mode 100644 modules/user/views/user_form.html.php (limited to 'modules/user/controllers/password.php') diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index 55a525ba..ac5dc33c 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -63,7 +63,9 @@ class Admin_Users_Controller extends Admin_Controller { } public function add_user_form() { - print $this->_get_user_add_form_admin(); + $v = new View("user_form.html"); + $v->form = $this->_get_user_add_form_admin(); + print $v; } public function delete_user($id) { 
@@ -156,12 +158,13 @@ class Admin_Users_Controller extends Admin_Controller { kohana::show_404(); } - $form = $this->_get_user_edit_form_admin($user); + $v = new View("user_form.html"); + $v->form = $this->_get_user_edit_form_admin($user); // Don't allow the user to control their own admin bit, else you can lock yourself out if ($user->id == identity::active_user()->id) { - $form->edit_user->admin->disabled(1); + $v->form->edit_user->admin->disabled(1); } - print $form; + print $v; } public function add_user_to_group($user_id, $group_id) { @@ -330,7 +333,7 @@ class Admin_Users_Controller extends Admin_Controller { $form->add_rules_from(ORM::factory("user")); $minimum_length = module::get_var("user", "mininum_password_length", 5); - $form->edit_user->password + $form->add_user->password ->rules($minimum_length ? "length[$minimum_length, 40]" : "length[40]"); module::event("user_add_form_admin", $user, $form); diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index 888fb37d..5f36b554 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php @@ -32,7 +32,7 @@ class Password_Controller extends Controller { if (request::method() == "post") { $this->_change_password(); } else { - $user = user::lookup_user_by_field("hash", Input::instance()->get("key")); + $user = user::lookup_by_hash(Input::instance()->get("key")); if (!empty($user)) { print $this->_new_password_form($user->hash); } else { @@ -46,7 +46,7 @@ class Password_Controller extends Controller { $valid = $form->validate(); if ($valid) { - $user = identity::lookup_user_by_name($form->reset->inputs["name"]->value); + $user = user::lookup_by_name($form->reset->inputs["name"]->value); if (!$user->loaded || empty($user->email)) { $form->reset->inputs["name"]->add_error("no_email", 1); $valid = false; 
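Review bot: In the `password.php @@ -46` hunk the result of `user::lookup_by_name()` is tested with `!$user->loaded`, whereas the sibling `user::lookup_by_hash()` calls in this same file are tested with `empty($user)`; if the new `user::` helpers return `null` for a miss, as the `empty()` checks suggest, `$user->loaded` reads a property of `null` and the "no_email" error path is never reached cleanly. Use a check that holds for both a `null` and an unloaded object: `if (empty($user) || empty($user->email)) {`. Whether the helper returns `null` or an unloaded ORM object is not visible here and should be confirmed against the `user` helper. The enclosing method begins before the hunk.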
@@ -110,19 +110,20 @@ class Password_Controller extends Controller { "mistyped", t("The password and the confirm password must match")); $group->submit("")->value(t("Update")); - $template->content = $form; + $template->content = new View("user_form.html"); + $template->content->form = $form; return $template; } private function _change_password() { $view = $this->_new_password_form(); - if ($view->content->validate()) { + if ($view->content->form->validate()) { $user = user::lookup_by_hash(Input::instance()->post("hash")); if (empty($user)) { throw new Exception("@todo FORBIDDEN", 503); } - $user->password = $view->content->reset->password->value; + $user->password = $view->content->form->reset->password->value; $user->hash = null; $user->save(); message::success(t("Password reset successfully")); diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php index 3507ec6d..7bcc74d7 100644 --- a/modules/user/controllers/users.php +++ b/modules/user/controllers/users.php @@ -63,7 +63,9 @@ class Users_Controller extends Controller { access::forbidden(); } - print $this->_get_edit_form($user); + $v = new View("user_form.html"); + $v->form = $this->_get_edit_form($user); + print $v; } private function _get_edit_form($user) { diff --git a/modules/user/css/progressImg1.png b/modules/user/css/progressImg1.png new file mode 100644 index 00000000..a9093647 Binary files /dev/null and b/modules/user/css/progressImg1.png differ diff --git a/modules/user/css/user.css b/modules/user/css/user.css index 3b5e7ac2..67d4f196 100644 --- a/modules/user/css/user.css +++ b/modules/user/css/user.css 
@@ -54,3 +54,39 @@ li.g-group .g-user .g-button { li.g-default-group h4, li.g-default-group .g-user { color: gray; } + +.g-password-strength0 { + background: url(progressImg1.png) no-repeat 0 0; + width: 138px; + height: 7px; +} +.g-password-strength10 { + background-position:0 -7px; +} +.g-password-strength20 { + background-position:0 -14px; +} +.g-password-strength30 { + background-position:0 -21px; +} +.g-password-strength40 { + background-position:0 -28px; +} +.g-password-strength50 { + background-position:0 -35px; +} +.g-password-strength60 { + background-position:0 -42px; +} +.g-password-strength70 { + background-position:0 -49px; +} +.g-password-strength80 { + background-position:0 -56px; +} +.g-password-strength90 { + background-position:0 -63px; +} +.g-password-strength100 { + background-position:0 -70px; +} diff --git a/modules/user/helpers/user_theme.php b/modules/user/helpers/user_theme.php index 191fd15a..31e2e8c0 100644 --- a/modules/user/helpers/user_theme.php +++ b/modules/user/helpers/user_theme.php @@ -20,9 +20,11 @@ class user_theme_Core { static function head($theme) { $theme->css("user.css"); + $theme->script("password_strength.js"); } static function admin_head($theme) { $theme->css("user.css"); + $theme->script("password_strength.js"); } } \ No newline at end of file diff --git a/modules/user/js/password_strength.js b/modules/user/js/password_strength.js new file mode 100644 index 00000000..2442b8de --- /dev/null +++ b/modules/user/js/password_strength.js 
@@ -0,0 +1,39 @@ +(function($) { + // Based on the Password Strength Indictor By Benjamin Sterling + // http://benjaminsterling.com/password-strength-indicator-and-generator/ + $.widget("ui.user_password_strength", { + _init: function() { + var self = this; + $(this.element).keyup(function() { + var strength = self.calculateStrength (this.value); + var index = Math.min(Math.floor( strength / 10 ), 10); + $("#g-password-gauge") + .removeAttr('class') + .addClass( "g-password-strength0" ) + .addClass( self.options.classes[ index ] ); + }).after("
    "); + }, + + calculateStrength: function(value) { + // Factor in the length of the password + var strength = Math.min(5, value.length) * 10 - 20; + // Factor in the number of numbers + strength += Math.min(3, value.length - value.replace(/[0-9]/g,"").length) * 10; + // Factor in the number of non word characters + strength += Math.min(3, value.length - value.replace(/\W/g,"").length) * 15; + // Factor in the number of Upper case letters + strength += Math.min(3, value.length - value.replace(/[A-Z]/g,"").length) * 10; + + // Normalizxe between 0 and 100 + return Math.max(0, Math.min(100, strength)); + } + }); + $.extend($.ui.user_password_strength, { + defaults: { + classes : ['g-password-strength10', 'g-password-strength20', 'g-password-strength30', + 'g-password-strength40', 'g-password-strength50', 'g-password-strength60', + 'g-password-strength70',' g-password-strength80',' g-password-strength90', + 'g-password-strength100'] + } + }); + })(jQuery); diff --git a/modules/user/views/user_form.html.php b/modules/user/views/user_form.html.php new file mode 100644 index 00000000..039ae8a5 --- /dev/null +++ b/modules/user/views/user_form.html.php @@ -0,0 +1,7 @@ + + + -- cgit v1.2.3
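Review bot: `index` can reach 10 (`Math.min(Math.floor(strength / 10), 10)` for a strength of 100) but `options.classes` holds only ten entries (indexes 0–9), so the strongest passwords fall through to `addClass(undefined)`, which adds nothing, and the gauge stays at the empty `g-password-strength0` bar. Either include `'g-password-strength0'` as the first entry of `classes` so all eleven indexes resolve, or clamp with `var index = Math.min(Math.floor(strength / 10), 9);` if the 100 class is meant to be unreachable. Two entries, `' g-password-strength80'` and `' g-password-strength90'`, carry a stray leading space inside the quotes. The meter is a client-side hint only; the `length` rules added server-side in the earlier commits remain the enforced check, so the gauge's output should not be relied on for validation.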