Tag: invert behaviour of getCount and getOffset methods

Reviewed-on: Public/pics#55

composer.json

@@ -14,5 +14,14 @@
             "models/",
             "templates/"
         ]
+    },
+    "require": {
+        "ext-mysqli": "*",
+        "ext-imagick": "*",
+        "ext-gd": "*",
+        "ext-imagick": "*",
+        "ext-mysqli": "*",
+        "twbs/bootstrap": "^5.3",
+        "twbs/bootstrap-icons": "^1.10"
     }
 }

controllers/AccountSettings.php

@@ -0,0 +1,134 @@
+<?php
+/*****************************************************************************
+ * AccountSettings.php
+ * Contains the account settings controller.
+ *
+ * Kabuki CMS (C) 2013-2023, Aaron van Geffen
+ *****************************************************************************/
+
+class AccountSettings extends HTMLController
+{
+	public function __construct()
+	{
+		// Not logged in yet?
+		if (!Registry::get('user')->isLoggedIn())
+			throw new NotAllowedException('You need to be logged in to view this page.');
+
+		parent::__construct('Account settings');
+		$form_title = 'Account settings';
+
+		// Session checking!
+		if (empty($_POST))
+			Session::resetSessionToken();
+		else
+			Session::validateSession();
+
+		$fields = [
+			'first_name' => [
+				'type' => 'text',
+				'label' => 'First name',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'surname' => [
+				'type' => 'text',
+				'label' => 'Family name',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'emailaddress' => [
+				'type' => 'text',
+				'label' => 'Email address',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'password1' => [
+				'before_html' => '<div class="offset-sm-2 mt-4"><p>To change your password, please fill out the fields below.</p></div>',
+				'type' => 'password',
+				'label' => 'Password',
+				'size' => 50,
+				'maxlength' => 255,
+				'is_optional' => true,
+			],
+			'password2' => [
+				'type' => 'password',
+				'label' => 'Password (repeat)',
+				'size' => 50,
+				'maxlength' => 255,
+				'is_optional' => true,
+			],
+		];
+
+		$form = new Form([
+			'request_url' => BASEURL . '/' . $_GET['action'] . '/',
+			'fields' => $fields,
+			'submit_caption' => 'Save details',
+		]);
+
+		$user = Registry::get('user');
+
+		// Create the form, add in default values.
+		$form->setData(empty($_POST) ? $user->getProps() : $_POST);
+		$formview = new FormView($form, $form_title);
+		$this->page->adopt($formview);
+
+		// Fetch user tags
+		$tags = Tag::getAllByOwner($user->getUserId());
+		if (!empty($tags))
+			$this->page->adopt(new MyTagsView($tags));
+
+		// Left a message?
+		if (isset($_SESSION['account_msg']))
+		{
+			$alert = $_SESSION['account_msg'];
+			$formview->adopt(new Alert($alert[0], $alert[1], $alert[2]));
+			unset($_SESSION['account_msg']);
+		}
+
+		// Just updating account settings?
+		if (!empty($_POST))
+		{
+			$form->verify($_POST);
+
+			// Anything missing?
+			if (!empty($form->getMissing()))
+			{
+				$missingFields = array_intersect_key($fields, array_flip($form->getMissing()));
+				$missingFields = array_map(function($field) { return strtolower($field['label']); }, $missingFields);
+				return $formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $missingFields), 'danger'));
+			}
+
+			$data = $form->getData();
+
+			// Just to be on the safe side.
+			$data['first_name'] = htmlspecialchars(trim($data['first_name']));
+			$data['surname'] = htmlspecialchars(trim($data['surname']));
+			$data['emailaddress'] = trim($data['emailaddress']);
+
+			// If it looks like an e-mail address...
+			if (!empty($data['emailaddress']) && !preg_match('~^[^ ]+@[^ ]+\.[a-z]+$~', $data['emailaddress']))
+				return $formview->adopt(new Alert('Email addresses invalid', 'The email address you entered is not a valid email address.', 'danger'));
+			// Check whether email address is already linked to an account in the database -- just not to the account we happen to be editing, of course.
+			elseif (!empty($data['emailaddress']) && $user->getEmailAddress() !== $data['emailaddress'] && Member::exists($data['emailaddress']))
+				return $formview->adopt(new Alert('Email address already in use', 'Another account is already using this e-mail address.', 'danger'));
+
+			// Changing passwords?
+			if (!empty($data['password1']) && !empty($data['password2']))
+			{
+				if (strlen($data['password1']) < 6 || !preg_match('~[^A-z]~', $data['password1']))
+					return $formview->adopt(new Alert('Password not acceptable', 'Please use a password that is at least six characters long and contains at least one non-alphabetic character (e.g. a number or symbol).', 'danger'));
+				elseif ($data['password1'] !== $data['password2'])
+					return $formview->adopt(new Alert('Passwords do not match', 'The passwords you entered do not match. Please try again.', 'danger'));
+
+				// Keep just the one.
+				$data['password'] = $data['password1'];
+				unset($data['password1'], $data['password2']);
+				$formview->adopt(new Alert('Your password has been changed', 'Next time you log in, you can use your new password to authenticate yourself.', 'success'));
+			}
+			else
+				$formview->adopt(new Alert('Your account settings have been saved', 'Thank you for keeping your information current.', 'success'));
+
+			$user->update($data);
+		}
+	}
+}

controllers/Download.php

@@ -21,22 +21,30 @@ class Download
 		$tag = (int)$_GET['tag'];
 		$album = Tag::fromId($tag);
 
+		if (isset($_GET['by']) && ($user = Member::fromSlug($_GET['by'])) !== false)
+			$id_user_uploaded = $user->getUserId();
+		else
+			$id_user_uploaded = null;
+
 		if (isset($_SESSION['current_export']))
 			throw new UserFacingException('You can only export one album at the same time. Please wait until the other download finishes, or try again later.');
 
 		// So far so good?
-		$this->exportAlbum($album);
+		$this->exportAlbum($album, $id_user_uploaded);
 		exit;
 	}
 
-	private function exportAlbum(Tag $album)
+	private function exportAlbum(Tag $album, $id_user_uploaded)
 	{
 		$files = [];
 
 		$album_ids = array_merge([$album->id_tag], $this->getChildAlbumIds($album->id_tag));
 		foreach ($album_ids as $album_id)
 		{
-			$iterator = AssetIterator::getByOptions(['id_tag' => $album_id]);
+			$iterator = AssetIterator::getByOptions([
+				'id_tag' => $album_id,
+				'id_user_uploaded' => $id_user_uploaded,
+			]);
 			while ($asset = $iterator->next())
 				$files[] = join(DIRECTORY_SEPARATOR, [$asset->getSubdir(), $asset->getFilename()]);
 		}
@@ -71,6 +79,9 @@ class Download
 		// STDOUT should not block.
 		stream_set_blocking($pipes[1], 0);
 
+		// Allow this the download to take its time...
+		set_time_limit(0);
+
 		header('Pragma: no-cache');
 		header('Content-Description: File Download');
 		header('Content-disposition: attachment; filename="' . $album->tag . '.tar"');

controllers/EditAlbum.php

@@ -6,8 +6,14 @@
  * Kabuki CMS (C) 2013-2017, Aaron van Geffen
  *****************************************************************************/
 
+// TODO: extend EditTag?
 class EditAlbum extends HTMLController
 {
+	private $form;
+	private $formview;
+
+	const THUMBS_PER_PAGE = 20;
+
 	public function __construct()
 	{
 		// Ensure it's just admins at this point.
@@ -18,6 +24,9 @@ class EditAlbum extends HTMLController
 		if (empty($id_tag) && !isset($_GET['add']) && $_GET['action'] !== 'addalbum')
 			throw new UnexpectedValueException('Requested album not found or not requesting a new album.');
 
+		if (!empty($id_tag))
+			$album = Tag::fromId($id_tag);
+
 		// Adding an album?
 		if (isset($_GET['add']) || $_GET['action'] === 'addalbum')
 		{
@@ -29,21 +38,19 @@ class EditAlbum extends HTMLController
 		elseif (isset($_GET['delete']))
 		{
 			// So far so good?
-			$album = Tag::fromId($id_tag);
 			if (Session::validateSession('get') && $album->kind === 'Album' && $album->delete())
 			{
 				header('Location: ' . BASEURL . '/managealbums/');
 				exit;
 			}
 			else
-				trigger_error('Cannot delete album: an error occured while processing the request.', E_USER_ERROR);
+				throw new Exception('Cannot delete album: an error occured while processing the request.');
 		}
 		// Editing one, then, surely.
 		else
 		{
-			$album = Tag::fromId($id_tag);
 			if ($album->kind !== 'Album')
-				trigger_error('Cannot edit album: not an album.', E_USER_ERROR);
+				throw new Exception('Cannot edit album: not an album.');
 
 			parent::__construct('Edit album \'' . $album->tag . '\'');
 			$form_title = 'Edit album \'' . $album->tag . '\'';
@@ -61,41 +68,50 @@ class EditAlbum extends HTMLController
 		elseif (!$id_tag)
 			$after_form = '<button name="submit_and_new" class="btn">Save and add another</button>';
 
-		$form = new Form([
-			'request_url' => BASEURL . '/editalbum/?' . ($id_tag ? 'id=' . $id_tag : 'add'),
-			'content_below' => $after_form,
-			'fields' => [
-				'id_parent' => [
-					'type' => 'numeric',
-					'label' => 'Parent album ID',
-				],
-				'id_asset_thumb' => [
-					'type' => 'numeric',
-					'label' => 'Thumbnail asset ID',
-					'is_optional' => true,
-				],
-				'tag' => [
-					'type' => 'text',
-					'label' => 'Album title',
-					'size' => 50,
-					'maxlength' => 255,
-				],
-				'slug' => [
-					'type' => 'text',
-					'label' => 'URL slug',
-					'size' => 50,
-					'maxlength' => 255,
-				],
-				'description' => [
-					'type' => 'textbox',
-					'label' => 'Description',
-					'size' => 50,
-					'maxlength' => 255,
-					'is_optional' => true,
-				],
+		// Gather possible parents for this album to be filed into
+		$parentChoices = [0 => '-root-'];
+		foreach (Tag::getOffset(0, 9999, 'tag', 'up', true) as $parent)
+		{
+			if (!empty($id_tag) && $parent['id_tag'] == $id_tag)
+				continue;
+
+			$parentChoices[$parent['id_tag']] = $parent['tag'];
+		}
+
+		$fields = [
+			'id_parent' => [
+				'type' => 'select',
+				'label' => 'Parent album',
+				'options' => $parentChoices,
 			],
+			'tag' => [
+				'type' => 'text',
+				'label' => 'Album title',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'slug' => [
+				'type' => 'text',
+				'label' => 'URL slug',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'description' => [
+				'type' => 'textbox',
+				'label' => 'Description',
+				'size' => 50,
+				'maxlength' => 255,
+				'is_optional' => true,
+			],
+		];
+
+		$this->form = new Form([
+			'request_url' => BASEURL . '/editalbum/?' . ($id_tag ? 'id=' . $id_tag : 'add'),
+			'buttons_extra' => $after_form,
+			'fields' => $fields,
 		]);
 
+		// Add defaults for album if none present
 		if (empty($_POST) && isset($_GET['tag']))
 		{
 			$parentTag = Tag::fromId($_GET['tag']);
@@ -108,28 +124,96 @@ class EditAlbum extends HTMLController
 				];
 			}
 		}
-
-		if (!isset($formDefaults))
-			$formDefaults = isset($album) ? get_object_vars($album) : $_POST;
+		elseif (empty($_POST) && isset($album))
+		{
+			$formDefaults = get_object_vars($album);
+		}
+		elseif (empty($_POST) && count($parentChoices) > 1)
+		{
+			// Choose the first non-root album as the default parent
+			reset($parentChoices);
+			next($parentChoices);
+			$formDefaults = ['id_parent' => key($parentChoices)];
+		}
+		else
+			$formDefaults = $_POST;
 
 		// Create the form, add in default values.
-		$form->setData($formDefaults);
-		$formview = new FormView($form, $form_title ?? '');
-		$this->page->adopt($formview);
+		$this->form->setData($formDefaults);
+		$this->formview = new FormView($this->form, $form_title ?? '');
+		$this->page->adopt($this->formview);
 
+		if (!empty($id_tag))
+		{
+			$current_page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
+
+			list($assets, $num_assets) = AssetIterator::getByOptions([
+				'direction' => 'desc',
+				'limit' => self::THUMBS_PER_PAGE,
+				'page' => $current_page,
+				'id_tag' => $id_tag,
+			], true);
+
+			// If we have asset images, show the thumbnail manager
+			if ($num_assets > 0)
+			{
+				$manager = new FeaturedThumbnailManager($assets, $id_tag ? $album->id_asset_thumb : 0);
+				$this->page->adopt($manager);
+
+				// Make a page index as needed, while we're at it.
+				if ($num_assets > self::THUMBS_PER_PAGE)
+				{
+					$index = new PageIndex([
+						'recordCount' => $num_assets,
+						'items_per_page' => self::THUMBS_PER_PAGE,
+						'start' => ($current_page - 1) * self::THUMBS_PER_PAGE,
+						'base_url' => BASEURL . '/editalbum/?id=' . $id_tag,
+						'page_slug' => '&page=%PAGE%',
+					]);
+					$manager->adopt(new PageIndexWidget($index));
+				}
+			}
+		}
+
+		if (isset($_POST['changeThumbnail']))
+			$this->processThumbnail($album);
+		elseif (!empty($_POST))
+			$this->processTagDetails($id_tag, $album ?? null);
+	}
+
+	private function processThumbnail($tag)
+	{
+		if (empty($_POST))
+			return;
+
+		$tag->id_asset_thumb = $_POST['featuredThumbnail'];
+		$tag->save();
+
+		header('Location: ' . BASEURL . '/editalbum/?id=' . $tag->id_tag);
+		exit;
+	}
+
+	private function processTagDetails($id_tag, $album)
+	{
 		if (!empty($_POST))
 		{
-			$form->verify($_POST);
+			$this->form->verify($_POST);
 
 			// Anything missing?
-			if (!empty($form->getMissing()))
-				return $formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $form->getMissing()), 'error'));
+			if (!empty($this->form->getMissing()))
+				return $this->formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $this->form->getMissing()), 'danger'));
 
-			$data = $form->getData();
+			$data = $this->form->getData();
+
+			// Sanity check: don't let an album be its own parent
+			if ($data['id_parent'] == $id_tag)
+			{
+				return $this->formview->adopt(new Alert('Invalid parent', 'An album cannot be its own parent.', 'danger'));
+			}
 
 			// Quick stripping.
-			$data['tag'] = htmlentities($data['tag']);
-			$data['description'] = htmlentities($data['description']);
+			$data['tag'] = htmlspecialchars($data['tag']);
+			$data['description'] = htmlspecialchars($data['description']);
 			$data['slug'] = strtr($data['slug'], [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '\\' => '-']);
 
 			// TODO: when updating slug, update slug for all photos in this album.
@@ -140,7 +224,7 @@ class EditAlbum extends HTMLController
 				$data['kind'] = 'Album';
 				$newTag = Tag::createNew($data);
 				if ($newTag === false)
-					return $formview->adopt(new Alert('Cannot create this album', 'Something went wrong while creating the album...', 'error'));
+					return $this->formview->adopt(new Alert('Cannot create this album', 'Something went wrong while creating the album...', 'danger'));
 
 				if (isset($_POST['submit_and_new']))
 				{

controllers/EditAsset.php

@@ -10,10 +10,6 @@ class EditAsset extends HTMLController
 {
 	public function __construct()
 	{
-		// Ensure it's just admins at this point.
-		if (!Registry::get('user')->isAdmin())
-			throw new NotAllowedException();
-
 		if (empty($_GET['id']))
 			throw new Exception('Invalid request.');
 
@@ -21,8 +17,72 @@ class EditAsset extends HTMLController
 		if (empty($asset))
 			throw new NotFoundException('Asset not found');
 
-		if (isset($_REQUEST['delete']))
-			throw new Exception('Not implemented.');
+		// Can we edit this asset?
+		$user = Registry::get('user');
+		if (!($user->isAdmin() || $asset->isOwnedBy($user)))
+			throw new NotAllowedException();
+
+		if (isset($_REQUEST['delete']) && Session::validateSession('get'))
+		{
+			$redirectUrl = BASEURL . '/' . $asset->getSubdir();
+			$asset->delete();
+
+			header('Location: ' . $redirectUrl);
+			exit;
+		}
+		else
+		{
+			$isPrioChange = isset($_REQUEST['inc_prio']) || isset($_REQUEST['dec_prio']);
+			$isCoverChange = isset($_REQUEST['album_cover'], $_REQUEST['in']);
+			$madeChanges = false;
+
+			if ($user->isAdmin() && $isPrioChange && Session::validateSession('get'))
+			{
+				if (isset($_REQUEST['inc_prio']))
+					$priority = $asset->priority + 1;
+				else
+					$priority = $asset->priority - 1;
+
+				$asset->priority = max(0, min(100, $priority));
+				$asset->save();
+				$madeChanges = true;
+			}
+			elseif ($user->isAdmin() && $isCoverChange && Session::validateSession('get'))
+			{
+				$tag = Tag::fromId($_REQUEST['in']);
+				$tag->id_asset_thumb = $asset->getId();
+				$tag->save();
+				$madeChanges = true;
+			}
+
+			if ($madeChanges)
+			{
+				if (isset($_SERVER['HTTP_REFERER']))
+					header('Location: ' . $_SERVER['HTTP_REFERER']);
+				else
+					header('Location: ' . BASEURL . '/' . $asset->getSubdir());
+				exit;
+			}
+		}
+
+		// Get a list of available photo albums
+		$allAlbums = [];
+		foreach (Tag::getOffset(0, 9999, 'tag', 'up', true) as $album)
+			$allAlbums[$album['id_tag']] = $album['tag'];
+
+		// Figure out the current album id
+		$currentAlbumId = 0;
+		$currentAlbumSlug = '';
+		$currentTags = $asset->getTags();
+		foreach ($currentTags as $tag)
+		{
+			if ($tag->kind === 'Album')
+			{
+				$currentAlbumId = $tag->id_tag;
+				$currentAlbumSlug = $tag->slug;
+				break;
+			}
+		}
 
 		if (!empty($_POST))
 		{
@@ -35,17 +95,46 @@ class EditAsset extends HTMLController
 			// Key info
 			if (isset($_POST['title'], $_POST['slug'], $_POST['date_captured'], $_POST['priority']))
 			{
-				$date_captured = !empty($_POST['date_captured']) ? new DateTime($_POST['date_captured']) : null;
-				$slug = strtr($_POST['slug'], [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '\\' => '-']);
-				$asset->setKeyData(htmlentities($_POST['title']), $slug, $date_captured, intval($_POST['priority']));
+				$asset->date_captured = !empty($_POST['date_captured']) ?
+					new DateTime(str_replace('T', ' ', $_POST['date_captured'])) : null;
+				$asset->slug = Asset::cleanSlug($_POST['slug']);
+				$asset->title = htmlspecialchars($_POST['title']);
+				$asset->priority = intval($_POST['priority']);
+				$asset->save();
+			}
+
+			// Changing parent album?
+			if ($_POST['id_album'] != $currentAlbumId)
+			{
+				$targetAlbum = Tag::fromId($_POST['id_album']);
+
+				// First move the asset, then sort out the album tag
+				if (($retCode = $asset->moveToSubDir($targetAlbum->slug)) === true)
+				{
+					if (!isset($_POST['tag']))
+						$_POST['tag'] = [];
+
+					// Unset tag for current parent album
+					if (isset($_POST['tag'][$currentAlbumId]))
+						unset($_POST['tag'][$currentAlbumId]);
+
+					// Set tag for new parent album
+					$_POST['tag'][$_POST['id_album']] = true;
+				}
+			}
+			else
+			{
+				$_POST['tag'][$currentAlbumId] = true;
 			}
 
 			// Handle tags
 			$new_tags = [];
 			if (isset($_POST['tag']) && is_array($_POST['tag']))
+			{
 				foreach ($_POST['tag'] as $id_tag => $bool)
 					if (is_numeric($id_tag))
 						$new_tags[] = $id_tag;
+			}
 
 			$current_tags = array_keys($asset->getTags());
 
@@ -88,16 +177,15 @@ class EditAsset extends HTMLController
 			header('Location: ' . BASEURL . '/editasset/?id=' . $asset->getId());
 		}
 
-		// Get list of thumbnails
-		$thumbs = $this->getThumbs($asset);
+		$page = new EditAssetForm([
+			'asset' => $asset,
+			'thumbs' => $this->getThumbs($asset),
+			'allAlbums' => $allAlbums,
+			'currentAlbumId' => $currentAlbumId,
+		]);
 
-		$page = new EditAssetForm($asset, $thumbs);
 		parent::__construct('Edit asset \'' . $asset->getTitle() . '\' (' . $asset->getFilename() . ') - ' . SITE_TITLE);
 		$this->page->adopt($page);
-
-		// Add a view button to the admin bar for photos.
-		if ($asset->isImage())
-			$this->admin_bar->appendItem($asset->getImage()->getPageUrl(), 'View this photo');
 	}
 
 	private function getThumbs(Asset $asset)

controllers/EditTag.php

@@ -8,16 +8,22 @@
 
 class EditTag extends HTMLController
 {
+	const THUMBS_PER_PAGE = 20;
+
 	public function __construct()
 	{
-		// Ensure it's just admins at this point.
-		if (!Registry::get('user')->isAdmin())
-			throw new NotAllowedException();
-
 		$id_tag = isset($_GET['id']) ? (int) $_GET['id'] : 0;
 		if (empty($id_tag) && !isset($_GET['add']))
 			throw new UnexpectedValueException('Requested tag not found or not requesting a new tag.');
 
+		if (!empty($id_tag))
+			$tag = Tag::fromId($id_tag);
+
+		// Are we allowed to edit this tag?
+		$user = Registry::get('user');
+		if (!($user->isAdmin() || $user->getUserId() == $tag->id_user_owner))
+			throw new NotAllowedException();
+
 		// Adding an tag?
 		if (isset($_GET['add']))
 		{
@@ -29,21 +35,19 @@ class EditTag extends HTMLController
 		elseif (isset($_GET['delete']))
 		{
 			// So far so good?
-			$tag = Tag::fromId($id_tag);
 			if (Session::validateSession('get') && $tag->kind !== 'Album' && $tag->delete())
 			{
 				header('Location: ' . BASEURL . '/managetags/');
 				exit;
 			}
 			else
-				trigger_error('Cannot delete tag: an error occured while processing the request.', E_USER_ERROR);
+				throw new Exception('Cannot delete tag: an error occured while processing the request.');
 		}
 		// Editing one, then, surely.
 		else
 		{
-			$tag = Tag::fromId($id_tag);
 			if ($tag->kind === 'Album')
-				trigger_error('Cannot edit tag: is actually an album.', E_USER_ERROR);
+				throw new Exception('Cannot edit tag: is actually an album.');
 
 			parent::__construct('Edit tag \'' . $tag->tag . '\'');
 			$form_title = 'Edit tag \'' . $tag->tag . '\'';
@@ -61,47 +65,51 @@ class EditTag extends HTMLController
 		elseif (!$id_tag)
 			$after_form = '<button name="submit_and_new" class="btn">Save and add another</button>';
 
-		$form = new Form([
-			'request_url' => BASEURL . '/edittag/?' . ($id_tag ? 'id=' . $id_tag : 'add'),
-			'content_below' => $after_form,
-			'fields' => [
-				'id_parent' => [
-					'type' => 'numeric',
-					'label' => 'Parent tag ID',
-				],
-				'id_asset_thumb' => [
-					'type' => 'numeric',
-					'label' => 'Thumbnail asset ID',
-					'is_optional' => true,
-				],
-				'kind' => [
-					'type' => 'select',
-					'label' => 'Kind of tag',
-					'options' => [
-						'Location' => 'Location',
-						'Person' => 'Person',
-					],
-				],
-				'tag' => [
-					'type' => 'text',
-					'label' => 'Tag title',
-					'size' => 50,
-					'maxlength' => 255,
-				],
-				'slug' => [
-					'type' => 'text',
-					'label' => 'URL slug',
-					'size' => 50,
-					'maxlength' => 255,
-				],
-				'description' => [
-					'type' => 'textbox',
-					'label' => 'Description',
-					'size' => 50,
-					'maxlength' => 255,
-					'is_optional' => true,
+		$fields = [
+			'kind' => [
+				'type' => 'select',
+				'label' => 'Kind of tag',
+				'options' => [
+					'Location' => 'Location',
+					'Person' => 'Person',
 				],
 			],
+			'id_user_owner' => [
+				'type' => 'select',
+				'label' => 'Owner',
+				'options' => [0 => '(nobody)'] + Member::getMemberMap(),
+			],
+			'tag' => [
+				'type' => 'text',
+				'label' => 'Tag title',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'slug' => [
+				'type' => 'text',
+				'label' => 'URL slug',
+				'size' => 50,
+				'maxlength' => 255,
+			],
+			'description' => [
+				'type' => 'textbox',
+				'label' => 'Description',
+				'size' => 50,
+				'maxlength' => 255,
+				'is_optional' => true,
+			],
+		];
+
+		if (!$user->isAdmin())
+		{
+			unset($fields['kind']);
+			unset($fields['id_user_owner']);
+		}
+
+		$form = new Form([
+			'request_url' => BASEURL . '/edittag/?' . ($id_tag ? 'id=' . $id_tag : 'add'),
+			'buttons_extra' => $after_form,
+			'fields' => $fields,
 		]);
 
 		// Create the form, add in default values.
@@ -109,15 +117,68 @@ class EditTag extends HTMLController
 		$formview = new FormView($form, $form_title ?? '');
 		$this->page->adopt($formview);
 
+		if (!empty($id_tag))
+		{
+			$current_page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
+
+			list($assets, $num_assets) = AssetIterator::getByOptions([
+				'direction' => 'desc',
+				'limit' => self::THUMBS_PER_PAGE,
+				'page' => $current_page,
+				'id_tag' => $id_tag,
+			], true);
+
+			// If we have asset images, show the thumbnail manager
+			if ($num_assets > 0)
+			{
+				$manager = new FeaturedThumbnailManager($assets, $id_tag ? $tag->id_asset_thumb : 0);
+				$this->page->adopt($manager);
+
+				// Make a page index as needed, while we're at it.
+				if ($num_assets > self::THUMBS_PER_PAGE)
+				{
+					$index = new PageIndex([
+						'recordCount' => $num_assets,
+						'items_per_page' => self::THUMBS_PER_PAGE,
+						'start' => ($current_page - 1) * self::THUMBS_PER_PAGE,
+						'base_url' => BASEURL . '/edittag/?id=' . $id_tag,
+						'page_slug' => '&page=%PAGE%',
+					]);
+					$manager->adopt(new PageIndexWidget($index));
+				}
+			}
+		}
+
+		if (isset($_POST['changeThumbnail']))
+			$this->processThumbnail($tag);
+		elseif (!empty($_POST))
+			$this->processTagDetails($form, $id_tag, $tag ?? null);
+	}
+
+	private function processThumbnail($tag)
+	{
+		if (empty($_POST))
+			return;
+
+		$tag->id_asset_thumb = $_POST['featuredThumbnail'];
+		$tag->save();
+
+		header('Location: ' . BASEURL . '/edittag/?id=' . $tag->id_tag);
+		exit;
+	}
+
+	private function processTagDetails($form, $id_tag, $tag)
+	{
 		if (!empty($_POST))
 		{
 			$form->verify($_POST);
 
 			// Anything missing?
 			if (!empty($form->getMissing()))
-				return $formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $form->getMissing()), 'error'));
+				return $formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $form->getMissing()), 'danger'));
 
 			$data = $form->getData();
+			$data['id_parent'] = 0;
 
 			// Quick stripping.
 			$data['slug'] = strtr($data['slug'], [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '/' => '-', '\\' => '-']);
@@ -127,7 +188,7 @@ class EditTag extends HTMLController
 			{
 				$return = Tag::createNew($data);
 				if ($return === false)
-					return $formview->adopt(new Alert('Cannot create this tag', 'Something went wrong while creating the tag...', 'error'));
+					return $formview->adopt(new Alert('Cannot create this tag', 'Something went wrong while creating the tag...', 'danger'));
 
 				if (isset($_POST['submit_and_new']))
 				{
@@ -144,8 +205,11 @@ class EditTag extends HTMLController
 				$tag->save();
 			}
 
-			// Redirect to the tag management page.
-			header('Location: ' . BASEURL . '/managetags/');
+			// Redirect to a clean page
+			if (Registry::get('user')->isAdmin())
+				header('Location: ' . BASEURL . '/managetags/');
+			else
+				header('Location: ' . BASEURL . '/edittag/?id=' . $id_tag);
 			exit;
 		}
 	}

controllers/EditUser.php

@@ -33,7 +33,7 @@ class EditUser extends HTMLController
 		{
 			// Don't be stupid.
 			if ($current_user->getUserId() == $id_user)
-				trigger_error('Sorry, I cannot allow you to delete yourself.', E_USER_ERROR);
+				throw new Exception('Sorry, I cannot allow you to delete yourself.');
 
 			// So far so good?
 			$user = Member::fromId($id_user);
@@ -43,7 +43,7 @@ class EditUser extends HTMLController
 				exit;
 			}
 			else
-				trigger_error('Cannot delete user: an error occured while processing the request.', E_USER_ERROR);
+				throw new Exception('Cannot delete user: an error occured while processing the request.');
 		}
 		// Editing one, then, surely.
 		else
@@ -69,7 +69,7 @@ class EditUser extends HTMLController
 
 		$form = new Form([
 			'request_url' => BASEURL . '/edituser/?' . ($id_user ? 'id=' . $id_user : 'add'),
-			'content_below' => $after_form,
+			'buttons_extra' => $after_form,
 			'fields' => [
 				'first_name' => [
 					'type' => 'text',
@@ -129,13 +129,13 @@ class EditUser extends HTMLController
 
 			// Anything missing?
 			if (!empty($form->getMissing()))
-				return $formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $form->getMissing()), 'error'));
+				return $formview->adopt(new Alert('Some data missing', 'Please fill out the following fields: ' . implode(', ', $form->getMissing()), 'danger'));
 
 			$data = $form->getData();
 
 			// Just to be on the safe side.
-			$data['first_name'] = htmlentities(trim($data['first_name']));
-			$data['surname'] = htmlentities(trim($data['surname']));
+			$data['first_name'] = htmlspecialchars(trim($data['first_name']));
+			$data['surname'] = htmlspecialchars(trim($data['surname']));
 			$data['emailaddress'] = trim($data['emailaddress']);
 
 			// Make sure there's a slug.
@@ -150,18 +150,18 @@ class EditUser extends HTMLController
 
 			// If it looks like an e-mail address...
 			if (!empty($data['emailaddress']) && !preg_match('~^[^ ]+@[^ ]+\.[a-z]+$~', $data['emailaddress']))
-				return $formview->adopt(new Alert('Email addresses invalid', 'The email address you entered is not a valid email address.', 'error'));
+				return $formview->adopt(new Alert('Email addresses invalid', 'The email address you entered is not a valid email address.', 'danger'));
 			// Check whether email address is already linked to an account in the database -- just not to the account we happen to be editing, of course.
 			elseif (!empty($data['emailaddress']) && Member::exists($data['emailaddress']) && !($id_user && $user->getEmailAddress() == $data['emailaddress']))
-				return $formview->adopt(new Alert('Email address already in use', 'Another account is already using the e-mail address you entered.', 'error'));
+				return $formview->adopt(new Alert('Email address already in use', 'Another account is already using the e-mail address you entered.', 'danger'));
 
 			// Setting passwords? We'll need two!
 			if (!$id_user || !empty($data['password1']) && !empty($data['password2']))
 			{
 				if (strlen($data['password1']) < 6 || !preg_match('~[^A-z]~', $data['password1']))
-					return $formview->adopt(new Alert('Password not acceptable', 'Please fill in a password that is at least six characters long and contains at least one non-alphabetic character (e.g. a number or symbol).', 'error'));
+					return $formview->adopt(new Alert('Password not acceptable', 'Please fill in a password that is at least six characters long and contains at least one non-alphabetic character (e.g. a number or symbol).', 'danger'));
 				elseif ($data['password1'] !== $data['password2'])
-					return $formview->adopt(new Alert('Passwords do not match', 'The passwords you entered do not match. Please try again.', 'error'));
+					return $formview->adopt(new Alert('Passwords do not match', 'The passwords you entered do not match. Please try again.', 'danger'));
 				else
 					$data['password'] = $data['password1'];
 
@@ -173,7 +173,7 @@ class EditUser extends HTMLController
 			{
 				$return = Member::createNew($data);
 				if ($return === false)
-					return $formview->adopt(new Alert('Cannot create this user', 'Something went wrong while creating the user...', 'error'));
+					return $formview->adopt(new Alert('Cannot create this user', 'Something went wrong while creating the user...', 'danger'));
 
 				if (isset($_POST['submit_and_new']))
 				{

controllers/HTMLController.php

@@ -12,7 +12,6 @@
 abstract class HTMLController
 {
 	protected $page;
-	protected $admin_bar;
 
 	public function __construct($title)
 	{
@@ -22,8 +21,6 @@ abstract class HTMLController
 		if (Registry::get('user')->isAdmin())
 		{
 			$this->page->appendStylesheet(BASEURL . '/css/admin.css');
-			$this->admin_bar = new AdminBar();
-			$this->page->adopt($this->admin_bar);
 		}
 	}
 

controllers/Login.php

@@ -24,7 +24,9 @@ class Login extends HTMLController
 			if (Authentication::checkPassword($_POST['emailaddress'], $_POST['password']))
 			{
 				parent::__construct('Login');
-				$_SESSION['user_id'] = Authentication::getUserId($_POST['emailaddress']);
+
+				$user = Member::fromEmailAddress($_POST['emailaddress']);
+				$_SESSION['user_id'] = $user->getUserId();
 
 				if (isset($_POST['redirect_url']))
 					header('Location: ' . base64_decode($_POST['redirect_url']));
@@ -44,7 +46,7 @@ class Login extends HTMLController
 		parent::__construct('Log in - ' . SITE_TITLE);
 		$form = new LogInForm('Log in');
 		if ($login_error)
-			$form->adopt(new Alert('', 'Invalid email address or password.', 'error'));
+			$form->adopt(new Alert('', 'Invalid email address or password.', 'danger'));
 
 		// Tried anything? Be helpful, at least.
 		if (isset($_POST['emailaddress']))

controllers/Logout.php

@@ -11,7 +11,7 @@ class Logout extends HTMLController
 	public function __construct()
 	{
 		// Clear the entire sesssion.
-		$_SESSION = [];
+		Session::clear();
 
 		// Back to the frontpage you go.
 		header('Location: ' . BASEURL);

controllers/ManageAlbums.php

@@ -18,8 +18,7 @@ class ManageAlbums extends HTMLController
 			'form' => [
 				'action' => BASEURL . '/editalbum/',
 				'method' => 'get',
-				'class' => 'floatright',
-				'buttons' => [
+				'controls' => [
 					'add' => [
 						'type' => 'submit',
 						'caption' => 'Add new album',
@@ -35,18 +34,14 @@ class ManageAlbums extends HTMLController
 				'tag' => [
 					'header' => 'Album',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/editalbum/?id={ID_TAG}',
-						'data' => 'tag',
-					],
+					'link' => BASEURL . '/editalbum/?id={ID_TAG}',
+					'value' => 'tag',
 				],
 				'slug' => [
 					'header' => 'Slug',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/editalbum/?id={ID_TAG}',
-						'data' => 'slug',
-					],
+					'link' => BASEURL . '/editalbum/?id={ID_TAG}',
+					'value' => 'slug',
 				],
 				'count' => [
 					'header' => '# Photos',
@@ -54,51 +49,20 @@ class ManageAlbums extends HTMLController
 					'value' => 'count',
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : null,
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : null,
+			'default_sort_order' => 'tag',
+			'default_sort_direction' => 'up',
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage albums',
 			'no_items_label' => 'No albums meet the requirements of the current filter.',
 			'items_per_page' => 9999,
-			'index_class' => 'floatleft',
 			'base_url' => BASEURL . '/managealbums/',
-			'get_data' => function($offset = 0, $limit = 9999, $order = '', $direction = 'up') {
-				if (!in_array($order, ['id_tag', 'tag', 'slug', 'count']))
-					$order = 'tag';
-				if (!in_array($direction, ['up', 'down']))
-					$direction = 'up';
-
-				$db = Registry::get('db');
-				$res = $db->query('
-					SELECT *
-					FROM tags
-					WHERE kind = {string:album}
-					ORDER BY id_parent, {raw:order}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'album' => 'Album',
-					]);
-
-				$albums_by_parent = [];
-				while ($row = $db->fetch_assoc($res))
-				{
-					if (!isset($albums_by_parent[$row['id_parent']]))
-						$albums_by_parent[$row['id_parent']] = [];
-
-					$albums_by_parent[$row['id_parent']][] = $row + ['children' => []];
-				}
-
-				$albums = self::getChildrenRecursively(0, 0, $albums_by_parent);
-				$rows = self::flattenChildrenRecursively($albums);
-
-				return [
-					'rows' => $rows,
-					'order' => $order,
-					'direction' => ($direction == 'up' ? 'up' : 'down'),
-				];
+			'get_data' => function($offset, $limit, $order, $direction) {
+				return Tag::getOffset($offset, $limit, $order, $direction);
 			},
 			'get_count' => function() {
-				return 9999;
+				return Tag::getCount(false, 'Album');
 			}
 		];
 
@@ -106,42 +70,4 @@ class ManageAlbums extends HTMLController
 		parent::__construct('Album management - Page ' . $table->getCurrentPage() .' - ' . SITE_TITLE);
 		$this->page->adopt(new TabularData($table));
 	}
-
-	private static function getChildrenRecursively($id_parent, $level, &$albums_by_parent)
-	{
-		$children = [];
-		if (!isset($albums_by_parent[$id_parent]))
-			return $children;
-
-		foreach ($albums_by_parent[$id_parent] as $child)
-		{
-			if (isset($albums_by_parent[$child['id_tag']]))
-				$child['children'] = self::getChildrenRecursively($child['id_tag'], $level + 1, $albums_by_parent);
-
-			$child['tag'] = ($level ? str_repeat('—', $level * 2) . ' ' : '') . $child['tag'];
-			$children[] = $child;
-		}
-
-		return $children;
-	}
-
-	private static function flattenChildrenRecursively($albums)
-	{
-		if (empty($albums))
-			return [];
-
-		$rows = [];
-		foreach ($albums as $album)
-		{
-			$rows[] = array_intersect_key($album, array_flip(['id_tag', 'tag', 'slug', 'count']));
-			if (!empty($album['children']))
-			{
-				$children = self::flattenChildrenRecursively($album['children']);
-				foreach ($children as $child)
-					$rows[] = array_intersect_key($child, array_flip(['id_tag', 'tag', 'slug', 'count']));
-			}
-		}
-
-		return $rows;
-	}
 }

controllers/ManageAssets.php

@@ -14,10 +14,57 @@ class ManageAssets extends HTMLController
 		if (!Registry::get('user')->isAdmin())
 			throw new NotAllowedException();
 
+		if (isset($_POST['deleteChecked'], $_POST['delete']) && Session::validateSession())
+			$this->handleAssetDeletion();
+
 		Session::resetSessionToken();
 
 		$options = [
+			'form' => [
+				'action' => BASEURL . '/manageassets/?' . Session::getSessionTokenKey() . '=' . Session::getSessionToken(),
+				'method' => 'post',
+				'is_embed' => true,
+				'controls' => [
+					'deleteChecked' => [
+						'type' => 'submit',
+						'caption' => 'Delete checked',
+						'class' => 'btn-danger',
+						'onclick' => 'return confirm(\'Are you sure you want to delete these items?\')',
+					],
+				],
+			],
 			'columns' => [
+				'checkbox' => [
+					'header' => '<input type="checkbox" id="selectall">',
+					'is_sortable' => false,
+					'format' => fn($row) =>
+						'<input type="checkbox" class="asset_select" name="delete[]" value="' . $row['id_asset'] . '">',
+				],
+				'thumbnail' => [
+					'header' => '&nbsp;',
+					'is_sortable' => false,
+					'cell_class' => 'text-center',
+					'format' => function($row) {
+						$asset = Image::byRow($row);
+						$width = $height = 65;
+						if ($asset->isImage())
+						{
+							if ($asset->isPortrait())
+								$width = null;
+							else
+								$height = null;
+
+							$thumb = $asset->getThumbnailUrl($width, $height);
+						}
+						else
+							$thumb = BASEURL . '/images/nothumb.svg';
+
+						$width = isset($width) ? $width . 'px' : 'auto';
+						$height = isset($height) ? $height . 'px' : 'auto';
+
+						return sprintf('<img src="%s" style="width: %s; height: %s;">', $thumb, $width, $height);
+					},
+				],
 				'id_asset' => [
 					'value' => 'id_asset',
 					'header' => 'ID',
@@ -32,69 +79,64 @@ class ManageAssets extends HTMLController
 					'value' => 'filename',
 					'header' => 'Filename',
 					'is_sortable' => true,
-					'parse' => [
-						'type' => 'value',
-						'link' => BASEURL . '/editasset/?id={ID_ASSET}',
-						'data' => 'filename',
-					],
+					'link' => BASEURL . '/editasset/?id={ID_ASSET}',
+					'value' => 'filename',
 				],
-				'title' => [
-					'header' => 'Title',
+				'id_user_uploaded' => [
+					'header' => 'User uploaded',
 					'is_sortable' => true,
-					'parse' => [
-						'type' => 'value',
-						'link' => BASEURL . '/editasset/?id={ID_ASSET}',
-						'data' => 'title',
-					],
+					'format' => function($row) {
+						if (!empty($row['id_user']))
+							return sprintf('<a href="%s/edituser/?id=%d">%s</a>', BASEURL, $row['id_user'],
+								$row['first_name'] . ' ' . $row['surname']);
+						else
+							return 'n/a';
+					},
 				],
 				'dimensions' => [
 					'header' => 'Dimensions',
 					'is_sortable' => false,
-					'parse' => [
-						'type' => 'function',
-						'data' => function($row) {
-							if (!empty($row['image_width']))
-								return $row['image_width'] . ' x ' . $row['image_height'];
-							else
-								return 'n/a';
-						},
-					],
+					'format' => function($row) {
+						if (!empty($row['image_width']))
+							return $row['image_width'] . ' x ' . $row['image_height'];
+						else
+							return 'n/a';
+					},
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : '',
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : '',
+			'default_sort_order' => 'id_asset',
+			'default_sort_direction' => 'down',
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage assets',
 			'no_items_label' => 'No assets meet the requirements of the current filter.',
 			'items_per_page' => 30,
-			'index_class' => 'pull_left',
 			'base_url' => BASEURL . '/manageassets/',
-			'get_data' => function($offset = 0, $limit = 30, $order = '', $direction = 'down') {
-				if (!in_array($order, ['id_asset', 'title', 'subdir', 'filename']))
-					$order = 'id_asset';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT id_asset, title, subdir, filename, image_width, image_height
-					FROM assets
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => $direction,
-				];
-			},
+			'get_data' => 'Asset::getOffset',
 			'get_count' => 'Asset::getCount',
 		];
 
 		$table = new GenericTable($options);
-		parent::__construct('Asset management - Page ' . $table->getCurrentPage() .'');
-		$this->page->adopt(new TabularData($table));
+		parent::__construct('Asset management - Page ' . $table->getCurrentPage());
+
+		$wrapper = new AssetManagementWrapper();
+		$this->page->adopt($wrapper);
+		$wrapper->adopt(new TabularData($table));
+	}
+
+	private function handleAssetDeletion()
+	{
+		if (!isset($_POST['delete']) || !is_array($_POST['delete']))
+			throw new UnexpectedValueException();
+
+		foreach ($_POST['delete'] as $id_asset)
+		{
+			$asset = Asset::fromId($id_asset);
+			$asset->delete();
+		}
+
+		header('Location: ' . BASEURL . '/manageassets/');
+		exit;
 	}
 }

controllers/ManageErrors.php

@@ -14,8 +14,8 @@ class ManageErrors extends HTMLController
 		if (!Registry::get('user')->isAdmin())
 			throw new NotAllowedException();
 
-		// Flushing, are we?
-		if (isset($_POST['flush']) && Session::validateSession('get'))
+		// Clearing, are we?
+		if (isset($_POST['clear']) && Session::validateSession('get'))
 		{
 			ErrorLog::flush();
 			header('Location: ' . BASEURL . '/manageerrors/');
@@ -29,35 +29,32 @@ class ManageErrors extends HTMLController
 			'form' => [
 				'action' => BASEURL . '/manageerrors/?' . Session::getSessionTokenKey() . '=' . Session::getSessionToken(),
 				'method' => 'post',
-				'class' => 'floatright',
-				'buttons' => [
-					'flush' => [
+				'controls' => [
+					'clear' => [
 						'type' => 'submit',
 						'caption' => 'Delete all',
+						'class' => 'btn-danger',
 					],
 				],
 			],
 			'columns' => [
-				'id' => [
+				'id_entry' => [
 					'value' => 'id_entry',
 					'header' => '#',
 					'is_sortable' => true,
 				],
 				'message' => [
-					'parse' => [
-						'type' => 'function',
-						'data' => function($row) {
-							return $row['message'] . '<br>' .
-								'<div><a onclick="this.parentNode.childNodes[1].style.display=\'block\';this.style.display=\'none\';">Show debug info</a>' .
-								'<pre style="display: none">' . htmlspecialchars($row['debug_info']) .
-								'</pre></div>' .
-								'<small><a href="' . BASEURL .
-									htmlspecialchars($row['request_uri']) . '">' .
-									htmlspecialchars($row['request_uri']) . '</a></small>';
-						}
-					],
 					'header' => 'Message / URL',
 					'is_sortable' => false,
+					'format' => function($row) {
+						return $row['message'] . '<br>' .
+							'<div><a onclick="this.parentNode.childNodes[1].style.display=\'block\';this.style.display=\'none\';">Show debug info</a>' .
+							'<pre style="display: none">' . htmlspecialchars($row['debug_info']) .
+							'</pre></div>' .
+							'<small><a href="' . BASEURL .
+								htmlspecialchars($row['request_uri']) . '">' .
+								htmlspecialchars($row['request_uri']) . '</a></small>';
+					},
 				],
 				'file' => [
 					'value' => 'file',
@@ -70,12 +67,10 @@ class ManageErrors extends HTMLController
 					'is_sortable' => true,
 				],
 				'time' => [
-					'parse' => [
+					'format' => [
 						'type' => 'timestamp',
-						'data' => [
-							'timestamp' => 'time',
-							'pattern' => 'long',
-						],
+						'pattern' => 'long',
+						'value' => 'time',
 					],
 					'header' => 'Time',
 					'is_sortable' => true,
@@ -88,41 +83,20 @@ class ManageErrors extends HTMLController
 				'uid' => [
 					'header' => 'UID',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'id_user',
-					],
+					'link' => BASEURL . '/edituser/?id={ID_USER}',
+					'value' => 'id_user',
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : '',
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : '',
+			'default_sort_order' => 'id_entry',
+			'default_sort_direction' => 'down',
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'no_items_label' => "No errors to display -- we're all good!",
 			'items_per_page' => 20,
-			'index_class' => 'floatleft',
 			'base_url' => BASEURL . '/manageerrors/',
 			'get_count' => 'ErrorLog::getCount',
-			'get_data' => function($offset = 0, $limit = 20, $order = '', $direction = 'down') {
-				if (!in_array($order, ['id_entry', 'file', 'line', 'time', 'ipaddress', 'id_user']))
-					$order = 'id_entry';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT *
-					FROM log_errors
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction === 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => $direction,
-				];
-			},
+			'get_data' => 'ErrorLog::getOffset',
 		];
 
 		$error_log = new GenericTable($options);

controllers/ManageTags.php

@@ -14,12 +14,13 @@ class ManageTags extends HTMLController
 		if (!Registry::get('user')->isAdmin())
 			throw new NotAllowedException();
 
+		Session::resetSessionToken();
+
 		$options = [
 			'form' => [
 				'action' => BASEURL . '/edittag/',
 				'method' => 'get',
-				'class' => 'floatright',
-				'buttons' => [
+				'controls' => [
 					'add' => [
 						'type' => 'submit',
 						'caption' => 'Add new tag',
@@ -35,23 +36,25 @@ class ManageTags extends HTMLController
 				'tag' => [
 					'header' => 'Tag',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/edittag/?id={ID_TAG}',
-						'data' => 'tag',
-					],
+					'link' => BASEURL . '/edittag/?id={ID_TAG}',
+					'value' => 'tag',
 				],
 				'slug' => [
 					'header' => 'Slug',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/edittag/?id={ID_TAG}',
-						'data' => 'slug',
-					],
+					'link' => BASEURL . '/edittag/?id={ID_TAG}',
+					'value' => 'slug',
 				],
-				'kind' => [
-					'header' => 'Kind',
+				'id_user_owner' => [
+					'header' => 'Owning user',
 					'is_sortable' => true,
-					'value' => 'kind',
+					'format' => function($row) {
+						if (!empty($row['id_user']))
+							return sprintf('<a href="%s/edituser/?id=%d">%s</a>', BASEURL, $row['id_user'],
+								$row['first_name'] . ' ' . $row['surname']);
+						else
+							return 'n/a';
+					},
 				],
 				'count' => [
 					'header' => 'Cardinality',
@@ -59,45 +62,20 @@ class ManageTags extends HTMLController
 					'value' => 'count',
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : null,
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : null,
+			'default_sort_order' => 'tag',
+			'default_sort_direction' => 'up',
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage tags',
 			'no_items_label' => 'No tags meet the requirements of the current filter.',
-			'items_per_page' => 30,
-			'index_class' => 'floatleft',
+			'items_per_page' => 9999,
 			'base_url' => BASEURL . '/managetags/',
-			'get_data' => function($offset = 0, $limit = 30, $order = '', $direction = 'up') {
-				if (!in_array($order, ['id_tag', 'tag', 'slug', 'kind', 'count']))
-					$order = 'tag';
-				if (!in_array($direction, ['up', 'down']))
-					$direction = 'up';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT *
-					FROM tags
-					WHERE kind != {string:album}
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-						'album' => 'Album',
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => ($direction == 'up' ? 'up' : 'down'),
-				];
+			'get_data' => function($offset, $limit, $order, $direction) {
+				return Tag::getOffset($offset, $limit, $order, $direction, true);
 			},
 			'get_count' => function() {
-				return Registry::get('db')->queryValue('
-					SELECT COUNT(*)
-					FROM tags
-					WHERE kind != {string:album}',
-					['album' => 'Album']);
+				return Tag::getCount(false, null, true);
 			}
 		];
 

controllers/ManageUsers.php

@@ -14,12 +14,13 @@ class ManageUsers extends HTMLController
 		if (!Registry::get('user')->isAdmin())
 			throw new NotAllowedException();
 
+		Session::resetSessionToken();
+
 		$options = [
 			'form' => [
 				'action' => BASEURL . '/edituser/',
 				'method' => 'get',
-				'class' => 'floatright',
-				'buttons' => [
+				'controls' => [
 					'add' => [
 						'type' => 'submit',
 						'caption' => 'Add new user',
@@ -35,26 +36,20 @@ class ManageUsers extends HTMLController
 				'surname' => [
 					'header' => 'Last name',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'surname',
-					],
+					'link' => BASEURL . '/edituser/?id={ID_USER}',
+					'value' => 'surname',
 				],
 				'first_name' => [
 					'header' => 'First name',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'first_name',
-					],
+					'link' => BASEURL . '/edituser/?id={ID_USER}',
+					'value' => 'first_name',
 				],
 				'slug' => [
 					'header' => 'Slug',
 					'is_sortable' => true,
-					'parse' => [
-						'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'slug',
-					],
+					'link' => BASEURL . '/edituser/?id={ID_USER}',
+					'value' => 'slug',
 				],
 				'emailaddress' => [
 					'value' => 'emailaddress',
@@ -62,12 +57,11 @@ class ManageUsers extends HTMLController
 					'is_sortable' => true,
 				],
 				'last_action_time' => [
-					'parse' => [
+					'format' => [
 						'type' => 'timestamp',
-						'data' => [
-							'timestamp' => 'last_action_time',
-							'pattern' => 'long',
-						],
+						'pattern' => 'long',
+						'value' => 'last_action_time',
+						'if_null' => 'n/a',
 					],
 					'header' => 'Last activity',
 					'is_sortable' => true,
@@ -80,48 +74,20 @@ class ManageUsers extends HTMLController
 				'is_admin' => [
 					'is_sortable' => true,
 					'header' => 'Admin?',
-					'parse' => [
-						'type' => 'function',
-						'data' => function($row) {
-							return $row['is_admin'] ? 'yes' : 'no';
-						}
-					],
+					'format' => fn($row) => $row['is_admin'] ? 'yes' : 'no',
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : '',
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : '',
+			'default_sort_order' => 'id_user',
+			'default_sort_direction' => 'down',
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage users',
 			'no_items_label' => 'No users meet the requirements of the current filter.',
 			'items_per_page' => 30,
-			'index_class' => 'floatleft',
 			'base_url' => BASEURL . '/manageusers/',
-			'get_data' => function($offset = 0, $limit = 30, $order = '', $direction = 'down') {
-				if (!in_array($order, ['id_user', 'surname', 'first_name', 'slug', 'emailaddress', 'last_action_time', 'ip_address', 'is_admin']))
-					$order = 'id_user';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT *
-					FROM users
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => $direction,
-				];
-			},
-			'get_count' => function() {
-				return Registry::get('db')->queryValue('
-					SELECT COUNT(*)
-					FROM users');
-			}
+			'get_data' => 'Member::getOffset',
+			'get_count' => 'Member::getCount',
 		];
 
 		$table = new GenericTable($options);

controllers/ProvideAutoSuggest.php

@@ -57,7 +57,7 @@ class ProvideAutoSuggest extends JSONController
 			return;
 		}
 
-		$label = htmlentities(trim($_REQUEST['tag']));
+		$label = htmlspecialchars(trim($_REQUEST['tag']));
 		$slug = strtr($label, [' ' => '-']);
 		$tag = Tag::createNew([
 			'tag' => $label,

controllers/ResetPassword.php

@@ -16,66 +16,94 @@ class ResetPassword extends HTMLController
 
 		// Verifying an existing reset key?
 		if (isset($_GET['step'], $_GET['email'], $_GET['key']) && $_GET['step'] == 2)
-		{
-			$email = rawurldecode($_GET['email']);
-			$id_user = Authentication::getUserid($email);
-			if ($id_user === false)
-				throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.');
-
-			$key = $_GET['key'];
-			if (!Authentication::checkResetKey($id_user, $key))
-				throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.');
-
-			parent::__construct('Reset password - ' . SITE_TITLE);
-			$form = new PasswordResetForm($email, $key);
-			$this->page->adopt($form);
-
-			// Are they trying to set something already?
-			if (isset($_POST['password1'], $_POST['password2']))
-			{
-				$missing = [];
-		 		if (strlen($_POST['password1']) < 6 || !preg_match('~[^A-z]~', $_POST['password1']))
-		 			$missing[] = 'Please fill in a password that is at least six characters long and contains at least one non-alphabetic character (e.g. a number or symbol).';
-				if ($_POST['password1'] != $_POST['password2'])
-					$missing[] = 'The passwords you entered do not match.';
-
-				// So, are we good to go?
-				if (empty($missing))
-				{
-					Authentication::updatePassword($id_user, Authentication::computeHash($_POST['password1']));
-					$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
-					header('Location: ' . BASEURL . '/login/');
-					exit;
-				}
-				else
-					$form->adopt(new Alert('Some fields require your attention', '<ul><li>' . implode('</li><li>', $missing) . '</li></ul>', 'error'));
-		 	}
-		}
+			$this->verifyResetKey();
 		else
+			$this->requestResetKey();
+	}
+
+	private function requestResetKey()
+	{
+		parent::__construct('Reset password - ' . SITE_TITLE);
+		$form = new ForgotPasswordForm();
+		$this->page->adopt($form);
+
+		// Have they submitted an email address yet?
+		if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
 		{
-			parent::__construct('Reset password - ' . SITE_TITLE);
-			$form = new ForgotPasswordForm();
-			$this->page->adopt($form);
-
-			// Have they submitted an email address yet?
-			if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
+			$user = Member::fromEmailAddress($_POST['emailaddress']);
+			if (!$user)
 			{
-				$id_user = Authentication::getUserid(trim($_POST['emailaddress']));
-				if ($id_user === false)
-				{
-					$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'error'));
-					return;
-				}
-
-				Authentication::setResetKey($id_user);
-				Email::resetMail($id_user);
-
-				// Show the success message
-				$this->page->clear();
-				$box = new DummyBox('An email has been sent');
-				$box->adopt(new Alert('', 'We have sent an email to ' . $_POST['emailaddress'] . ' containing details on how to reset your password.', 'success'));
-				$this->page->adopt($box);
+				$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger'));
+				return;
 			}
+
+			if (Authentication::getResetTimeOut($user->getUserId()) > 0)
+			{
+				// Update the reset time-out to prevent hammering
+				$resetTimeOut = Authentication::updateResetTimeOut($user->getUserId());
+
+				// Present it to the user in a readable way
+				if ($resetTimeOut > 3600)
+					$timeOut = sprintf('%d hours', ceil($resetTimeOut / 3600));
+				elseif ($resetTimeOut > 60)
+					$timeOut = sprintf('%d minutes', ceil($resetTimeOut / 60));
+				else
+					$timeOut = sprintf('%d seconds', $resetTimeOut);
+
+				$form->adopt(new Alert('Password reset token already sent', 'We already sent a password reset token to this email address recently. ' .
+					'If no email was received, please wait ' . $timeOut . ' to try again.', 'error'));
+				return;
+			}
+
+			Authentication::setResetKey($user->getUserId());
+			Email::resetMail($user->getUserId());
+
+			// Show the success message
+			$this->page->clear();
+			$box = new DummyBox('An email has been sent');
+			$box->adopt(new Alert('', 'We have sent an email to ' . $_POST['emailaddress'] . ' containing details on how to reset your password.', 'success'));
+			$this->page->adopt($box);
+		}
+	}
+
+	private function verifyResetKey()
+	{
+		$email = rawurldecode($_GET['email']);
+		$user = Member::fromEmailAddress($email);
+		if (!$user)
+			throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.');
+
+		$key = $_GET['key'];
+		if (!Authentication::checkResetKey($user->getUserId(), $key))
+			throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.');
+
+		parent::__construct('Reset password - ' . SITE_TITLE);
+		$form = new PasswordResetForm($email, $key);
+		$this->page->adopt($form);
+
+		// Are they trying to set something already?
+		if (isset($_POST['password1'], $_POST['password2']))
+		{
+			$missing = [];
+			if (strlen($_POST['password1']) < 6 || !preg_match('~[^A-z]~', $_POST['password1']))
+				$missing[] = 'Please fill in a password that is at least six characters long and contains at least one non-alphabetic character (e.g. a number or symbol).';
+			if ($_POST['password1'] != $_POST['password2'])
+				$missing[] = 'The passwords you entered do not match.';
+
+			// So, are we good to go?
+			if (empty($missing))
+			{
+				Authentication::updatePassword($user->getUserId(), Authentication::computeHash($_POST['password1']));
+
+				// Consume token, ensuring it isn't used again
+				Authentication::consumeResetKey($user->getUserId());
+
+				$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
+				header('Location: ' . BASEURL . '/login/');
+				exit;
+			}
+			else
+				$form->adopt(new Alert('Some fields require your attention', '<ul><li>' . implode('</li><li>', $missing) . '</li></ul>', 'danger'));
 		}
 	}
 }

controllers/UploadMedia.php

@@ -33,21 +33,20 @@ class UploadMedia extends HTMLController
 				if (empty($uploaded_file))
 					continue;
 
-				// DIY slug club.
-				$slug = $tag->slug . '/' . strtr($uploaded_file['name'], [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '\\' => '-']);
-
 				$asset = Asset::createNew([
 					'filename_to_copy' => $uploaded_file['tmp_name'],
 					'preferred_filename' => $uploaded_file['name'],
 					'preferred_subdir' => $tag->slug,
-					'slug' => $slug,
 				]);
 
 				$new_ids[] = $asset->getId();
 				$asset->linkTags([$tag->id_tag]);
 
-				$tag->id_asset_thumb = $asset->getId();
-				$tag->save();
+				if (empty($tag->id_asset_thumb))
+				{
+					$tag->id_asset_thumb = $asset->getId();
+					$tag->save();
+				}
 			}
 
 			if (isset($_REQUEST['format']) && $_REQUEST['format'] === 'json')

controllers/ViewPeople.php

@@ -52,8 +52,9 @@ class ViewPeople extends HTMLController
 			'start' => $start,
 			'base_url' => BASEURL . '/people/',
 			'page_slug' => 'page/%PAGE%/',
+			'index_class' => 'pagination-lg mt-5 justify-content-around justify-content-lg-center',
 		]);
-		$this->page->adopt(new Pagination($pagination));
+		$this->page->adopt(new PageIndexWidget($pagination));
 
 		$this->page->setCanonicalUrl(BASEURL . '/people/' . ($page > 1 ? 'page/' . $page . '/' : ''));
 	}

controllers/ViewPhoto.php

@@ -8,6 +8,8 @@
 
 class ViewPhoto extends HTMLController
 {
+	private Image $photo;
+
 	public function __construct()
 	{
 		// Ensure we're logged in at this point.
@@ -19,74 +21,48 @@ class ViewPhoto extends HTMLController
 		if (empty($photo))
 			throw new NotFoundException();
 
-		parent::__construct($photo->getTitle() . ' - ' . SITE_TITLE);
+		$this->photo = $photo->getImage();
 
-		$author = $photo->getAuthor();
+		Session::resetSessionToken();
 
-		if (isset($_REQUEST['confirm_delete']) || isset($_REQUEST['delete_confirmed']))
-			$this->handleConfirmDelete($user, $author, $photo);
-		else
-			$this->handleViewPhoto($user, $author, $photo);
+		parent::__construct($this->photo->getTitle() . ' - ' . SITE_TITLE);
 
-		// Add an edit button to the admin bar.
-		if ($user->isAdmin())
-			$this->admin_bar->appendItem(BASEURL . '/editasset/?id=' . $photo->getId(), 'Edit this photo');
-	}
-
-	private function handleConfirmDelete(User $user, User $author, Asset $photo)
-	{
-		if (!($user->isAdmin() || $user->getUserId() === $author->getUserId()))
-			throw new NotAllowedException();
-
-		if (isset($_REQUEST['confirm_delete']))
-		{
-			$page = new ConfirmDeletePage($photo->getImage());
-			$this->page->adopt($page);
-		}
-		else if (isset($_REQUEST['delete_confirmed']))
-		{
-			$album_url = $photo->getSubdir();
-			$photo->delete();
-
-			header('Location: ' . BASEURL . '/' . $album_url);
-			exit;
-		}
-	}
-
-	private function handleViewPhoto(User $user, User $author, Asset $photo)
-	{
 		if (!empty($_POST))
-			$this->handleTagging($photo->getImage());
+			$this->handleTagging();
+		else
+			$this->handleViewPhoto();
+	}
 
-		$page = new PhotoPage($photo->getImage());
+	private function handleViewPhoto()
+	{
+		$page = new PhotoPage($this->photo);
 
-		// Exif data?
-		$exif = EXIF::fromFile($photo->getFullPath());
-		if ($exif)
-			$page->setExif($exif);
+		// Any (EXIF) meta data?
+		$metaData = $this->prepareMetaData();
+		$page->setMetaData($metaData);
 
 		// What tag are we browsing?
 		$tag = isset($_GET['in']) ? Tag::fromId($_GET['in']) : null;
-		$id_tag = isset($tag) ? $tag->id_tag : null;
+		if (isset($tag))
+			$page->setTag($tag);
 
-		// Find previous photo in set.
-		$previous_url = $photo->getUrlForPreviousInSet($id_tag);
-		if ($previous_url)
-			$page->setPreviousPhotoUrl($previous_url);
+		// Keeping tabs on a filter?
+		if (isset($_GET['by']))
+		{
+			// Let's first verify that the filter is valid
+			$user = Member::fromSlug($_GET['by']);
+			if (!$user)
+				throw new UnexpectedValueException('Invalid filter for this album or tag.');
 
-		// ... and the next photo, too.
-		$next_url = $photo->getUrlForNextInSet($id_tag);
-		if ($next_url)
-			$page->setNextPhotoUrl($next_url);
-
-		if ($user->isAdmin() || $user->getUserId() === $author->getUserId())
-			$page->setIsAssetOwner(true);
+			// Alright, let's run with it then
+			$page->setActiveFilter($user->getSlug());
+		}
 
 		$this->page->adopt($page);
-		$this->page->setCanonicalUrl($photo->getPageUrl());
+		$this->page->setCanonicalUrl($this->photo->getPageUrl());
 	}
 
-	private function handleTagging(Image $photo)
+	private function handleTagging()
 	{
 		header('Content-Type: text/json; charset=utf-8');
 
@@ -100,7 +76,7 @@ class ViewPhoto extends HTMLController
 		// We are!
 		if (!isset($_POST['delete']))
 		{
-			$photo->linkTags([(int) $_POST['id_tag']]);
+			$this->photo->linkTags([(int) $_POST['id_tag']]);
 			echo json_encode(['success' => true]);
 			exit;
 		}
@@ -108,9 +84,43 @@ class ViewPhoto extends HTMLController
 		// ... deleting, that is.
 		else
 		{
-			$photo->unlinkTags([(int) $_POST['id_tag']]);
+			$this->photo->unlinkTags([(int) $_POST['id_tag']]);
 			echo json_encode(['success' => true]);
 			exit;
 		}
 	}
+
+	private function prepareMetaData()
+	{
+		if (!($exif = EXIF::fromFile($this->photo->getFullPath())))
+			throw new UnexpectedValueException('Photo file not found!');
+
+		$metaData = [];
+
+		if (!empty($exif->created_timestamp))
+			$metaData['Date Taken'] = date("j M Y, H:i:s", $exif->created_timestamp);
+
+		if ($author = $this->photo->getAuthor())
+			$metaData['Uploaded by'] = $author->getfullName();
+
+		if (!empty($exif->camera))
+			$metaData['Camera Model'] = $exif->camera;
+
+		if (!empty($exif->shutter_speed))
+			$metaData['Shutter Speed'] = $exif->shutterSpeedFraction();
+
+		if (!empty($exif->aperture))
+			$metaData['Aperture'] = 'f/' . number_format($exif->aperture, 1);
+
+		if (!empty($exif->focal_length))
+			$metaData['Focal Length'] = $exif->focal_length . ' mm';
+
+		if (!empty($exif->iso))
+			$metaData['ISO Speed'] = $exif->iso;
+
+		if (!empty($exif->software))
+			$metaData['Software'] = $exif->software;
+
+		return $metaData;
+	}
 }

controllers/ViewPhotoAlbum.php

@@ -26,80 +26,92 @@ class ViewPhotoAlbum extends HTMLController
 			$tag = Tag::fromSlug($_GET['tag']);
 			$id_tag = $tag->id_tag;
 			$title = $tag->tag;
-			$description = !empty($tag->description) ? $tag->description : '';
-
-			// Can we go up a level?
-			if ($tag->id_parent != 0)
-			{
-				$ptag = Tag::fromId($tag->id_parent);
-				$back_link = BASEURL . '/' . (!empty($ptag->slug) ? $ptag->slug . '/' : '');
-				$back_link_title = 'Back to "' . $ptag->tag . '"';
-			}
-			elseif ($tag->kind === 'Person')
-			{
-				$back_link = BASEURL . '/people/';
-				$back_link_title = 'Back to "People"';
-				$is_person = true;
-			}
-
-			$header_box = new AlbumHeaderBox($title, $description, $back_link, $back_link_title);
+			$header_box = $this->getHeaderBox($tag);
 		}
 		// View the album root.
 		else
 		{
 			$id_tag = 1;
+			$tag = Tag::fromId($id_tag);
 			$title = 'Albums';
 		}
 
 		// What page are we at?
-		$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
+		$current_page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
 
-		parent::__construct($title . ' - Page ' . $page . ' - ' . SITE_TITLE);
+		parent::__construct($title . ' - Page ' . $current_page . ' - ' . SITE_TITLE);
 		if (isset($header_box))
 			$this->page->adopt($header_box);
 
-		// Can we do fancy things here?
-		// !!! TODO: permission system?
-		$buttons = [];
+		// Who contributed to this album?
+		$contributors = $tag->getContributorList();
 
-		if (Registry::get('user')->isLoggedIn())
+		// Enumerate possible filters
+		$filters = [];
+		if (!empty($contributors))
 		{
-			$buttons[] = [
-				'url' => BASEURL . '/download/?tag=' . $id_tag,
-				'caption' => 'Download this album',
-			];
+			$filters[''] = ['id_user' => null, 'label' => '', 'caption' => 'All photos',
+				'link' => $tag->getUrl()];
 
-			$buttons[] = [
-				'url' => BASEURL . '/uploadmedia/?tag=' . $id_tag,
-				'caption' => 'Upload new photos here',
-			];
+			foreach ($contributors as $contributor)
+			{
+				$filters[$contributor['slug']] = [
+					'id_user' => $contributor['id_user'],
+					'label' => $contributor['first_name'],
+					'caption' => sprintf('By %s (%s photos)',
+						$contributor['first_name'], $contributor['num_assets']),
+					'link' => $tag->getUrl() . '?by=' . $contributor['slug'],
+				];
+			}
 		}
-		if (Registry::get('user')->isAdmin())
-			$buttons[] = [
-				'url' => BASEURL . '/addalbum/?tag=' . $id_tag,
-				'caption' => 'Create new subalbum here',
-			];
 
-		// Enough actions for a button box?
-		if (!empty($buttons))
-			$this->page->adopt(new AlbumButtonBox($buttons));
+		// Limit to a particular uploader?
+		$active_filter = '';
+		$id_user_uploaded = null;
+		if (!empty($_GET['by']))
+		{
+			if (!isset($filters[$_GET['by']]))
+				throw new UnexpectedValueException('Invalid filter for this album or tag.');
+
+			$active_filter = $_GET['by'];
+			$id_user_uploaded = $filters[$active_filter]['id_user'];
+			$filters[$active_filter]['is_active'] = true;
+		}
+
+		// Add an interface to query and modify the album/tag
+		$buttons = $this->getAlbumButtons($tag, $active_filter);
+		$button_strip = new AlbumButtonBox($buttons, $filters, $active_filter);
+		$this->page->adopt($button_strip);
 
 		// Fetch subalbums, but only if we're on the first page.
-		if ($page === 1)
+		if ($current_page === 1)
 		{
 			$albums = $this->getAlbums($id_tag);
 			$index = new AlbumIndex($albums);
 			$this->page->adopt($index);
 		}
 
+		// Are we viewing a person tag?
+		$is_person = $tag->kind === 'Person';
+
 		// Load a photo mosaic for the current tag.
-		list($mosaic, $total_count) = $this->getPhotoMosaic($id_tag, $page, !isset($is_person));
+		list($mosaic, $total_count) = $this->getPhotoMosaic($id_tag, $id_user_uploaded, $current_page, !$is_person);
 		if (isset($mosaic))
 		{
 			$index = new PhotosIndex($mosaic, Registry::get('user')->isAdmin());
 			$this->page->adopt($index);
-			if ($id_tag > 1)
-				$index->setUrlSuffix('?in=' . $id_tag);
+
+			$url_params = [];
+			if (isset($tag))
+				$url_params['in'] = $tag->id_tag;
+			if (!empty($active_filter))
+				$url_params['by'] = $active_filter;
+
+			$url_suffix = http_build_query($url_params);
+			$index->setUrlSuffix('?' . $url_suffix);
+
+			$menu_items = $this->getEditMenuItems('&' . $url_suffix);
+			$index->setEditMenuItems($menu_items);
 		}
 
 		// Make a page index as needed, while we're at it.
@@ -108,23 +120,24 @@ class ViewPhotoAlbum extends HTMLController
 			$index = new PageIndex([
 				'recordCount' => $total_count,
 				'items_per_page' => self::PER_PAGE,
-				'start' => (isset($_GET['page']) ? $_GET['page'] - 1 : 0) * self::PER_PAGE,
-				'base_url' => BASEURL . '/' . (isset($_GET['tag']) ? $_GET['tag'] . '/' : ''),
-				'page_slug' => 'page/%PAGE%/',
+				'start' => ($current_page - 1) * self::PER_PAGE,
+				'base_url' => $tag->getUrl(),
+				'page_slug' => 'page/%PAGE%/' . (!empty($active_filter) ? '?by=' . $active_filter : ''),
+				'index_class' => 'pagination-lg justify-content-around justify-content-lg-center',
 			]);
-			$this->page->adopt(new Pagination($index));
+			$this->page->adopt(new PageIndexWidget($index));
 		}
 
 		// Set the canonical url.
-		$this->page->setCanonicalUrl(BASEURL . '/' . (isset($_GET['tag']) ? $_GET['tag'] . '/' : '') .
-			($page > 1 ? 'page/' . $page . '/' : ''));
+		$this->page->setCanonicalUrl($tag->getUrl() . ($current_page > 1 ? 'page/' . $current_page . '/' : ''));
 	}
 
-	public function getPhotoMosaic($id_tag, $page, $sort_linear)
+	public function getPhotoMosaic($id_tag, $id_user_uploaded, $page, $sort_linear)
 	{
 		// Create an iterator.
 		list($this->iterator, $total_count) = AssetIterator::getByOptions([
 			'id_tag' => $id_tag,
+			'id_user_uploaded' => $id_user_uploaded,
 			'order' => 'date_captured',
 			'direction' => $sort_linear ? 'asc' : 'desc',
 			'limit' => self::PER_PAGE,
@@ -156,16 +169,124 @@ class ViewPhotoAlbum extends HTMLController
 				'id_tag' => $album['id_tag'],
 				'caption' => $album['tag'],
 				'link' => BASEURL . '/' . $album['slug'] . '/',
-				'thumbnail' => !empty($album['id_asset_thumb']) ? $assets[$album['id_asset_thumb']]->getImage() : null,
+				'thumbnail' => !empty($album['id_asset_thumb']) && isset($assets[$album['id_asset_thumb']])
+					? $assets[$album['id_asset_thumb']]->getImage() : null,
 			];
 		}
 
 		return $albums;
 	}
 
-	public function __destruct()
+	private function getAlbumButtons(Tag $tag, $active_filter)
 	{
-		if (isset($this->iterator))
-			$this->iterator->clean();
+		$buttons = [];
+		$user = Registry::get('user');
+
+		if ($user->isLoggedIn())
+		{
+			$suffix = !empty($active_filter) ? '&by=' . $active_filter : '';
+			$buttons[] = [
+				'url' => BASEURL . '/download/?tag=' . $tag->id_tag . $suffix,
+				'caption' => 'Download album',
+			];
+		}
+
+		if ($tag->id_parent != 0)
+		{
+			if ($tag->kind === 'Album')
+			{
+				$buttons[] = [
+					'url' => BASEURL . '/uploadmedia/?tag=' . $tag->id_tag,
+					'caption' => 'Upload photos here',
+				];
+			}
+
+			if ($user->isAdmin())
+			{
+				if ($tag->kind === 'Album')
+				{
+					$buttons[] = [
+						'url' => BASEURL . '/editalbum/?id=' . $tag->id_tag,
+						'caption' => 'Edit album',
+					];
+				}
+				elseif ($tag->kind === 'Person')
+				{
+					$buttons[] = [
+						'url' => BASEURL . '/edittag/?id=' . $tag->id_tag,
+						'caption' => 'Edit tag',
+					];
+				}
+			}
+		}
+
+		if ($user->isAdmin() && (!isset($tag) || $tag->kind === 'Album'))
+		{
+			$buttons[] = [
+				'url' => BASEURL . '/addalbum/?tag=' . $tag->id_tag,
+				'caption' => 'Create subalbum',
+			];
+		}
+
+		return $buttons;
+	}
+
+	private function getEditMenuItems($url_suffix)
+	{
+		$items = [];
+		$sess = '&' . Session::getSessionTokenKey() . '=' . Session::getSessionToken();
+
+		if (Registry::get('user')->isLoggedIn())
+		{
+			$items[] = [
+				'label' => 'Edit image',
+				'uri' => fn($image) => $image->getEditUrl() . $url_suffix,
+			];
+
+			$items[] = [
+				'label' => 'Delete image',
+				'uri' => fn($image) => $image->getDeleteUrl() . $url_suffix . $sess,
+				'onclick' => 'return confirm(\'Are you sure you want to delete this image?\');',
+			];
+		}
+
+		if (Registry::get('user')->isAdmin())
+		{
+			$items[] = [
+				'label' => 'Make album cover',
+				'uri' => fn($image) => $image->getEditUrl() . $url_suffix . '&album_cover' . $sess,
+			];
+
+			$items[] = [
+				'label' => 'Increase priority',
+				'uri' => fn($image) => $image->getEditUrl() . $url_suffix . '&inc_prio' . $sess,
+			];
+
+			$items[] = [
+				'label' => 'Decrease priority',
+				'uri' => fn($image) => $image->getEditUrl() . $url_suffix . '&dec_prio' . $sess,
+			];
+		}
+
+		return $items;
+	}
+
+	private function getHeaderBox(Tag $tag)
+	{
+		// Can we go up a level?
+		if ($tag->id_parent != 0)
+		{
+			$ptag = Tag::fromId($tag->id_parent);
+			$back_link = BASEURL . '/' . (!empty($ptag->slug) ? $ptag->slug . '/' : '');
+			$back_link_title = 'Back to "' . $ptag->tag . '"';
+		}
+		elseif ($tag->kind === 'Person')
+		{
+			$back_link = BASEURL . '/people/';
+			$back_link_title = 'Back to "People"';
+		}
+
+		$description = !empty($tag->description) ? $tag->description : '';
+		return new AlbumHeaderBox($tag->tag, $description, $back_link, $back_link_title);
 	}
 }

controllers/ViewTimeline.php

@@ -46,17 +46,12 @@ class ViewTimeline extends HTMLController
 				'start' => (isset($_GET['page']) ? $_GET['page'] - 1 : 0) * self::PER_PAGE,
 				'base_url' => BASEURL . '/timeline/',
 				'page_slug' => 'page/%PAGE%/',
+				'index_class' => 'pagination-lg justify-content-around justify-content-lg-center',
 			]);
-			$this->page->adopt(new Pagination($index));
+			$this->page->adopt(new PageIndexWidget($index));
 		}
 
 		// Set the canonical url.
 		$this->page->setCanonicalUrl(BASEURL . '/timeline/');
 	}
-
-	public function __destruct()
-	{
-		if (isset($this->iterator))
-			$this->iterator->clean();
-	}
 }

import_albums.php

@@ -1,319 +0,0 @@
-<?php
-/*****************************************************************************
- * import_albums.php
- * Imports albums from a Gallery 3 database.
- *
- * Kabuki CMS (C) 2013-2016, Aaron van Geffen
- *****************************************************************************/
-
-// Include the project's configuration.
-require_once 'config.php';
-
-// Set up the autoloader.
-require_once 'vendor/autoload.php';
-
-// Initialise the database.
-$db = new Database(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
-$pdb = new Database(DB_SERVER, DB_USER, DB_PASS, "hashru_gallery");
-Registry::set('db', $db);
-
-// Do some authentication checks.
-Session::start();
-Registry::set('user', Authentication::isLoggedIn() ? Member::fromId($_SESSION['user_id']) : new Guest());
-
-// Enable debugging.
-//set_error_handler('ErrorHandler::handleError');
-ini_set("display_errors", DEBUG ? "On" : "Off");
-
-/*******************************
- * STEP 0: USERS
- *******************************/
-
-$num_users = $pdb->queryValue('
-	SELECT COUNT(*)
-	FROM users');
-
-echo $num_users, ' users to import.', "\n";
-
-$rs_users = $pdb->query('
-	SELECT id, name, full_name, password, last_login, email, admin
-	FROM users
-	WHERE id > 1
-	ORDER BY id ASC');
-
-$old_user_id_to_new_user_id = [];
-
-while ($user = $pdb->fetch_assoc($rs_users))
-{
-	// Check whether a user already exists for this e-mail address.
-	if (!($id_user = Authentication::getUserId($user['email'])))
-	{
-		$bool = $db->insert('insert', 'users', [
-			'first_name' => 'string-30',
-			'surname' => 'string-60',
-			'slug' => 'string-90',
-			'emailaddress' => 'string-255',
-			'password_hash' => 'string-255',
-			'creation_time' => 'int',
-			'last_action_time' => 'int',
-			'ip_address' => 'string-15',
-			'is_admin' => 'int',
-		], [
-			'first_name' => substr($user['full_name'], 0, strpos($user['full_name'], ' ')),
-			'surname' => substr($user['full_name'], strpos($user['full_name'], ' ') + 1),
-			'slug' => $user['name'],
-			'emailaddress' => $user['email'],
-			'password_hash' => $user['password'],
-			'creation_time' => 0,
-			'last_action_time' => $user['last_login'],
-			'ip_address' => '0.0.0.0',
-			'is_admin' => $user['admin'],
-		], ['id_user']);
-
-		if ($bool)
-			$id_user = $db->insert_id();
-		else
-			die("User creation failed!");
-	}
-
-	$old_user_id_to_new_user_id[$user['id']] = $id_user;
-}
-
-$pdb->free_result($rs_users);
-
-/*******************************
- * STEP 1: ALBUMS
- *******************************/
-
-$num_albums = $pdb->queryValue('
-	SELECT COUNT(*)
-	FROM items
-	WHERE type = {string:album}
-	ORDER BY id ASC',
-	['album' => 'album']);
-
-echo $num_albums, ' albums to import.', "\n";
-
-$albums = $pdb->query('
-	SELECT id, album_cover_item_id, parent_id, title, description, relative_path_cache, relative_url_cache
-	FROM items
-	WHERE type = {string:album}
-	ORDER BY id ASC',
-	['album' => 'album']);
-
-$tags = [];
-$old_album_id_to_new_tag_id = [];
-$dirnames_by_old_album_id = [];
-$old_thumb_id_by_tag_id = [];
-
-while ($album = $pdb->fetch_assoc($albums))
-{
-	$tag = Tag::createNew([
-		'tag' => $album['title'],
-		'slug' => $album['relative_url_cache'],
-		'kind' => 'Album',
-		'description' => $album['description'],
-	]);
-
-	if (!empty($album['parent_id']))
-		$parent_to_set[$tag->id_tag] = $album['parent_id'];
-
-	$tags[$tag->id_tag] = $tag;
-	$old_album_id_to_new_tag_id[$album['id']] = $tag->id_tag;
-	$dirnames_by_old_album_id[$album['id']] = str_replace('#', '', urldecode($album['relative_path_cache']));
-	$old_thumb_id_by_tag_id[$tag->id_tag] = $album['album_cover_item_id'];
-}
-
-$pdb->free_result($albums);
-
-foreach ($parent_to_set as $id_tag => $old_album_id)
-{
-	$id_parent = $old_album_id_to_new_tag_id[$old_album_id];
-	$db->query('
-		UPDATE tags
-		SET id_parent = ' . $id_parent . '
-		WHERE id_tag = ' . $id_tag);
-}
-
-unset($parent_to_set);
-
-/*******************************
- * STEP 2: PHOTOS
- *******************************/
-
-$num_photos = $pdb->queryValue('
-	SELECT COUNT(*)
-	FROM items
-	WHERE type = {string:photo}',
-	['photo' => "photo"]);
-
-echo $num_photos, " photos to import.\n";
-
-$old_photo_id_to_asset_id = [];
-for ($i = 0; $i < $num_photos; $i += 50)
-{
-	echo 'Offset ' . $i . "...\n";
-
-	$photos = $pdb->query('
-		SELECT id, owner_id, parent_id, captured, created, name, title, description, relative_url_cache, width, height, mime_type, weight
-		FROM items
-		WHERE type = {string:photo}
-		ORDER BY id ASC
-		LIMIT ' . $i . ', 50',
-		['photo' => 'photo']);
-
-	while ($photo = $pdb->fetch_assoc($photos))
-	{
-		$res = $db->query('
-			INSERT INTO assets
-			(id_user_uploaded, subdir, filename, title, slug, mimetype, image_width, image_height, date_captured, priority)
-			VALUES
-			({int:id_user_uploaded}, {string:subdir}, {string:filename}, {string:title}, {string:slug}, {string:mimetype},
-			 {int:image_width}, {int:image_height},
-			 IF({int:date_captured} > 0, FROM_UNIXTIME({int:date_captured}), NULL),
-			 {int:priority})',
-			[
-				'id_user_uploaded' => $old_user_id_to_new_user_id[$photo['owner_id']],
-				'subdir' => $dirnames_by_old_album_id[$photo['parent_id']],
-				'filename' => str_replace('#', '', $photo['name']),
-				'title' => $photo['title'],
-				'slug' => str_replace('#', '', urldecode($photo['relative_url_cache'])),
-				'mimetype' => $photo['mime_type'],
-				'image_width' => !empty($photo['width']) ? $photo['width'] : 'NULL',
-				'image_height' => !empty($photo['height']) ? $photo['height'] : 'NULL',
-				'date_captured' => !empty($photo['captured']) ? $photo['captured'] : $photo['created'],
-				'priority' => !empty($photo['weight']) ? (int) $photo['weight'] : 0,
-			]);
-
-		$id_asset = $db->insert_id();
-		$old_photo_id_to_asset_id[$photo['id']] = $id_asset;
-
-		// Link to album.
-		$db->query('
-			INSERT INTO assets_tags
-			(id_asset, id_tag)
-			VALUES
-			({int:id_asset}, {int:id_tag})',
-			[
-				'id_asset' => $id_asset,
-				'id_tag' => $old_album_id_to_new_tag_id[$photo['parent_id']],
-			]);
-	}
-}
-
-/*******************************
- * STEP 3: TAGS
- *******************************/
-
-$num_tags = $pdb->queryValue('
-	SELECT COUNT(*)
-	FROM tags');
-
-echo $num_tags, " tags to import.\n";
-
-$rs_tags = $pdb->query('
-	SELECT id, name, count
-	FROM tags');
-
-$old_tag_id_to_new_tag_id = [];
-while ($person = $pdb->fetch_assoc($rs_tags))
-{
-	$tag = Tag::createNew([
-		'tag' => $person['name'],
-		'slug' => $person['name'],
-		'kind' => 'Person',
-		'description' => '',
-		'count' => $person['count'],
-	]);
-
-	$tags[$tag->id_tag] = $tag;
-	$old_tag_id_to_new_tag_id[$person['id']] = $tag->id_tag;
-}
-
-$pdb->free_result($rs_tags);
-
-/*******************************
- * STEP 4: TAGGED PHOTOS
- *******************************/
-
-$num_tagged = $pdb->queryValue('
-	SELECT COUNT(*)
-	FROM items_tags
-	WHERE item_id IN(
-		SELECT id
-		FROM items
-		WHERE type = {string:photo}
-	)',
-	['photo' => 'photo']);
-
-echo $num_tagged, " photo tags to import.\n";
-
-$rs_tags = $pdb->query('
-	SELECT item_id, tag_id
-	FROM items_tags
-	WHERE item_id IN(
-		SELECT id
-		FROM items
-		WHERE type = {string:photo}
-	)',
-	['photo' => 'photo']);
-
-while ($tag = $pdb->fetch_assoc($rs_tags))
-{
-	if (!isset($old_tag_id_to_new_tag_id[$tag['tag_id']], $old_photo_id_to_asset_id[$tag['item_id']]))
-		continue;
-
-	$id_asset = $old_photo_id_to_asset_id[$tag['item_id']];
-	$id_tag = $old_tag_id_to_new_tag_id[$tag['tag_id']];
-
-	// Link up.
-	$db->query('
-		INSERT IGNORE INTO assets_tags
-		(id_asset, id_tag)
-		VALUES
-		({int:id_asset}, {int:id_tag})',
-		[
-			'id_asset' => $id_asset,
-			'id_tag' => $id_tag,
-		]);
-}
-
-$pdb->free_result($rs_tags);
-
-/*******************************
- * STEP 5: THUMBNAIL IDS
- *******************************/
-
-foreach ($old_thumb_id_by_tag_id as $id_tag => $old_thumb_id)
-{
-	if (!isset($old_photo_id_to_asset_id[$old_thumb_id]))
-		continue;
-
-	$id_asset = $old_photo_id_to_asset_id[$old_thumb_id];
-	$db->query('
-		UPDATE tags
-		SET id_asset_thumb = ' . $id_asset . '
-		WHERE id_tag = ' . $id_tag);
-}
-
-/*******************************
- * STEP 6: THUMBNAILS FOR PEOPLE
- *******************************/
-
-$db->query('
-	UPDATE tags AS t
-	SET id_asset_thumb = (
-		SELECT id_asset
-		FROM assets_tags AS a
-		WHERE a.id_tag = t.id_tag
-		ORDER BY RAND()
-		LIMIT 1
-	)
-	WHERE kind = {string:person}',
-	['person' => 'Person']);
-
-/*******************************
- * STEP 7: CLEANING UP
- *******************************/
-
-Tag::recount();

import_postprocess.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# ALBUM UPDATE
-
-# Hashes uit filenames.
-find . -name '*#*' -exec rename -v "s/#//" {} \;
-
-# Orientatie-tags goedzetten.
-find public/assets/borrel/april-2015/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Eetpartijtjes/ruwinterbbq/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Eetpartijtjes/Tapasavond-oktober-2011/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Eetpartijtjes/Verjaardag-IV-bij-Wally/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Uitstapjes/Final-Symphony-Wuppertal-2013-05-11/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Universiteit/Oude-sneeuwfoto\'s/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Weekenden/Susteren-2012 -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Weekenden/Susteren-2013 -type f -exec exiftool -n -Orientation=1 "{}" \;
-find public/assets/Weekenden/Wijhe-2016/ -type f -exec exiftool -n -Orientation=1 "{}" \;
-
-# Remove backup files.
-find public/assets/ -type f -name '*_original' -delete

migrate_thumbs.php

@@ -1,53 +0,0 @@
-<?php
-/*****************************************************************************
- * migrate_thumbs.php
- * Migrates old-style thumbnails (meta) to new table.
- *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
- *****************************************************************************/
-
-// Include the project's configuration.
-require_once 'config.php';
-
-// Set up the autoloader.
-require_once 'vendor/autoload.php';
-
-// Initialise the database.
-$db = new Database(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
-Registry::set('db', $db);
-
-// Do some authentication checks.
-Session::start();
-Registry::set('user', Authentication::isLoggedIn() ? Member::fromId($_SESSION['user_id']) : new Guest());
-
-
-$res = $db->query('
-	SELECT id_asset, variable, value
-	FROM assets_meta
-	WHERE variable LIKE {string:thumbs}',
-	['thumbs' => 'thumb_%']);
-
-while ($row = $db->fetch_assoc($res))
-{
-	if (!preg_match('~^thumb_(?<width>\d+)x(?<height>\d+)(?:_(?<mode>c[best]?))?$~', $row['variable'], $match))
-		continue;
-
-	echo 'Migrating ... ', $row['value'], '(#', $row['id_asset'], ")\r";
-
-	$db->insert('replace', 'assets_thumbs', [
-		'id_asset' => 'int',
-		'width' => 'int',
-		'height' => 'int',
-		'mode' => 'string-3',
-		'filename' => 'string-255',
-	], [
-		'id_asset' => $row['id_asset'],
-		'width' => $match['width'],
-		'height' => $match['height'],
-		'mode' => $match['mode'] ?? '',
-		'filename' => $row['value'],
-	]);
-}
-
-echo "\nDone\n";
-

migrations/2024-11-05.sql

@@ -0,0 +1,2 @@
+/* Add time-out to password reset keys, and prevent repeated mails */
+ALTER TABLE `users` ADD `reset_blocked_until` INT  UNSIGNED  NULL  AFTER `reset_key`;

models/AdminMenu.php

@@ -0,0 +1,61 @@
+<?php
+/*****************************************************************************
+ * AdminMenu.php
+ * Contains the admin navigation logic.
+ *
+ * Kabuki CMS (C) 2013-2023, Aaron van Geffen
+ *****************************************************************************/
+
+class AdminMenu extends Menu
+{
+	public function __construct()
+	{
+		$user = Registry::has('user') ? Registry::get('user') : new Guest();
+		if (!$user->isAdmin())
+			return;
+
+		$this->items[0] = [
+			'label' => 'Admin',
+			'icon' => 'gear',
+			'badge' => ErrorLog::getCount(),
+			'subs' => [
+				[
+					'uri' => '/managealbums/',
+					'label' => 'Albums',
+				],
+				[
+					'uri' => '/manageassets/',
+					'label' => 'Assets',
+				],
+				[
+					'uri' => '/managetags/',
+					'label' => 'Tags',
+				],
+				[
+					'uri' => '/manageusers/',
+					'label' => 'Users',
+				],
+				[
+					'uri' => '/manageerrors/',
+					'label' => 'Errors',
+					'badge' => ErrorLog::getCount(),
+				],
+			],
+		];
+
+		if ($this->items[0]['badge'] == 0)
+			unset($this->items[0]['badge']);
+
+		foreach ($this->items as $i => $item)
+		{
+			if (isset($item['uri']))
+				$this->items[$i]['url'] = BASEURL . $item['uri'];
+
+			if (!isset($item['subs']))
+				continue;
+
+			foreach ($item['subs'] as $j => $subitem)
+				$this->items[$i]['subs'][$j]['url'] = BASEURL . $subitem['uri'];
+		}
+	}
+}

models/Asset.php

@@ -8,36 +8,55 @@
 
 class Asset
 {
-	protected $id_asset;
-	protected $id_user_uploaded;
-	protected $subdir;
-	protected $filename;
-	protected $title;
-	protected $mimetype;
-	protected $image_width;
-	protected $image_height;
-	protected $date_captured;
-	protected $priority;
+	public $id_asset;
+	public $id_user_uploaded;
+	public $subdir;
+	public $filename;
+	public $title;
+	public $slug;
+	public $mimetype;
+	public $image_width;
+	public $image_height;
+	public $date_captured;
+	public $priority;
 
 	protected $meta;
 	protected $tags;
 	protected $thumbnails;
 
-	protected function __construct(array $data)
+	public function __construct(array $data)
 	{
 		foreach ($data as $attribute => $value)
-			$this->$attribute = $value;
+		{
+			if (property_exists($this, $attribute))
+				$this->$attribute = $value;
+		}
 
-		if (!empty($data['date_captured']) && $data['date_captured'] !== 'NULL')
+		if (isset($data['date_captured']) && $data['date_captured'] !== null && !is_object($data['date_captured']))
 			$this->date_captured = new DateTime($data['date_captured']);
 	}
 
+	public function canBeEditedBy(User $user)
+	{
+		return $this->isOwnedBy($user) || $user->isAdmin();
+	}
+
+	public static function cleanSlug($slug)
+	{
+		// Only alphanumerical chars, underscores and forward slashes are allowed
+		if (!preg_match_all('~([A-z0-9\/_]+)~', $slug, $allowedTokens, PREG_PATTERN_ORDER))
+			throw new UnexpectedValueException('Slug does not make sense.');
+
+		// Join valid substrings together with hyphens
+		return implode('-', $allowedTokens[1]);
+	}
+
 	public static function fromId($id_asset, $return_format = 'object')
 	{
 		$row = Registry::get('db')->queryAssoc('
 			SELECT *
 			FROM assets
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $id_asset,
 			]);
@@ -50,7 +69,7 @@ class Asset
 		$row = Registry::get('db')->queryAssoc('
 			SELECT *
 			FROM assets
-			WHERE slug = {string:slug}',
+			WHERE slug = :slug',
 			[
 				'slug' => $slug,
 			]);
@@ -66,7 +85,7 @@ class Asset
 		$row['meta'] = $db->queryPair('
 			SELECT variable, value
 			FROM assets_meta
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $row['id_asset'],
 			]);
@@ -75,21 +94,20 @@ class Asset
 		$row['thumbnails'] = $db->queryPair('
 			SELECT
 				CONCAT(
-					width,
-					{string:x},
-					height,
-					IF(mode != {string:empty}, CONCAT({string:_}, mode), {string:empty})
+					width, :x, height,
+					IF(mode != :empty1, CONCAT(:_, mode), :empty2)
 				) AS selector, filename
 			FROM assets_thumbs
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $row['id_asset'],
-				'empty' => '',
+				'empty1' => '',
+				'empty2' => '',
 				'x' => 'x',
 				'_' => '_',
 			]);
 
-		return $return_format == 'object' ? new Asset($row) : $row;
+		return $return_format === 'object' ? new static($row) : $row;
 	}
 
 	public static function fromIds(array $id_assets, $return_format = 'array')
@@ -102,14 +120,14 @@ class Asset
 		$res = $db->query('
 			SELECT *
 			FROM assets
-			WHERE id_asset IN ({array_int:id_assets})
+			WHERE id_asset IN (@id_assets)
 			ORDER BY id_asset',
 			[
 				'id_assets' => $id_assets,
 			]);
 
 		$assets = [];
-		while ($asset = $db->fetch_assoc($res))
+		while ($asset = $db->fetchAssoc($res))
 		{
 			$assets[$asset['id_asset']] = $asset;
 			$assets[$asset['id_asset']]['meta'] = [];
@@ -119,7 +137,7 @@ class Asset
 		$metas = $db->queryRows('
 			SELECT id_asset, variable, value
 			FROM assets_meta
-			WHERE id_asset IN ({array_int:id_assets})
+			WHERE id_asset IN (@id_assets)
 			ORDER BY id_asset',
 			[
 				'id_assets' => $id_assets,
@@ -131,17 +149,16 @@ class Asset
 		$thumbnails = $db->queryRows('
 			SELECT id_asset,
 				CONCAT(
-					width,
-					{string:x},
-					height,
-					IF(mode != {string:empty}, CONCAT({string:_}, mode), {string:empty})
+					width, :x, height,
+					IF(mode != :empty1, CONCAT(:_, mode), :empty2)
 				) AS selector, filename
 			FROM assets_thumbs
-			WHERE id_asset IN ({array_int:id_assets})
+			WHERE id_asset IN (@id_assets)
 			ORDER BY id_asset',
 			[
 				'id_assets' => $id_assets,
-				'empty' => '',
+				'empty1' => '',
+				'empty2' => '',
 				'x' => 'x',
 				'_' => '_',
 			]);
@@ -149,8 +166,10 @@ class Asset
 		foreach ($thumbnails as $thumb)
 			$assets[$thumb[0]]['thumbnails'][$thumb[1]] = $thumb[2];
 
-		if ($return_format == 'array')
+		if ($return_format === 'array')
+		{
 			return $assets;
+		}
 		else
 		{
 			$objects = [];
@@ -183,9 +202,10 @@ class Asset
 
 		$new_filename = $preferred_filename;
 		$destination = ASSETSDIR . '/' . $preferred_subdir . '/' . $preferred_filename;
-		while (file_exists($destination))
+		for ($i = 1; file_exists($destination); $i++)
 		{
-			$filename = pathinfo($preferred_filename, PATHINFO_FILENAME) . '_' . mt_rand(10, 99);
+			$suffix = $i;
+			$filename = pathinfo($preferred_filename, PATHINFO_FILENAME) . ' (' . $suffix . ')';
 			$extension = pathinfo($preferred_filename, PATHINFO_EXTENSION);
 			$new_filename = $filename . '.' . $extension;
 			$destination = dirname($destination) . '/' . $new_filename;
@@ -202,11 +222,14 @@ class Asset
 		$mimetype = finfo_file($finfo, $destination);
 		finfo_close($finfo);
 
+		// We're going to need the base name a few times...
+		$basename = pathinfo($new_filename, PATHINFO_FILENAME);
+
 		// Do we have a title yet? Otherwise, use the filename.
-		$title = isset($data['title']) ? $data['title'] : pathinfo($preferred_filename, PATHINFO_FILENAME);
+		$title = $data['title'] ?? $basename;
 
 		// Same with the slug.
-		$slug = isset($data['slug']) ? $data['slug'] : $preferred_subdir . '/' . pathinfo($preferred_filename, PATHINFO_FILENAME);
+		$slug = $data['slug'] ?? self::cleanSlug(sprintf('%s/%s', $preferred_subdir, $basename));
 
 		// Detected an image?
 		if (substr($mimetype, 0, 5) == 'image')
@@ -239,10 +262,10 @@ class Asset
 			INSERT INTO assets
 			(id_user_uploaded, subdir, filename, title, slug, mimetype, image_width, image_height, date_captured, priority)
 			VALUES
-			({int:id_user_uploaded}, {string:subdir}, {string:filename}, {string:title}, {string:slug}, {string:mimetype},
-			 {int:image_width}, {int:image_height},
-			 IF({int:date_captured} > 0, FROM_UNIXTIME({int:date_captured}), NULL),
-			 {int:priority})',
+			(:id_user_uploaded, :subdir, :filename, :title, :slug, :mimetype,
+			 :image_width, :image_height,
+			 ' . (!empty($date_captured) ? 'FROM_UNIXTIME(:date_captured)' : 'NULL') . ',
+			 :priority)',
 			[
 				'id_user_uploaded' => isset($id_user) ? $id_user : Registry::get('user')->getUserId(),
 				'subdir' => $preferred_subdir,
@@ -250,9 +273,9 @@ class Asset
 				'title' => $title,
 				'slug' => $slug,
 				'mimetype' => $mimetype,
-				'image_width' => isset($image_width) ? $image_width : 'NULL',
-				'image_height' => isset($image_height) ? $image_height : 'NULL',
-				'date_captured' => isset($date_captured) ? $date_captured : 'NULL',
+				'image_width' => isset($image_width) ? $image_width : null,
+				'image_height' => isset($image_height) ? $image_height : null,
+				'date_captured' => isset($date_captured) ? $date_captured : null,
 				'priority' => isset($priority) ? (int) $priority : 0,
 			]);
 
@@ -262,8 +285,8 @@ class Asset
 			return false;
 		}
 
-		$data['id_asset'] = $db->insert_id();
-		return $return_format == 'object' ? new self($data) : $data;
+		$data['id_asset'] = $db->insertId();
+		return $return_format === 'object' ? new self($data) : $data;
 	}
 
 	public function getId()
@@ -281,6 +304,16 @@ class Asset
 		return $this->date_captured;
 	}
 
+	public function getDeleteUrl()
+	{
+		return BASEURL . '/editasset/?id=' . $this->id_asset . '&delete';
+	}
+
+	public function getEditUrl()
+	{
+		return BASEURL . '/editasset/?id=' . $this->id_asset;
+	}
+
 	public function getFilename()
 	{
 		return $this->filename;
@@ -291,7 +324,7 @@ class Asset
 		$posts = Registry::get('db')->queryValues('
 			SELECT id_post
 			FROM posts_assets
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			['id_asset' => $this->id_asset]);
 
 		// TODO: fix empty post iterator.
@@ -364,7 +397,7 @@ class Asset
 
 	public function isImage()
 	{
-		return substr($this->mimetype, 0, 5) === 'image';
+		return isset($this->mimetype) && substr($this->mimetype, 0, 5) === 'image';
 	}
 
 	public function getImage()
@@ -375,6 +408,50 @@ class Asset
 		return new Image(get_object_vars($this));
 	}
 
+	public function isOwnedBy(User $user)
+	{
+		return $this->id_user_uploaded == $user->getUserId();
+	}
+
+	public function moveToSubDir($destSubDir)
+	{
+		// Verify the original exists
+		$source = ASSETSDIR . '/' . $this->subdir . '/' . $this->filename;
+		if (!file_exists($source))
+			return -1;
+
+		// Ensure the intended target file doesn't exist yet
+		$destDir = ASSETSDIR . '/' . $destSubDir;
+		$destFile = $destDir . '/' . $this->filename;
+
+		if (file_exists($destFile))
+			return -2;
+
+		// Can we write to the target directory?
+		if (!is_writable($destDir))
+			return -3;
+
+		// Perform move
+		if (rename($source, $destFile))
+		{
+			$this->subdir = $destSubDir;
+			$this->slug = $this->subdir . '/' . $this->title;
+			Registry::get('db')->query('
+				UPDATE assets
+				SET subdir = :subdir,
+					slug = :slug
+				WHERE id_asset = :id_asset',
+				[
+					'id_asset' => $this->id_asset,
+					'subdir' => $this->subdir,
+					'slug' => $this->slug,
+				]);
+			return true;
+		}
+
+		return -4;
+	}
+
 	public function replaceFile($filename)
 	{
 		// No filename? Abort!
@@ -394,7 +471,7 @@ class Asset
 		finfo_close($finfo);
 
 		// Detected an image?
-		if (substr($this->mimetype, 0, 5) == 'image')
+		if (substr($this->mimetype, 0, 5) === 'image')
 		{
 			$image = new Imagick($destination);
 			$d = $image->getImageGeometry();
@@ -418,18 +495,18 @@ class Asset
 		return Registry::get('db')->query('
 			UPDATE assets
 			SET
-				mimetype = {string:mimetype},
-				image_width = {int:image_width},
-				image_height = {int:image_height},
-				date_captured = {datetime:date_captured},
-				priority = {int:priority}
-			WHERE id_asset = {int:id_asset}',
+				mimetype = :mimetype,
+				image_width = :image_width,
+				image_height = :image_height,
+				date_captured = :date_captured,
+				priority = :priority
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $this->id_asset,
 				'mimetype' => $this->mimetype,
-				'image_width' => isset($this->image_width) ? $this->image_width : 'NULL',
-				'image_height' => isset($this->image_height) ? $this->image_height : 'NULL',
-				'date_captured' => isset($this->date_captured) ? $this->date_captured : 'NULL',
+				'image_width' => isset($this->image_width) ? $this->image_width : null,
+				'image_height' => isset($this->image_height) ? $this->image_height : null,
+				'date_captured' => isset($this->date_captured) ? $this->date_captured : null,
 				'priority' => $this->priority,
 			]);
 	}
@@ -450,8 +527,8 @@ class Asset
 			if (!empty($to_remove))
 				$db->query('
 					DELETE FROM assets_meta
-					WHERE id_asset = {int:id_asset} AND
-						variable IN({array_string:variables})',
+					WHERE id_asset = :id_asset AND
+						variable IN(@variables)',
 					[
 						'id_asset' => $this->id_asset,
 						'variables' => array_keys($to_remove),
@@ -482,47 +559,40 @@ class Asset
 	{
 		$db = Registry::get('db');
 
-		if (!unlink(ASSETSDIR . '/' . $this->subdir . '/' . $this->filename))
-			return false;
+		// Delete any and all thumbnails, if this is an image.
+		if ($this->isImage())
+		{
+			$image = $this->getImage();
+			$image->removeAllThumbnails();
+		}
 
+		// Delete all meta info for this asset.
 		$db->query('
 			DELETE FROM assets_meta
-			WHERE id_asset = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
+			WHERE id_asset = :id_asset',
+			['id_asset' => $this->id_asset]);
 
+		// Figure out what tags to recount cardinality for
 		$recount_tags = $db->queryValues('
 			SELECT id_tag
 			FROM assets_tags
-			WHERE id_asset = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
+			WHERE id_asset = :id_asset',
+			['id_asset' => $this->id_asset]);
 
+		// Delete asset association for these tags
 		$db->query('
 			DELETE FROM assets_tags
-			WHERE id_asset = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
+			WHERE id_asset = :id_asset',
+			['id_asset' => $this->id_asset]);
 
 		Tag::recount($recount_tags);
 
-		$return = $db->query('
-			DELETE FROM assets
-			WHERE id_asset = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
-
-		$rows = $db->query('
+		// Reset asset ID for tags that use this asset for their thumbnail
+		$rows = $db->queryValues('
 			SELECT id_tag
 			FROM tags
-			WHERE id_asset_thumb = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
+			WHERE id_asset_thumb = :id_asset',
+			['id_asset' => $this->id_asset]);
 
 		if (!empty($rows))
 		{
@@ -533,6 +603,15 @@ class Asset
 			}
 		}
 
+		// Finally, delete the actual asset
+		if (!unlink(ASSETSDIR . '/' . $this->subdir . '/' . $this->filename))
+			return false;
+
+		$return = $db->query('
+			DELETE FROM assets
+			WHERE id_asset = :id_asset',
+			['id_asset' => $this->id_asset]);
+
 		return $return;
 	}
 
@@ -560,7 +639,7 @@ class Asset
 
 		Registry::get('db')->query('
 			DELETE FROM assets_tags
-			WHERE id_asset = {int:id_asset} AND id_tag IN ({array_int:id_tags})',
+			WHERE id_asset = :id_asset AND id_tag IN (@id_tags)',
 			[
 				'id_asset' => $this->id_asset,
 				'id_tags' => $id_tags,
@@ -576,91 +655,117 @@ class Asset
 			FROM assets');
 	}
 
-	public function setKeyData($title, $slug, DateTime $date_captured = null, $priority)
+	public static function getOffset($offset, $limit, $order, $direction)
 	{
-		$params = [
-			'id_asset' => $this->id_asset,
-			'title' => $title,
-			'slug' => $slug,
-			'priority' => $priority,
-		];
+		$order = $order . ($direction == 'up' ? ' ASC' : ' DESC');
 
-		if (isset($date_captured))
-			$params['date_captured'] = $date_captured->format('Y-m-d H:i:s');
+		return Registry::get('db')->queryAssocs('
+			SELECT a.id_asset, a.subdir, a.filename,
+				a.image_width, a.image_height, a.mimetype,
+				u.id_user, u.first_name, u.surname
+			FROM assets AS a
+			LEFT JOIN users AS u ON a.id_user_uploaded = u.id_user
+			ORDER BY ' . $order . '
+			LIMIT :offset, :limit',
+			[
+				'offset' => $offset,
+				'limit' => $limit,
+			]);
+	}
+
+	public function save()
+	{
+		if (empty($this->id_asset))
+			throw new UnexpectedValueException();
 
 		return Registry::get('db')->query('
 			UPDATE assets
-			SET title = {string:title},
-				slug = {string:slug},' . (isset($date_captured) ? '
-				date_captured = {datetime:date_captured},' : '') . '
-				priority = {int:priority}
-			WHERE id_asset = {int:id_asset}',
+			SET subdir = :subdir,
+				filename = :filename,
+				title = :title,
+				slug = :slug,
+				mimetype = :mimetype,
+				image_width = :image_width,
+				image_height = :image_height,
+				date_captured = :date_captured,
+				priority = :priority
+			WHERE id_asset = :id_asset',
+			get_object_vars($this));
+	}
+
+	protected function getUrlForAdjacentInSet($prevNext, ?Tag $tag, $activeFilter)
+	{
+		$next = $prevNext === 'next';
+		$previous = !$next;
+
+		$where = [];
+		$params = [
+			'id_asset' => $this->id_asset,
+			'date_captured' => $this->date_captured,
+		];
+
+		// Direction depends on whether we're browsing a tag or timeline
+		if (isset($tag))
+		{
+			$where[] = 't.id_tag = :id_tag';
+			$params['id_tag'] = $tag->id_tag;
+			$where_op = $previous ? '<' : '>';
+			$order_dir = $previous ? 'DESC' : 'ASC';
+		}
+		else
+		{
+			$where_op = $previous ? '>' : '<';
+			$order_dir = $previous ? 'ASC' : 'DESC';
+		}
+
+		// Take active filter into account as well
+		if (!empty($activeFilter) && ($user = Member::fromSlug($activeFilter)) !== false)
+		{
+			$where[] = 'id_user_uploaded = :id_user_uploaded';
+			$params['id_user_uploaded'] = $user->getUserId();
+		}
+
+		// Use complete ordering when sorting the set
+		$where[] = '(a.date_captured, a.id_asset) ' . $where_op .
+			' (:date_captured, :id_asset)';
+
+		// Stringify conditions together
+		$where = '(' . implode(') AND (', $where) . ')';
+
+		// Run query, leaving out tags table if not required
+		$row = Registry::get('db')->queryAssoc('
+			SELECT a.*
+			FROM assets AS a
+			' . (isset($tag) ? '
+			INNER JOIN assets_tags AS t ON a.id_asset = t.id_asset' : '') . '
+			WHERE ' . $where . '
+			ORDER BY a.date_captured ' . $order_dir . ', a.id_asset ' . $order_dir . '
+			LIMIT 1',
 			$params);
+
+		if (!$row)
+			return false;
+
+		$obj = self::byRow($row, 'object');
+
+		$urlParams = [];
+		if (isset($tag))
+			$urlParams['in'] = $tag->id_tag;
+		if (!empty($activeFilter))
+			$urlParams['by'] = $activeFilter;
+
+		$queryString = !empty($urlParams) ? '?' . http_build_query($urlParams) : '';
+
+		return $obj->getPageUrl() . $queryString;
 	}
 
-	public function getUrlForPreviousInSet($id_tag = null)
+	public function getUrlForPreviousInSet(?Tag $tag, $activeFilter)
 	{
-		$row = Registry::get('db')->queryAssoc('
-			SELECT a.*
-			' . (isset($id_tag) ? '
-			FROM assets_tags AS t
-			INNER JOIN assets AS a ON a.id_asset = t.id_asset
-			WHERE t.id_tag = {int:id_tag} AND
-				a.date_captured <= {datetime:date_captured} AND
-				a.id_asset != {int:id_asset}
-			ORDER BY a.date_captured DESC'
-			: '
-			FROM assets AS a
-			WHERE date_captured >= {datetime:date_captured} AND
-				a.id_asset != {int:id_asset}
-			ORDER BY date_captured ASC')
-			 . '
-			LIMIT 1',
-			[
-				'id_asset' => $this->id_asset,
-				'id_tag' => $id_tag,
-				'date_captured' => $this->date_captured,
-			]);
-
-		if ($row)
-		{
-			$obj = self::byRow($row, 'object');
-			return $obj->getPageUrl() . ($id_tag ? '?in=' . $id_tag : '');
-		}
-		else
-			return false;
+		return $this->getUrlForAdjacentInSet('previous', $tag, $activeFilter);
 	}
 
-	public function getUrlForNextInSet($id_tag = null)
+	public function getUrlForNextInSet(?Tag $tag, $activeFilter)
 	{
-		$row = Registry::get('db')->queryAssoc('
-			SELECT a.*
-			' . (isset($id_tag) ? '
-			FROM assets_tags AS t
-			INNER JOIN assets AS a ON a.id_asset = t.id_asset
-			WHERE t.id_tag = {int:id_tag} AND
-				a.date_captured >= {datetime:date_captured} AND
-				a.id_asset != {int:id_asset}
-			ORDER BY a.date_captured ASC'
-			: '
-			FROM assets AS a
-			WHERE date_captured <= {datetime:date_captured} AND
-				a.id_asset != {int:id_asset}
-			ORDER BY date_captured DESC')
-			 . '
-			LIMIT 1',
-			[
-				'id_asset' => $this->id_asset,
-				'id_tag' => $id_tag,
-				'date_captured' => $this->date_captured,
-			]);
-
-		if ($row)
-		{
-			$obj = self::byRow($row, 'object');
-			return $obj->getPageUrl() . ($id_tag ? '?in=' . $id_tag : '');
-		}
-		else
-			return false;
+		return $this->getUrlForAdjacentInSet('next', $tag, $activeFilter);
 	}
 }

models/AssetIterator.php

@@ -1,38 +1,50 @@
 <?php
 /*****************************************************************************
  * AssetIterator.php
- * Contains key class AssetIterator.
+ * Contains model class AssetIterator.
  *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
  *****************************************************************************/
 
-class AssetIterator extends Asset
+class AssetIterator implements Iterator
 {
+	private $direction;
 	private $return_format;
-	private $res_assets;
-	private $res_meta;
-	private $res_thumbs;
+	private $rowCount;
 
-	protected function __construct($res_assets, $res_meta, $res_thumbs, $return_format)
+	private $assets_iterator;
+	private $meta_iterator;
+	private $thumbs_iterator;
+
+	protected function __construct(PDOStatement $stmt_assets, PDOStatement $stmt_meta, PDOStatement $stmt_thumbs,
+		$return_format, $direction)
 	{
-		$this->db = Registry::get('db');
-		$this->res_assets = $res_assets;
-		$this->res_meta = $res_meta;
-		$this->res_thumbs = $res_thumbs;
+		$this->direction = $direction;
 		$this->return_format = $return_format;
+		$this->rowCount = $stmt_assets->rowCount();
+
+		$this->assets_iterator = new CachedPDOIterator($stmt_assets);
+		$this->assets_iterator->rewind();
+
+		$this->meta_iterator = new CachedPDOIterator($stmt_meta);
+		$this->thumbs_iterator = new CachedPDOIterator($stmt_thumbs);
 	}
 
-	public function next()
+	public static function all()
 	{
-		$row = $this->db->fetch_assoc($this->res_assets);
+		return self::getByOptions();
+	}
 
-		// No more rows?
+	public function current(): mixed
+	{
+		$row = $this->assets_iterator->current();
 		if (!$row)
-			return false;
+			return $row;
 
-		// Looks up metadata.
+		// Collect metadata
 		$row['meta'] = [];
-		while ($meta = $this->db->fetch_assoc($this->res_meta))
+		$this->meta_iterator->rewind();
+		foreach ($this->meta_iterator as $meta)
 		{
 			if ($meta['id_asset'] != $row['id_asset'])
 				continue;
@@ -40,54 +52,23 @@ class AssetIterator extends Asset
 			$row['meta'][$meta['variable']] = $meta['value'];
 		}
 
-		// Reset internal pointer for next asset.
-		$this->db->data_seek($this->res_meta, 0);
-
-		// Looks up thumbnails.
+		// Collect thumbnails
 		$row['thumbnails'] = [];
-		while ($thumbs = $this->db->fetch_assoc($this->res_thumbs))
+		$this->thumbs_iterator->rewind();
+		foreach ($this->thumbs_iterator as $thumb)
 		{
-			if ($thumbs['id_asset'] != $row['id_asset'])
+			if ($thumb['id_asset'] != $row['id_asset'])
 				continue;
 
-			$row['thumbnails'][$thumbs['selector']] = $thumbs['filename'];
+			$row['thumbnails'][$thumb['selector']] = $thumb['filename'];
 		}
 
-		// Reset internal pointer for next asset.
-		$this->db->data_seek($this->res_thumbs, 0);
-
-		if ($this->return_format == 'object')
+		if ($this->return_format === 'object')
 			return new Asset($row);
 		else
 			return $row;
 	}
 
-	public function reset()
-	{
-		$this->db->data_seek($this->res_assets, 0);
-		$this->db->data_seek($this->res_meta, 0);
-		$this->db->data_seek($this->res_thumbs, 0);
-	}
-
-	public function clean()
-	{
-		if (!$this->res_assets)
-			return;
-
-		$this->db->free_result($this->res_assets);
-		$this->res_assets = null;
-	}
-
-	public function num()
-	{
-		return $this->db->num_rows($this->res_assets);
-	}
-
-	public static function all()
-	{
-		return self::getByOptions();
-	}
-
 	public static function getByOptions(array $options = [], $return_count = false, $return_format = 'object')
 	{
 		$params = [
@@ -110,9 +91,14 @@ class AssetIterator extends Asset
 		{
 			$params['mime_type'] = $options['mime_type'];
 			if (is_array($options['mime_type']))
-				$where[] = 'a.mimetype IN({array_string:mime_type})';
+				$where[] = 'a.mimetype IN(@mime_type)';
 			else
-				$where[] = 'a.mimetype = {string:mime_type}';
+				$where[] = 'a.mimetype = :mime_type';
+		}
+		if (isset($options['id_user_uploaded']))
+		{
+			$params['id_user_uploaded'] = $options['id_user_uploaded'];
+			$where[] = 'id_user_uploaded = :id_user_uploaded';
 		}
 		if (isset($options['id_tag']))
 		{
@@ -120,7 +106,17 @@ class AssetIterator extends Asset
 			$where[] = 'id_asset IN(
 				SELECT l.id_asset
 				FROM assets_tags AS l
-				WHERE l.id_tag = {int:id_tag})';
+				WHERE l.id_tag = :id_tag)';
+		}
+		elseif (isset($options['tag']))
+		{
+			$params['tag'] = $options['tag'];
+			$where[] = 'id_asset IN(
+				SELECT l.id_asset
+				FROM assets_tags AS l
+				INNER JOIN tags AS t
+				ON l.id_tag = t.id_tag
+				WHERE t.slug = :tag)';
 		}
 
 		// Make it valid SQL.
@@ -136,7 +132,7 @@ class AssetIterator extends Asset
 			FROM assets AS a
 			WHERE ' . $where . '
 			ORDER BY ' . $order . (!empty($params['limit']) ? '
-			LIMIT {int:offset}, {int:limit}' : ''),
+			LIMIT :offset, :limit' : ''),
 			$params);
 
 		// Get a resource object for the asset meta.
@@ -156,9 +152,9 @@ class AssetIterator extends Asset
 			SELECT id_asset, filename,
 				CONCAT(
 					width,
-					{string:x},
+					:x,
 					height,
-					IF(mode != {string:empty}, CONCAT({string:_}, mode), {string:empty})
+					IF(mode != :empty1, CONCAT(:_, mode), :empty2)
 				) AS selector
 			FROM assets_thumbs
 			WHERE id_asset IN(
@@ -168,12 +164,13 @@ class AssetIterator extends Asset
 			)
 			ORDER BY id_asset',
 			$params + [
-				'empty' => '',
+				'empty1' => '',
+				'empty2' => '',
 				'x' => 'x',
 				'_' => '_',
 			]);
 
-		$iterator = new self($res_assets, $res_meta, $res_thumbs, $return_format);
+		$iterator = new self($res_assets, $res_meta, $res_thumbs, $return_format, $params['direction']);
 
 		// Returning total count, too?
 		if ($return_count)
@@ -189,4 +186,39 @@ class AssetIterator extends Asset
 		else
 			return $iterator;
 	}
+
+	public function key(): mixed
+	{
+		return $this->assets_iterator->key();
+	}
+
+	public function isAscending(): bool
+	{
+		return $this->direction === 'asc';
+	}
+
+	public function isDescending(): bool
+	{
+		return $this->direction === 'desc';
+	}
+
+	public function next(): void
+	{
+		$this->assets_iterator->next();
+	}
+
+	public function num(): int
+	{
+		return $this->rowCount;
+	}
+
+	public function rewind(): void
+	{
+		$this->assets_iterator->rewind();
+	}
+
+	public function valid(): bool
+	{
+		return $this->assets_iterator->valid();
+	}
 }

models/Authentication.php

@@ -12,48 +12,27 @@
  */
 class Authentication
 {
-	/**
-	 * Checks whether a user still exists in the database.
-	 */
-	public static function checkExists($id_user)
-	{
-		$res = Registry::get('db')->queryValue('
-			SELECT id_user
-			FROM users
-			WHERE id_user = {int:id}',
-			[
-				'id' => $id_user,
-			]);
-
-		return $res !== null;
-	}
+	const DEFAULT_RESET_TIMEOUT = 30;
 
 	/**
-	 * Finds the user id belonging to a certain emailaddress.
+	 * Checks a password for a given username against the database.
 	 */
-	public static function getUserId($emailaddress)
+	public static function checkPassword($emailaddress, $password)
 	{
-		$res = Registry::get('db')->queryValue('
-			SELECT id_user
+		// Retrieve password hash for user matching the provided emailaddress.
+		$password_hash = Registry::get('db')->queryValue('
+			SELECT password_hash
 			FROM users
-			WHERE emailaddress = {string:emailaddress}',
+			WHERE emailaddress = :emailaddress',
 			[
 				'emailaddress' => $emailaddress,
 			]);
 
-		return empty($res) ? false : $res;
-	}
+		// If there's no hash, the user likely does not exist.
+		if (!$password_hash)
+			return false;
 
-	public static function setResetKey($id_user)
-	{
-		return Registry::get('db')->query('
-			UPDATE users
-			SET reset_key = {string:key}
-			WHERE id_user = {int:id}',
-			[
-				'id' => $id_user,
-				'key' => self::newActivationKey(),
-			]);
+		return password_verify($password, $password_hash);
 	}
 
 	public static function checkResetKey($id_user, $reset_key)
@@ -61,7 +40,7 @@ class Authentication
 		$key = Registry::get('db')->queryValue('
 			SELECT reset_key
 			FROM users
-			WHERE id_user = {int:id}',
+			WHERE id_user = :id',
 			[
 				'id' => $id_user,
 			]);
@@ -69,22 +48,55 @@ class Authentication
 		return $key == $reset_key;
 	}
 
+	/**
+	 * Computes a password hash.
+	 */
+	public static function computeHash($password)
+	{
+		$hash = password_hash($password, PASSWORD_DEFAULT);
+		if (!$hash)
+			throw new Exception('Hash creation failed!');
+		return $hash;
+	}
+
+	public static function consumeResetKey($id_user)
+	{
+		return Registry::get('db')->query('
+			UPDATE users
+			SET reset_key = NULL,
+				reset_blocked_until = NULL
+			WHERE id_user = :id_user',
+			['id_user' => $id_user]);
+	}
+
+	public static function getResetTimeOut($id_user)
+	{
+		$resetTime = Registry::get('db')->queryValue('
+			SELECT reset_blocked_until
+			FROM users
+			WHERE id_user = :id_user',
+			['id_user' => $id_user]);
+
+		return max(0, $resetTime - time());
+	}
+
 	/**
 	 * Verifies whether the user is currently logged in.
 	 */
 	public static function isLoggedIn()
 	{
-		// Check whether the active session matches the current user's environment.
-		if (isset($_SESSION['ip_address'], $_SESSION['user_agent']) && (
-			 (isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] != $_SERVER['REMOTE_ADDR']) ||
-			 (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT'])))
+		if (!isset($_SESSION['user_id']))
+			return false;
+
+		try
+		{
+			$exists = Member::fromId($_SESSION['user_id']);
+			return true;
+		}
+		catch (NotFoundException $e)
 		{
-			session_destroy();
 			return false;
 		}
-
-		// A user is logged in if a user id exists in the session and this id is (still) in the database.
-		return isset($_SESSION['user_id']) && self::checkExists($_SESSION['user_id']);
 	}
 
 	/**
@@ -99,36 +111,17 @@ class Authentication
 		return $string;
 	}
 
-	/**
-	 * Checks a password for a given username against the database.
-	 */
-	public static function checkPassword($emailaddress, $password)
+	public static function setResetKey($id_user)
 	{
-		// Retrieve password hash for user matching the provided emailaddress.
-		$password_hash = Registry::get('db')->queryValue('
-			SELECT password_hash
-			FROM users
-			WHERE emailaddress = {string:emailaddress}',
+		return Registry::get('db')->query('
+			UPDATE users
+			SET reset_key = :key,
+				reset_blocked_until = UNIX_TIMESTAMP() + ' . static::DEFAULT_RESET_TIMEOUT . '
+			WHERE id_user = :id',
 			[
-				'emailaddress' => $emailaddress,
+				'id' => $id_user,
+				'key' => self::newActivationKey(),
 			]);
-
-		// If there's no hash, the user likely does not exist.
-		if (!$password_hash)
-			return false;
-
-		return password_verify($password, $password_hash);
-	}
-
-	/**
-	 * Computes a password hash.
-	 */
-	public static function computeHash($password)
-	{
-		$hash = password_hash($password, PASSWORD_DEFAULT);
-		if (!$hash)
-			throw new Exception('Hash creation failed!');
-		return $hash;
 	}
 
 	/**
@@ -139,13 +132,35 @@ class Authentication
 		return Registry::get('db')->query('
 			UPDATE users
 			SET
-				password_hash = {string:hash},
-				reset_key = {string:blank}
-			WHERE id_user = {int:id_user}',
+				password_hash = :hash,
+				reset_key = :blank
+			WHERE id_user = :id_user',
 			[
 				'id_user' => $id_user,
 				'hash' => $hash,
 				'blank' => '',
 			]);
 	}
+
+	public static function updateResetTimeOut($id_user)
+	{
+		$currentResetTimeOut = static::getResetTimeOut($id_user);
+
+		// New timeout: between 30 seconds, double the current timeout, and a full day
+		$newResetTimeOut = min(max(static::DEFAULT_RESET_TIMEOUT, $currentResetTimeOut * 2), 60 * 60 * 24);
+
+		$success = Registry::get('db')->query('
+			UPDATE users
+			SET reset_blocked_until = :new_time_out
+			WHERE id_user = :id_user',
+			[
+				'id_user' => $id_user,
+				'new_time_out' => time() + $newResetTimeOut,
+			]);
+
+		if (!$success)
+			throw new UnexpectedValueException('Could not set password reset timeout!');
+
+		return $newResetTimeOut;
+	}
 }

models/Cache.php

@@ -1,61 +0,0 @@
-<?php
-/*****************************************************************************
- * Cache.php
- * Contains key class Cache.
- *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
- *****************************************************************************/
-
-class Cache
-{
-	public static $hits = 0;
-	public static $misses = 0;
-	public static $puts = 0;
-	public static $removals = 0;
-
-	public static function put($key, $value, $ttl = 3600)
-	{
-		// If the cache is unavailable, don't bother.
-		if (!CACHE_ENABLED || !function_exists('apcu_store'))
-			return false;
-
-		// Keep track of the amount of cache puts.
-		self::$puts++;
-
-		// Store the data in serialized form.
-		return apcu_store(CACHE_KEY_PREFIX . $key, serialize($value), $ttl);
-	}
-
-	// Get some data from the cache.
-	public static function get($key)
-	{
-		// If the cache is unavailable, don't bother.
-		if (!CACHE_ENABLED || !function_exists('apcu_fetch'))
-			return false;
-
-		// Try to fetch it!
-		$value = apcu_fetch(CACHE_KEY_PREFIX . $key);
-
-		// Were we successful?
-		if (!empty($value))
-		{
-			self::$hits++;
-			return unserialize($value);
-		}
-		// Otherwise, it's a miss.
-		else
-		{
-			self::$misses++;
-			return null;
-		}
-	}
-
-	public static function remove($key)
-	{
-		if (!CACHE_ENABLED || !function_exists('apcu_delete'))
-			return false;
-
-		self::$removals++;
-		return apcu_delete(CACHE_KEY_PREFIX . $key);
-	}
-}

models/CachedPDOIterator.php

@@ -0,0 +1,56 @@
+<?php
+/*****************************************************************************
+ * CachedPDOIterator.php
+ * Contains model class CachedPDOIterator.
+ *
+ * Based on https://gist.github.com/hakre/5152090
+ *
+ * Kabuki CMS (C) 2013-2021, Aaron van Geffen
+ *****************************************************************************/
+
+class CachedPDOIterator extends CachingIterator
+{
+    private $index;
+
+    public function __construct(PDOStatement $statement)
+    {
+        parent::__construct(new IteratorIterator($statement), self::FULL_CACHE);
+    }
+
+    public function rewind(): void
+    {
+        if ($this->index === null)
+        {
+            parent::rewind();
+        }
+        $this->index = 0;
+    }
+
+    public function current(): mixed
+    {
+        if ($this->offsetExists($this->index))
+        {
+            return $this->offsetGet($this->index);
+        }
+        return parent::current();
+    }
+
+    public function key(): mixed
+    {
+        return $this->index;
+    }
+
+    public function next(): void
+    {
+        $this->index++;
+        if (!$this->offsetExists($this->index))
+        {
+            parent::next();
+        }
+    }
+
+    public function valid(): bool
+    {
+        return $this->offsetExists($this->index) || parent::valid();
+    }
+}

models/Database.php

@@ -1,43 +1,34 @@
 <?php
 /*****************************************************************************
  * Database.php
- * Contains key class Database.
+ * Contains model class Database.
  *
- * Adapted from SMF 2.0's DBA (C) 2011 Simple Machines
- * Used under BSD 3-clause license.
- *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
  *****************************************************************************/
 
-/**
- * The database model used to communicate with the MySQL server.
- */
 class Database
 {
 	private $connection;
 	private $query_count = 0;
 	private $logged_queries = [];
 
-	/**
-	 * Initialises a new database connection.
-	 * @param server: server to connect to.
-	 * @param user: username to use for authentication.
-	 * @param password: password to use for authentication.
-	 * @param name: database to select.
-	 */
-	public function __construct($server, $user, $password, $name)
+	public function __construct($host, $user, $password, $name)
 	{
-		$this->connection = @mysqli_connect($server, $user, $password, $name);
-
-		// Give up if we have a connection error.
-		if (mysqli_connect_error())
+		try
 		{
-			header('HTTP/1.1 503 Service Temporarily Unavailable');
+			$this->connection = new PDO("mysql:host=$host;dbname=$name;charset=utf8mb4", $user, $password, [
+				PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
+				PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+				PDO::ATTR_EMULATE_PREPARES => false,
+			]);
+		}
+		// Give up if we have a connection error.
+		catch (PDOException $e)
+		{
+			http_response_code(503);
 			echo '<h2>Database Connection Problems</h2><p>Our software could not connect to the database. We apologise for any inconvenience and ask you to check back later.</p>';
 			exit;
 		}
-
-		$this->query('SET NAMES {string:utf8}', ['utf8' => 'utf8']);
 	}
 
 	public function getQueryCount()
@@ -51,305 +42,227 @@ class Database
 	}
 
 	/**
-	 * Fetches a row from a given recordset, using field names as keys.
+	 * Fetches a row from a given statement/recordset, using field names as keys.
 	 */
-	public function fetch_assoc($resource)
+	public function fetchAssoc($stmt)
 	{
-		return mysqli_fetch_assoc($resource);
+		return $stmt->fetch(PDO::FETCH_ASSOC);
 	}
 
 	/**
-	 * Fetches a row from a given recordset, using numeric keys.
+	 * Fetches a row from a given statement/recordset, encapsulating into an object.
 	 */
-	public function fetch_row($resource)
+	public function fetchObject($stmt, $class)
 	{
-		return mysqli_fetch_row($resource);
+		return $stmt->fetchObject($class);
 	}
 
 	/**
-	 * Destroys a given recordset.
+	 * Fetches a row from a given statement/recordset, using numeric keys.
 	 */
-	public function free_result($resource)
+	public function fetchNum($stmt)
 	{
-		return mysqli_free_result($resource);
-	}
-
-	public function data_seek($result, $row_num)
-	{
-		return mysqli_data_seek($result, $row_num);
+		return $stmt->fetch(PDO::FETCH_NUM);
 	}
 
 	/**
-	 * Returns the amount of rows in a given recordset.
+	 * Destroys a given statement/recordset.
 	 */
-	public function num_rows($resource)
+	public function free($stmt)
 	{
-		return mysqli_num_rows($resource);
+		return $stmt->closeCursor();
 	}
 
 	/**
-	 * Returns the amount of fields in a given recordset.
+	 * Returns the amount of rows in a given statement/recordset.
 	 */
-	public function num_fields($resource)
+	public function rowCount($stmt)
 	{
-		return mysqli_num_fields($resource);
+		return $stmt->rowCount();
 	}
 
 	/**
-	 * Escapes a string.
+	 * Returns the amount of fields in a given statement/recordset.
 	 */
-	public function escape_string($string)
+	public function columnCount($stmt)
 	{
-		return mysqli_real_escape_string($this->connection, $string);
-	}
-
-	/**
-	 * Unescapes a string.
-	 */
-	public function unescape_string($string)
-	{
-		return stripslashes($string);
-	}
-
-	/**
-	 * Returns the last MySQL error.
-	 */
-	public function error()
-	{
-		return mysqli_error($this->connection);
-	}
-
-	public function server_info()
-	{
-		return mysqli_get_server_info($this->connection);
-	}
-
-	/**
-	 * Selects a database on a given connection.
-	 */
-	public function select_db($database)
-	{
-		return mysqli_select_db($database, $this->connection);
-	}
-
-	/**
-	 * Returns the amount of rows affected by the previous query.
-	 */
-	public function affected_rows()
-	{
-		return mysqli_affected_rows($this->connection);
+		return $stmt->columnCount();
 	}
 
 	/**
 	 * Returns the id of the row created by a previous query.
 	 */
-	public function insert_id()
+	public function insertId($name = null)
 	{
-		return mysqli_insert_id($this->connection);
+		return $this->connection->lastInsertId($name);
 	}
 
 	/**
-	 * Do a MySQL transaction.
+	 * Start a transaction.
 	 */
-	public function transaction($operation = 'commit')
+	public function beginTransaction()
 	{
-		switch ($operation)
-		{
-				case 'begin':
-				case 'rollback':
-				case 'commit':
-					return @mysqli_query($this->connection, strtoupper($operation));
-			default:
-				return false;
-		}
+		return $this->connection->beginTransaction();
 	}
 
 	/**
-	 * Function used as a callback for the preg_match function that parses variables into database queries.
+	 * Rollback changes in a transaction.
 	 */
-	private function replacement_callback($matches)
+	public function rollback()
 	{
-		list ($values, $connection) = $this->db_callback;
+		return $this->connection->rollBack();
+	}
 
-		if (!isset($matches[2]))
-			trigger_error('Invalid value inserted or no type specified.', E_USER_ERROR);
+	/**
+	 * Commit changes in a transaction.
+	 */
+	public function commit()
+	{
+		return $this->connection->commit();
+	}
 
-		if (!isset($values[$matches[2]]))
-			trigger_error('The database value you\'re trying to insert does not exist: ' . htmlspecialchars($matches[2]), E_USER_ERROR);
-
-		$replacement = $values[$matches[2]];
-
-		switch ($matches[1])
+	private function expandPlaceholders($db_string, array &$db_values)
+	{
+		foreach ($db_values as $key => &$value)
 		{
-			case 'int':
-				if ((!is_numeric($replacement) || (string) $replacement !== (string) (int) $replacement) && $replacement !== 'NULL')
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Integer expected.', E_USER_ERROR);
-				return $replacement !== 'NULL' ? (string) (int) $replacement : 'NULL';
-			break;
-
-			case 'string':
-			case 'text':
-				return $replacement !== 'NULL' ? sprintf('\'%1$s\'', mysqli_real_escape_string($connection, $replacement)) : 'NULL';
-			break;
-
-			case 'array_int':
-				if (is_array($replacement))
+			if (str_contains($db_string, ':' . $key))
+			{
+				if (is_array($value))
 				{
-					if (empty($replacement))
-						trigger_error('Database error, given array of integer values is empty.', E_USER_ERROR);
-
-					foreach ($replacement as $key => $value)
-					{
-						if (!is_numeric($value) || (string) $value !== (string) (int) $value)
-							trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Array of integers expected.', E_USER_ERROR);
-
-						$replacement[$key] = (string) (int) $value;
-					}
-
-					return implode(', ', $replacement);
+					throw new UnexpectedValueException('Array ' . $key .
+						' is used as a scalar placeholder. Did you mean to use \'@\' instead?');
 				}
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Array of integers expected.', E_USER_ERROR);
 
-			break;
-
-			case 'array_string':
-				if (is_array($replacement))
+				// Prepare date/time values
+				if (is_a($value, 'DateTime'))
 				{
-					if (empty($replacement))
-						trigger_error('Database error, given array of string values is empty.', E_USER_ERROR);
-
-					foreach ($replacement as $key => $value)
-						$replacement[$key] = sprintf('\'%1$s\'', mysqli_real_escape_string($connection, $value));
-
-					return implode(', ', $replacement);
+					$value = $value->format('Y-m-d H:i:s');
+				}
+			}
+			elseif (str_contains($db_string, '@' . $key))
+			{
+				if (!is_array($value))
+				{
+					throw new UnexpectedValueException('Scalar value ' . $key .
+						' is used as an array placeholder. Did you mean to use \':\' instead?');
 				}
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Array of strings expected.', E_USER_ERROR);
-			break;
 
-			case 'date':
-				if (preg_match('~^(\d{4})-([0-1]?\d)-([0-3]?\d)$~', $replacement, $date_matches) === 1)
-					return sprintf('\'%04d-%02d-%02d\'', $date_matches[1], $date_matches[2], $date_matches[3]);
-				elseif ($replacement === 'NULL')
-					return 'NULL';
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Date expected.', E_USER_ERROR);
-			break;
-
-			case 'datetime':
-				if (is_a($replacement, 'DateTime'))
-					return $replacement->format('\'Y-m-d H:i:s\'');
-				elseif (preg_match('~^(\d{4})-([0-1]?\d)-([0-3]?\d) (\d{2}):(\d{2}):(\d{2})$~', $replacement, $date_matches) === 1)
-					return sprintf('\'%04d-%02d-%02d %02d:%02d:%02d\'', $date_matches[1], $date_matches[2], $date_matches[3], $date_matches[4], $date_matches[5], $date_matches[6]);
-				elseif ($replacement === 'NULL')
-					return 'NULL';
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. DateTime expected.', E_USER_ERROR);
-			break;
-
-			case 'float':
-				if (!is_numeric($replacement) && $replacement !== 'NULL')
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Floating point number expected.', E_USER_ERROR);
-				return $replacement !== 'NULL' ? (string) (float) $replacement : 'NULL';
-			break;
-
-			case 'identifier':
-				// Backticks inside identifiers are supported as of MySQL 4.1. We don't need them here.
-				return '`' . strtr($replacement, ['`' => '', '.' => '']) . '`';
-			break;
-
-			case 'raw':
-				return $replacement;
-			break;
-
-			case 'bool':
-			case 'boolean':
-				// In mysql this is a synonym for tinyint(1)
-				return (bool)$replacement ? 1 : 0;
-			break;
-
-			default:
-				trigger_error('Undefined type <b>' . $matches[1] . '</b> used in the database query', E_USER_ERROR);
-			break;
+				// Create placeholders for all array elements
+				$placeholders = array_map(fn($num) => ':' . $key . $num, range(0, count($value) - 1));
+				$db_string = str_replace('@' . $key, implode(', ', $placeholders), $db_string);
+			}
+			else
+			{
+				// throw new Exception('Warning: unused key in query: ' . $key);
+			}
 		}
-	}
-
-	/**
-	 * Escapes and quotes a string using values passed, and executes the query.
-	 */
-	public function query($db_string, $db_values = [])
-	{
-		// One more query....
-		$this->query_count ++;
-
-		// Overriding security? This is evil!
-		$security_override = $db_values === 'security_override' || !empty($db_values['security_override']);
-
-		// Please, just use new style queries.
-		if (strpos($db_string, '\'') !== false && !$security_override)
-			trigger_error('Hack attempt!', 'Illegal character (\') used in query.', E_USER_ERROR);
-
-		if (!$security_override && !empty($db_values))
-		{
-			// Set some values for use in the callback function.
-			$this->db_callback = [$db_values, $this->connection];
-
-			// Insert the values passed to this function.
-			$db_string = preg_replace_callback('~{([a-z_]+)(?::([a-zA-Z0-9_-]+))?}~', [&$this, 'replacement_callback'], $db_string);
-
-			// Save some memory.
-			$this->db_callback = [];
-		}
-
-		if (defined("DB_LOG_QUERIES") && DB_LOG_QUERIES)
-			$this->logged_queries[] = $db_string;
-
-		$return = @mysqli_query($this->connection, $db_string, empty($this->unbuffered) ? MYSQLI_STORE_RESULT : MYSQLI_USE_RESULT);
-
-		if (!$return)
-		{
-			$clean_sql = implode("\n", array_map('trim', explode("\n", $db_string)));
-			trigger_error($this->error() . '<br>' . $clean_sql, E_USER_ERROR);
-		}
-
-		return $return;
-	}
-
-	/**
-	 * Escapes and quotes a string just like db_query, but does not execute the query.
-	 * Useful for debugging purposes.
-	 */
-	public function quote($db_string, $db_values = [])
-	{
-		// Please, just use new style queries.
-		if (strpos($db_string, '\'') !== false)
-			trigger_error('Hack attempt!', 'Illegal character (\') used in query.', E_USER_ERROR);
-
-		// Save some values for use in the callback function.
-		$this->db_callback = [$db_values, $this->connection];
-
-		// Insert the values passed to this function.
-		$db_string = preg_replace_callback('~{([a-z_]+)(?::([a-zA-Z0-9_-]+))?}~', [&$this, 'replacement_callback'], $db_string);
-
-		// Save some memory.
-		$this->db_callback = [];
 
 		return $db_string;
 	}
 
 	/**
-	 * Executes a query, returning an array of all the rows it returns.
+	 * Escapes and quotes a string using values passed, and executes the query.
 	 */
-	public function queryRow($db_string, $db_values = [])
+	public function query($db_string, array $db_values = []): PDOStatement
+	{
+		// One more query...
+		$this->query_count++;
+
+		// Error out if hardcoded strings are detected
+		if (strpos($db_string, '\'') !== false)
+			throw new UnexpectedValueException('Hack attempt: illegal character (\') used in query.');
+
+		if (defined('DB_LOG_QUERIES') && DB_LOG_QUERIES)
+			$this->logged_queries[] = $db_string;
+
+		try
+		{
+			// Preprocessing/checks: prepare any arrays for binding
+			$db_string = $this->expandPlaceholders($db_string, $db_values);
+
+			// Prepare query for execution
+			$statement = $this->connection->prepare($db_string);
+
+			// Bind parameters... the hard way, due to a limit/offset hack.
+			// NB: bindParam binds by reference, hence &$value here.
+			foreach ($db_values as $key => &$value)
+			{
+				// Assumption: both scalar and array values are preprocessed to use named ':' placeholders
+				if (!str_contains($db_string, ':' . $key))
+					continue;
+
+				if (!is_array($value))
+				{
+					$statement->bindParam(':' . $key, $value);
+					continue;
+				}
+
+				foreach (array_values($value) as $num => &$element)
+				{
+					$statement->bindParam(':' . $key . $num, $element);
+				}
+			}
+
+			$statement->execute();
+			return $statement;
+		}
+		catch (PDOException $e)
+		{
+			ob_start();
+
+			$debug = ob_get_clean();
+
+			throw new Exception($e->getMessage() . "\n" . var_export($e->errorInfo, true) . "\n" . var_export($db_values, true));
+		}
+	}
+
+	/**
+	 * Executes a query, returning an object of the row it returns.
+	 */
+	public function queryObject($class, $db_string, $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if (!$res || $this->rowCount($res) === 0)
+			return null;
+
+		$object = $this->fetchObject($res, $class);
+		$this->free($res);
+
+		return $object;
+	}
+
+	/**
+	 * Executes a query, returning an array of objects of all the rows returns.
+	 */
+	public function queryObjects($class, $db_string, $db_values = [])
+	{
+		$res = $this->query($db_string, $db_values);
+
+		if (!$res || $this->rowCount($res) === 0)
 			return [];
 
-		$row = $this->fetch_row($res);
-		$this->free_result($res);
+		$rows = [];
+		while ($object = $this->fetchObject($res, $class))
+			$rows[] = $object;
+
+		$this->free($res);
+
+		return $rows;
+	}
+
+	/**
+	 * Executes a query, returning an array of all the rows it returns.
+	 */
+	public function queryRow($db_string, array $db_values = [])
+	{
+		$res = $this->query($db_string, $db_values);
+
+		if ($this->rowCount($res) === 0)
+			return [];
+
+		$row = $this->fetchNum($res);
+		$this->free($res);
 
 		return $row;
 	}
@@ -357,18 +270,18 @@ class Database
 	/**
 	 * Executes a query, returning an array of all the rows it returns.
 	 */
-	public function queryRows($db_string, $db_values = [])
+	public function queryRows($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_row($res))
+		while ($row = $this->fetchNum($res))
 			$rows[] = $row;
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -376,18 +289,18 @@ class Database
 	/**
 	 * Executes a query, returning an array of all the rows it returns.
 	 */
-	public function queryPair($db_string, $db_values = [])
+	public function queryPair($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_row($res))
+		while ($row = $this->fetchNum($res))
 			$rows[$row[0]] = $row[1];
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -395,21 +308,21 @@ class Database
 	/**
 	 * Executes a query, returning an array of all the rows it returns.
 	 */
-	public function queryPairs($db_string, $db_values = [])
+	public function queryPairs($db_string, $db_values = array())
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if (!$res || $this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_assoc($res))
+		while ($row = $this->fetchAssoc($res))
 		{
 			$key_value = reset($row);
 			$rows[$key_value] = $row;
 		}
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -417,15 +330,15 @@ class Database
 	/**
 	 * Executes a query, returning an associative array of all the rows it returns.
 	 */
-	public function queryAssoc($db_string, $db_values = [])
+	public function queryAssoc($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
-		$row = $this->fetch_assoc($res);
-		$this->free_result($res);
+		$row = $this->fetchAssoc($res);
+		$this->free($res);
 
 		return $row;
 	}
@@ -433,18 +346,18 @@ class Database
 	/**
 	 * Executes a query, returning an associative array of all the rows it returns.
 	 */
-	public function queryAssocs($db_string, $db_values = [], $connection = null)
+	public function queryAssocs($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_assoc($res))
+		while ($row = $this->fetchAssoc($res))
 			$rows[] = $row;
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -452,16 +365,16 @@ class Database
 	/**
 	 * Executes a query, returning the first value of the first row.
 	 */
-	public function queryValue($db_string, $db_values = [])
+	public function queryValue($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
 		// If this happens, you're doing it wrong.
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return null;
 
-		list($value) = $this->fetch_row($res);
-		$this->free_result($res);
+		list($value) = $this->fetchNum($res);
+		$this->free($res);
 
 		return $value;
 	}
@@ -469,18 +382,18 @@ class Database
 	/**
 	 * Executes a query, returning an array of the first value of each row.
 	 */
-	public function queryValues($db_string, $db_values = [])
+	public function queryValues($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_row($res))
+		while ($row = $this->fetchNum($res))
 			$rows[] = $row[0];
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -488,7 +401,7 @@ class Database
 	/**
 	 * This function can be used to insert data into the database in a secure way.
 	 */
-	public function insert($method = 'replace', $table, $columns, $data)
+	public function insert($method, $table, $columns, $data)
 	{
 		// With nothing to insert, simply return.
 		if (empty($data))
@@ -498,35 +411,45 @@ class Database
 		if (!is_array($data[array_rand($data)]))
 			$data = [$data];
 
-		// Create the mold for a single row insert.
-		$insertData = '(';
-		foreach ($columns as $columnName => $type)
-		{
-			// Are we restricting the length?
-			if (strpos($type, 'string-') !== false)
-				$insertData .= sprintf('SUBSTRING({string:%1$s}, 1, ' . substr($type, 7) . '), ', $columnName);
-			else
-				$insertData .= sprintf('{%1$s:%2$s}, ', $type, $columnName);
-		}
-		$insertData = substr($insertData, 0, -2) . ')';
-
-		// Create an array consisting of only the columns.
-		$indexed_columns = array_keys($columns);
-
-		// Here's where the variables are injected to the query.
-		$insertRows = [];
-		foreach ($data as $dataRow)
-			$insertRows[] = $this->quote($insertData, array_combine($indexed_columns, $dataRow));
-
 		// Determine the method of insertion.
-		$queryTitle = $method == 'replace' ? 'REPLACE' : ($method == 'ignore' ? 'INSERT IGNORE' : 'INSERT');
+		$method = $method == 'replace' ? 'REPLACE' : ($method == 'ignore' ? 'INSERT IGNORE' : 'INSERT');
 
-		// Do the insert.
-		return $this->query('
-			' . $queryTitle . ' INTO ' . $table . ' (`' . implode('`, `', $indexed_columns) . '`)
-			VALUES
-				' . implode(',
-				', $insertRows),
-			['security_override' => true]);
+		// What columns are we inserting?
+		$columns = array_keys($data[0]);
+
+		// Start building the query.
+		$db_string = $method . ' INTO ' . $table . ' (' . implode(',', $columns) . ') VALUES ';
+
+		// Create the mold for a single row insert.
+		$placeholders = '(' . substr(str_repeat('?, ', count($columns)), 0, -2) . '), ';
+
+		// Append it for every row we're to insert.
+		$values = [];
+		foreach ($data as $row)
+		{
+			$values = array_merge($values, array_values($row));
+			$db_string .= $placeholders;
+		}
+
+		// Get rid of the tailing comma.
+		$db_string = substr($db_string, 0, -2);
+
+		// Prepare for your impending demise!
+		$statement = $this->connection->prepare($db_string);
+
+		// Bind parameters... the hard way, due to a limit/offset hack.
+		foreach ($values as $key => $value)
+			$statement->bindValue($key + 1, $values[$key]);
+
+		// Handle errors.
+		try
+		{
+			$statement->execute();
+			return $statement;
+		}
+		catch (PDOException $e)
+		{
+			throw new Exception($e->getMessage() . '<br><br>' . $db_string . '<br><br>' . print_r($values, true));
+		}
 	}
 }

models/Dispatcher.php

@@ -8,79 +8,12 @@
 
 class Dispatcher
 {
-	public static function route()
-	{
-		$possibleActions = [
-			'addalbum' => 'EditAlbum',
-			'albums' => 'ViewPhotoAlbums',
-			'editalbum' => 'EditAlbum',
-			'editasset' => 'EditAsset',
-			'edittag' => 'EditTag',
-			'edituser' => 'EditUser',
-			'login' => 'Login',
-			'logout' => 'Logout',
-			'managealbums' => 'ManageAlbums',
-			'manageassets' => 'ManageAssets',
-			'manageerrors' => 'ManageErrors',
-			'managetags' => 'ManageTags',
-			'manageusers' => 'ManageUsers',
-			'people' => 'ViewPeople',
-			'resetpassword' => 'ResetPassword',
-			'suggest' => 'ProvideAutoSuggest',
-			'timeline' => 'ViewTimeline',
-			'uploadmedia' => 'UploadMedia',
-			'download' => 'Download',
-		];
-
-		// Work around PHP's FPM not always providing PATH_INFO.
-		if (empty($_SERVER['PATH_INFO']) && isset($_SERVER['REQUEST_URI']))
-		{
-			if (strpos($_SERVER['REQUEST_URI'], '?') === false)
-				$_SERVER['PATH_INFO'] = $_SERVER['REQUEST_URI'];
-			else
-				$_SERVER['PATH_INFO'] = substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '?'));
-		}
-
-		// Just showing the album index?
-		if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/')
-		{
-			return new ViewPhotoAlbum();
-		}
-		// Asynchronously generating thumbnails?
-		elseif (preg_match('~^/thumbnail/(?<id>\d+)/(?<width>\d+)x(?<height>\d+)(?:_(?<mode>c(t|b|s|)))?/?~', $_SERVER['PATH_INFO'], $path))
-		{
-			$_GET = array_merge($_GET, $path);
-			return new GenerateThumbnail();
-		}
-		// Look for particular actions...
-		elseif (preg_match('~^/(?<action>[a-z]+)(?:/page/(?<page>\d+))?/?~', $_SERVER['PATH_INFO'], $path) && isset($possibleActions[$path['action']]))
-		{
-			$_GET = array_merge($_GET, $path);
-			return new $possibleActions[$path['action']]();
-		}
-		// An album, person, or any other tag?
-		elseif (preg_match('~^/(?<tag>.+?)(?:/page/(?<page>\d+))?/?$~', $_SERVER['PATH_INFO'], $path) && Tag::matchSlug($path['tag']))
-		{
-			$_GET = array_merge($_GET, $path);
-			return new ViewPhotoAlbum();
-		}
-		// A photo for sure, then, right?
-		elseif (preg_match('~^/(?<slug>.+?)/?$~', $_SERVER['PATH_INFO'], $path))
-		{
-			$_GET = array_merge($_GET, $path);
-			return new ViewPhoto();
-		}
-		// No idea, then?
-		else
-			throw new NotFoundException();
-	}
-
 	public static function dispatch()
 	{
 		// Let's try to find our bearings!
 		try
 		{
-			$page = self::route();
+			$page = Router::route();
 			$page->showContent();
 		}
 		// Something wasn't found?
@@ -111,13 +44,26 @@ class Dispatcher
 		}
 	}
 
+	public static function errorPage($title, $body)
+	{
+		$page = new MainTemplate($title);
+		$page->adopt(new ErrorPage($title, $body));
+
+		if (Registry::get('user')->isAdmin())
+		{
+			$page->appendStylesheet(BASEURL . '/css/admin.css');
+		}
+
+		$page->html_main();
+	}
+
 	/**
 	 * Kicks a guest to a login form, redirecting them back to this page upon login.
 	 */
 	public static function kickGuest($title = null, $message = null)
 	{
 		$form = new LogInForm('Log in');
-		$form->adopt(new Alert($title ?? '', $message ?? 'You need to be logged in to view this page.', 'error'));
+		$form->adopt(new Alert($title ?? '', $message ?? 'You need to be logged in to view this page.', 'danger'));
 		$form->setRedirectUrl($_SERVER['REQUEST_URI']);
 
 		$page = new MainTemplate('Login required');
@@ -127,38 +73,24 @@ class Dispatcher
 		exit;
 	}
 
-	public static function trigger400()
+	private static function trigger400()
 	{
-		header('HTTP/1.1 400 Bad Request');
-		$page = new MainTemplate('Bad request');
-		$page->adopt(new DummyBox('Bad request', '<p>The server does not understand your request.</p>'));
-		$page->html_main();
+		http_response_code(400);
+		self::errorPage('Bad request', 'The server does not understand your request.');
 		exit;
 	}
 
-	public static function trigger403()
+	private static function trigger403()
 	{
-		header('HTTP/1.1 403 Forbidden');
-		$page = new MainTemplate('Access denied');
-		$page->adopt(new DummyBox('Forbidden', '<p>You do not have access to the page you requested.</p>'));
-		$page->html_main();
+		http_response_code(403);
+		self::errorPage('Forbidden', 'You do not have access to this page.');
 		exit;
 	}
 
-	public static function trigger404()
+	private static function trigger404()
 	{
-		header('HTTP/1.1 404 Not Found');
-		$page = new MainTemplate('Page not found');
-
-		if (Registry::has('user') && Registry::get('user')->isAdmin())
-		{
-			$page->appendStylesheet(BASEURL . '/css/admin.css');
-			$page->adopt(new AdminBar());
-		}
-
-		$page->adopt(new DummyBox('Well, this is a bit embarrassing!', '<p>The page you requested could not be found. Don\'t worry, it\'s probably not your fault. You\'re welcome to browse the website, though!</p>', 'errormsg'));
-		$page->addClass('errorpage');
-		$page->html_main();
-		exit;
+		http_response_code(404);
+		$page = new ViewErrorPage('Page not found!');
+		$page->showContent();
 	}
 }

models/EXIF.php

@@ -12,6 +12,7 @@ class EXIF
 	public $iso = 0;
 	public $shutter_speed = 0;
 	public $title = '';
+	public $software = '';
 
 	private function __construct(array $meta)
 	{
@@ -35,6 +36,7 @@ class EXIF
 			'iso' => 0,
 			'shutter_speed' => 0,
 			'title' => '',
+			'software' => '',
 		];
 
 		if (!function_exists('exif_read_data'))
@@ -88,7 +90,9 @@ class EXIF
 
 		if (!empty($exif['Model']))
 		{
-			if (!empty($exif['Make']) && strpos($exif['Model'], $exif['Make']) === false)
+			if (strpos($exif['Model'], 'PENTAX') !== false)
+				$meta['camera'] = trim($exif['Model']);
+			elseif (!empty($exif['Make']) && strpos($exif['Model'], $exif['Make']) === false)
 				$meta['camera'] = trim($exif['Make']) . ' ' . trim($exif['Model']);
 			else
 				$meta['camera'] = trim($exif['Model']);
@@ -101,6 +105,9 @@ class EXIF
 		elseif (!empty($exif['DateTimeDigitized']))
 			$meta['created_timestamp'] = self::toUnixTime($exif['DateTimeDigitized']);
 
+		if (!empty($exif['Software']))
+			$meta['software'] = $exif['Software'];
+
 		return new self($meta);
 	}
 

models/Email.php

@@ -69,7 +69,7 @@ class Email
 		$row = Registry::get('db')->queryAssoc('
 			SELECT first_name, surname, emailaddress, reset_key
 			FROM users
-			WHERE id_user = {int:id_user}',
+			WHERE id_user = :id_user',
 			[
 				'id_user' => $id_user,
 			]);

models/ErrorHandler.php

@@ -3,7 +3,7 @@
  * ErrorHandler.php
  * Contains key class ErrorHandler.
  *
- * Kabuki CMS (C) 2013-2016, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
  *****************************************************************************/
 
 class ErrorHandler
@@ -47,10 +47,8 @@ class ErrorHandler
 		// Log the error in the database.
 		self::logError($error_message, $debug_info, $file, $line);
 
-		// Are we considering this fatal? Then display and exit.
-		// !!! TODO: should we consider warnings fatal?
-		if (true) // DEBUG || (!DEBUG && $error_level === E_WARNING || $error_level === E_USER_WARNING))
-			self::display($file . ' (' . $line . ')<br>' . $error_message, $debug_info);
+		// Display error and exit.
+		self::display($error_message, $file, $line, $debug_info);
 
 		// If it wasn't a fatal error, well...
 		self::$handling_error = false;
@@ -63,11 +61,11 @@ class ErrorHandler
 
 		// Include info on the contents of superglobals.
 		if (!empty($_SESSION))
-			$debug_info .= "\nSESSION: " . print_r($_SESSION, true);
+			$debug_info .= "\nSESSION: " . var_export($_SESSION, true);
 		if (!empty($_POST))
-			$debug_info .= "\nPOST: " . print_r($_POST, true);
+			$debug_info .= "\nPOST: " . var_export($_POST, true);
 		if (!empty($_GET))
-			$debug_info .= "\nGET: " . print_r($_GET, true);
+			$debug_info .= "\nGET: " . var_export($_GET, true);
 
 		return $debug_info;
 	}
@@ -96,12 +94,17 @@ class ErrorHandler
 			$object = isset($call['class']) ? $call['class'] . $call['type'] : '';
 
 			$args = [];
-			foreach ($call['args'] as $j => $arg)
+			if (isset($call['args']))
 			{
-				if (is_array($arg))
-					$args[$j] = print_r($arg, true);
-				elseif (is_object($arg))
-					$args[$j] = var_dump($arg);
+				foreach ($call['args'] as $j => $arg)
+				{
+					// Only include the class name for objects
+					if (is_object($arg))
+						$args[$j] = get_class($arg) . '{}';
+					// Export everything else -- including arrays
+					else
+						$args[$j] = var_export($arg, true);
+				}
 			}
 
 			$buffer .= '#' . str_pad($i, 3, ' ')
@@ -113,7 +116,7 @@ class ErrorHandler
 	}
 
 	// Logs an error into the database.
-	private static function logError($error_message = '', $debug_info = '', $file = '', $line = 0)
+	public static function logError($error_message = '', $debug_info = '', $file = '', $line = 0)
 	{
 		if (!ErrorLog::log([
 			'message' => $error_message,
@@ -125,15 +128,15 @@ class ErrorHandler
 			'request_uri' => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '',
 			]))
 		{
-			header('HTTP/1.1 503 Service Temporarily Unavailable');
-			echo '<h2>An Error Occured</h2><p>Our software could not connect to the database. We apologise for any inconvenience and ask you to check back later.</p>';
+			http_response_code(503);
+			echo '<h2>An Error Occurred</h2><p>Our software could not connect to the database. We apologise for any inconvenience and ask you to check back later.</p>';
 			exit;
 		}
 
 		return $error_message;
 	}
 
-	public static function display($message, $debug_info, $is_sensitive = true)
+	public static function display($message, $file, $line, $debug_info, $is_sensitive = true)
 	{
 		$is_admin = Registry::has('user') && Registry::get('user')->isAdmin();
 
@@ -151,30 +154,30 @@ class ErrorHandler
 			elseif (!$is_sensitive)
 				echo json_encode(['error' => $message]);
 			else
-				echo json_encode(['error' => 'Our apologies, an error occured while we were processing your request. Please try again later, or contact us if the problem persists.']);
+				echo json_encode(['error' => 'Our apologies, an error occurred while we were processing your request. Please try again later, or contact us if the problem persists.']);
 			exit;
 		}
 
 		// Initialise the main template to present a nice message to the user.
-		$page = new MainTemplate('An error occured!');
+		$page = new MainTemplate('An error occurred!');
 
 		// Show the error.
 		$is_admin = Registry::has('user') && Registry::get('user')->isAdmin();
 		if (DEBUG || $is_admin)
 		{
-			$page->adopt(new DummyBox('An error occured!', '<p>' . $message . '</p><pre>' . $debug_info . '</pre>'));
+			$debug_info = sprintf("Trigger point:\n%s (L%d)\n\n%s", $file, $line, $debug_info);
+			$page->adopt(new ErrorPage('An error occurred!', $message, $debug_info));
 
 			// Let's provide the admin navigation despite it all!
 			if ($is_admin)
 			{
 				$page->appendStylesheet(BASEURL . '/css/admin.css');
-				$page->adopt(new AdminBar());
 			}
 		}
 		elseif (!$is_sensitive)
-			$page->adopt(new DummyBox('An error occured!', '<p>' . $message . '</p>'));
+			$page->adopt(new ErrorPage('An error occurred!', '<p>' . $message . '</p>'));
 		else
-			$page->adopt(new DummyBox('An error occured!', '<p>Our apologies, an error occured while we were processing your request. Please try again later, or contact us if the problem persists.</p>'));
+			$page->adopt(new ErrorPage('An error occurred!', 'Our apologies, an error occurred while we were processing your request. Please try again later, or contact us if the problem persists.'));
 
 		// If we got this far, make sure we're not showing stuff twice.
 		ob_end_clean();

models/ErrorLog.php

@@ -17,14 +17,14 @@ class ErrorLog
 			INSERT INTO log_errors
 			(id_user, message, debug_info, file, line, request_uri, time, ip_address)
 			VALUES
-			({int:id_user}, {string:message}, {string:debug_info}, {string:file}, {int:line},
-			 {string:request_uri}, CURRENT_TIMESTAMP, {string:ip_address})',
+			(:id_user, :message, :debug_info, :file, :line,
+			 :request_uri, CURRENT_TIMESTAMP, :ip_address)',
 			$data);
 	}
 
 	public static function flush()
 	{
-		return Registry::get('db')->query('TRUNCATE log_errors');
+		return Registry::get('db')->query('DELETE FROM log_errors');
 	}
 
 	public static function getCount()
@@ -33,4 +33,20 @@ class ErrorLog
 			SELECT COUNT(*)
 			FROM log_errors');
 	}
+
+	public static function getOffset($offset, $limit, $order, $direction)
+	{
+		assert(in_array($order, ['id_entry', 'file', 'line', 'time', 'ipaddress', 'id_user']));
+		$order = $order . ($direction === 'up' ? ' ASC' : ' DESC');
+
+		return Registry::get('db')->queryAssocs('
+			SELECT *
+			FROM log_errors
+			ORDER BY ' . $order . '
+			LIMIT :offset, :limit',
+			[
+				'offset' => $offset,
+				'limit' => $limit,
+			]);
+	}
 }

models/Form.php

@@ -3,30 +3,77 @@
  * Form.php
  * Contains key class Form.
  *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2023, Aaron van Geffen
  *****************************************************************************/
 
 class Form
 {
 	public $request_method;
 	public $request_url;
-	public $content_above;
-	public $content_below;
-	private $fields;
-	private $data;
-	private $missing;
+
+	private $fields = [];
+	public $before_fields;
+	public $after_fields;
+
+	private $submit_caption;
+	public $buttons_extra;
+	private $trim_inputs;
+
+	private $data = [];
+	private $missing = [];
 
 	// NOTE: this class does not verify the completeness of form options.
 	public function __construct($options)
 	{
-		$this->request_method = !empty($options['request_method']) ? $options['request_method'] : 'POST';
-		$this->request_url = !empty($options['request_url']) ? $options['request_url'] : BASEURL;
-		$this->fields = !empty($options['fields']) ? $options['fields'] : [];
-		$this->content_below = !empty($options['content_below']) ? $options['content_below'] : null;
-		$this->content_above = !empty($options['content_above']) ? $options['content_above'] : null;
+		static $optionKeys = [
+			'request_method' => 'POST',
+			'request_url' => BASEURL,
+
+			'fields' => [],
+			'before_fields' => null,
+			'after_fields' => null,
+
+			'submit_caption' => 'Save information',
+			'buttons_extra' => null,
+			'trim_inputs' => true,
+		];
+
+		foreach ($optionKeys as $optionKey => $default)
+			$this->$optionKey = !empty($options[$optionKey]) ? $options[$optionKey] : $default;
 	}
 
-	public function verify($post)
+	public function getFields()
+	{
+		return $this->fields;
+	}
+
+	public function getData()
+	{
+		return $this->data;
+	}
+
+	public function getSubmitButtonCaption()
+	{
+		return $this->submit_caption;
+	}
+
+	public function getMissing()
+	{
+		return $this->missing;
+	}
+
+	public function setData($data)
+	{
+		$this->verify($data, true);
+		$this->missing = [];
+	}
+
+	public function setFieldAsMissing($field)
+	{
+		$this->missing[] = $field;
+	}
+
+	public function verify($post, $initalisation = false)
 	{
 		$this->data = [];
 		$this->missing = [];
@@ -41,30 +88,43 @@ class Form
 			}
 
 			// No data present at all for this field?
-			if ((!isset($post[$field_id]) || $post[$field_id] == '') && empty($field['is_optional']))
+			if ((!isset($post[$field_id]) || $post[$field_id] == '') &&
+				$field['type'] !== 'captcha')
 			{
-				$this->missing[] = $field_id;
-				$this->data[$field_id] = '';
+				if (empty($field['is_optional']))
+					$this->missing[] = $field_id;
+
+				if ($field['type'] === 'select' && !empty($field['multiple']))
+					$this->data[$field_id] = [];
+				else
+					$this->data[$field_id] = '';
+
 				continue;
 			}
 
-			// Verify data for all fields
+			// Should we trim this?
+			if ($this->trim_inputs && $field['type'] !== 'captcha' && empty($field['multiple']))
+				$post[$field_id] = trim($post[$field_id]);
+
+			// Using a custom validation function?
+			if (isset($field['validate']) && is_callable($field['validate']))
+			{
+				// Validation functions can clean up the data if passed by reference
+				$this->data[$field_id] = $post[$field_id];
+
+				// Evaluate validation functions as boolean to see if data is missing
+				if (!$field['validate']($post[$field_id]))
+					$this->missing[] = $field_id;
+
+				continue;
+			}
+
+			// Verify data by field type
 			switch ($field['type'])
 			{
 				case 'select':
 				case 'radio':
-					// Skip validation? Dangerous territory!
-					if (isset($field['verify_options']) && $field['verify_options'] === false)
-						$this->data[$field_id] = $post[$field_id];
-					// Check whether selected option is valid.
-					elseif (isset($post[$field_id]) && !isset($field['options'][$post[$field_id]]))
-					{
-						$this->missing[] = $field_id;
-						$this->data[$field_id] = '';
-						continue 2;
-					}
-					else
-						$this->data[$field_id] = $post[$field_id];
+					$this->validateSelect($field_id, $field, $post);
 					break;
 
 				case 'checkbox':
@@ -73,61 +133,22 @@ class Form
 					break;
 
 				case 'color':
-					// Colors are stored as a string of length 3 or 6 (hex)
-					if (!isset($post[$field_id]) || (strlen($post[$field_id]) != 3 && strlen($post[$field_id]) != 6))
-					{
-						$this->missing[] = $field_id;
-						$this->data[$field_id] = '';
-						continue 2;
-					}
-					else
-						$this->data[$field_id] = $post[$field_id];
+					$this->validateColor($field_id, $field, $post);
 					break;
 
 				case 'file':
-					// Needs to be verified elsewhere!
+					// Asset needs to be processed out of POST! This is just a filename.
+					$this->data[$field_id] = isset($post[$field_id]) ? $post[$field_id] : '';
 					break;
 
 				case 'numeric':
-					$data = isset($post[$field_id]) ? $post[$field_id] : '';
-					// Do we need to check bounds?
-					if (isset($field['min_value']) && is_numeric($data))
-					{
-						if (is_float($field['min_value']) && (float) $data < $field['min_value'])
-						{
-							$this->missing[] = $field_id;
-							$this->data[$field_id] = 0.0;
-						}
-						elseif (is_int($field['min_value']) && (int) $data < $field['min_value'])
-						{
-							$this->missing[] = $field_id;
-							$this->data[$field_id] = 0;
-						}
-						else
-							$this->data[$field_id] = $data;
-					}
-					elseif (isset($field['max_value']) && is_numeric($data))
-					{
-						if (is_float($field['max_value']) && (float) $data > $field['max_value'])
-						{
-							$this->missing[] = $field_id;
-							$this->data[$field_id] = 0.0;
-						}
-						elseif (is_int($field['max_value']) && (int) $data > $field['max_value'])
-						{
-							$this->missing[] = $field_id;
-							$this->data[$field_id] = 0;
-						}
-						else
-							$this->data[$field_id] = $data;
-					}
-					// Does it look numeric?
-					elseif (is_numeric($data))
-					{
-						$this->data[$field_id] = $data;
-					}
-					// Let's consider it missing, then.
-					else
+					$this->validateNumeric($field_id, $field, $post);
+					break;
+
+				case 'captcha':
+					if (isset($_POST['g-recaptcha-response']) && !$initalisation)
+						$this->validateCaptcha($field_id);
+					elseif (!$initalisation)
 					{
 						$this->missing[] = $field_id;
 						$this->data[$field_id] = 0;
@@ -137,29 +158,200 @@ class Form
 				case 'text':
 				case 'textarea':
 				default:
-					$this->data[$field_id] = isset($post[$field_id]) ? $post[$field_id] : '';
+					$this->validateText($field_id, $field, $post);
 			}
 		}
 	}
 
-	public function setData($data)
+	private function validateCaptcha($field_id)
 	{
-		$this->verify($data);
-		$this->missing = [];
+		$postdata = http_build_query([
+			'secret' => RECAPTCHA_API_SECRET,
+			'response' => $_POST['g-recaptcha-response'],
+		]);
+
+		$opts = [
+			'http' => [
+				'method'  => 'POST',
+				'header'  => 'Content-type: application/x-www-form-urlencoded',
+				'content' => $postdata,
+			]
+		];
+
+		$context  = stream_context_create($opts);
+		$result = file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
+		$check = json_decode($result);
+
+		if ($check->success)
+		{
+			$this->data[$field_id] = 1;
+		}
+		else
+		{
+			$this->data[$field_id] = 0;
+			$this->missing[] = $field_id;
+		}
 	}
 
-	public function getFields()
+	private function validateColor($field_id, array $field, array $post)
 	{
-		return $this->fields;
+		// Colors are stored as a string of length 3 or 6 (hex)
+		if (!isset($post[$field_id]) || (strlen($post[$field_id]) != 3 && strlen($post[$field_id]) != 6))
+		{
+			$this->missing[] = $field_id;
+			$this->data[$field_id] = '';
+		}
+		else
+			$this->data[$field_id] = $post[$field_id];
 	}
 
-	public function getData()
+	private function validateNumeric($field_id, array $field, array $post)
 	{
-		return $this->data;
+		$data = isset($post[$field_id]) ? $post[$field_id] : '';
+
+		// Sanity check: does this even look numeric?
+		if (!is_numeric($data))
+		{
+			$this->missing[] = $field_id;
+			$this->data[$field_id] = 0;
+			return;
+		}
+
+		// Do we need to a minimum bound?
+		if (isset($field['min_value']))
+		{
+			if (is_float($field['min_value']) && (float) $data < $field['min_value'])
+			{
+				$this->missing[] = $field_id;
+				$this->data[$field_id] = 0.0;
+			}
+			elseif (is_int($field['min_value']) && (int) $data < $field['min_value'])
+			{
+				$this->missing[] = $field_id;
+				$this->data[$field_id] = 0;
+			}
+		}
+
+		// What about a maximum bound?
+		if (isset($field['max_value']))
+		{
+			if (is_float($field['max_value']) && (float) $data > $field['max_value'])
+			{
+				$this->missing[] = $field_id;
+				$this->data[$field_id] = 0.0;
+			}
+			elseif (is_int($field['max_value']) && (int) $data > $field['max_value'])
+			{
+				$this->missing[] = $field_id;
+				$this->data[$field_id] = 0;
+			}
+		}
+
+		$this->data[$field_id] = $data;
 	}
 
-	public function getMissing()
+	private function validateSelect($field_id, array $field, array $post)
 	{
-		return $this->missing;
+		// Skip validation? Dangerous territory!
+		if (isset($field['verify_options']) && $field['verify_options'] === false)
+		{
+			$this->data[$field_id] = $post[$field_id];
+			return;
+		}
+
+		// Check whether selected option is valid.
+		if (($field['type'] !== 'select' || empty($field['multiple'])) && empty($field['has_groups']))
+		{
+			if (isset($post[$field_id]) && !isset($field['options'][$post[$field_id]]))
+			{
+				$this->missing[] = $field_id;
+				$this->data[$field_id] = '';
+				return;
+			}
+			else
+				$this->data[$field_id] = $post[$field_id];
+		}
+		// Multiple selections involve a bit more work.
+		elseif (!empty($field['multiple']) && empty($field['has_groups']))
+		{
+			$this->data[$field_id] = [];
+			if (!is_array($post[$field_id]))
+			{
+				if (isset($field['options'][$post[$field_id]]))
+					$this->data[$field_id][] = $post[$field_id];
+				else
+					$this->missing[] = $field_id;
+				return;
+			}
+
+			foreach ($post[$field_id] as $option)
+			{
+				if (isset($field['options'][$option]))
+					$this->data[$field_id][] = $option;
+			}
+
+			if (empty($this->data[$field_id]))
+				$this->missing[] = $field_id;
+		}
+		// Any optgroups involved?
+		elseif (!empty($field['has_groups']))
+		{
+			if (!isset($post[$field_id]))
+			{
+				$this->missing[] = $field_id;
+				$this->data[$field_id] = '';
+				return;
+			}
+
+			// Expensive: iterate over all groups until the value selected has been found.
+			foreach ($field['options'] as $label => $options)
+			{
+				if (is_array($options))
+				{
+					// Consider each of the options as a valid a value.
+					foreach ($options as $value => $label)
+					{
+						if ($post[$field_id] === $value)
+						{
+							$this->data[$field_id] = $options;
+							return;
+						}
+					}
+				}
+				else
+				{
+					// This is an ungrouped value in disguise! Treat it as such.
+					if ($post[$field_id] === $options)
+					{
+						$this->data[$field_id] = $options;
+						return;
+					}
+					else
+						continue;
+				}
+			}
+
+			// If we've reached this point, we'll consider the data invalid.
+			$this->missing[] = $field_id;
+			$this->data[$field_id] = '';
+		}
+		else
+		{
+			throw new UnexpectedValueException('Unexpected field configuration in validateSelect!');
+		}
+	}
+
+	private function validateText($field_id, array $field, array $post)
+	{
+		$this->data[$field_id] = isset($post[$field_id]) ? $post[$field_id] : '';
+
+		// Trim leading and trailing whitespace?
+		if (!empty($field['trim']))
+			$this->data[$field_id] = trim($this->data[$field_id]);
+
+		// Is there a length limit to enforce?
+		if (isset($field['maxlength']) && strlen($post[$field_id]) > $field['maxlength']) {
+			$post[$field_id] = substr($post[$field_id], 0, $field['maxlength']);
+		}
 	}
 }

models/GenericTable.php

@@ -3,7 +3,7 @@
  * GenericTable.php
  * Contains key class GenericTable.
  *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2023, Aaron van Geffen
  *****************************************************************************/
 
 class GenericTable
@@ -15,68 +15,40 @@ class GenericTable
 
 	private $title;
 	private $title_class;
-	private $tableIsSortable = false;
 
 	public $form_above;
 	public $form_below;
+	private $table_class;
+	private $sort_direction;
+	private $sort_order;
+	private $base_url;
+	private $start;
+	private $items_per_page;
+	private $recordCount;
 
 	public function __construct($options)
 	{
-		// Make sure we're actually sorting on something sortable.
-		if (!isset($options['sort_order']) || (!empty($options['sort_order']) && empty($options['columns'][$options['sort_order']]['is_sortable'])))
-			$options['sort_order'] = '';
+		$this->initOrder($options);
+		$this->initPagination($options);
 
-		// Order in which direction?
-		if (!empty($options['sort_direction']) && !in_array($options['sort_direction'], ['up', 'down']))
-			$options['sort_direction'] = 'up';
-
-		// Make sure we know whether we can actually sort on something.
-		$this->tableIsSortable = !empty($options['base_url']);
-
-		// How much data do we have?
-		$this->recordCount = $options['get_count'](...(!empty($options['get_count_params']) ? $options['get_count_params'] : []));
-
-		// How much data do we need to retrieve?
-		$this->items_per_page = !empty($options['items_per_page']) ? $options['items_per_page'] : 30;
-
-		// Figure out where to start.
-		$this->start = empty($options['start']) || !is_numeric($options['start']) || $options['start'] < 0 || $options['start'] > $this->recordCount ? 0 : $options['start'];
-
-		// Figure out where we are on the whole, too.
-		$numPages = ceil($this->recordCount / $this->items_per_page);
-		$this->currentPage = min(ceil($this->start / $this->items_per_page) + 1, $numPages);
-
-		// Let's bear a few things in mind...
-		$this->base_url = $options['base_url'];
-
-		// Gather parameters for the data gather function first.
-		$parameters = [$this->start, $this->items_per_page, $options['sort_order'], $options['sort_direction']];
-		if (!empty($options['get_data_params']) && is_array($options['get_data_params']))
-			$parameters = array_merge($parameters, $options['get_data_params']);
-
-		// Okay, let's fetch the data!
-		$data = $options['get_data'](...$parameters);
-
-		// Extract data into local variables.
-		$rawRowData = $data['rows'];
-		$this->sort_order = $data['order'];
-		$this->sort_direction = $data['direction'];
-		unset($data);
+		$data = $options['get_data']($this->start, $this->items_per_page,
+			$this->sort_order, $this->sort_direction);
 
 		// Okay, now for the column headers...
 		$this->generateColumnHeaders($options);
 
 		// Should we create a page index?
-		$needsPageIndex = !empty($this->items_per_page) && $this->recordCount > $this->items_per_page;
-		if ($needsPageIndex)
+		if ($this->recordCount > $this->items_per_page)
 			$this->generatePageIndex($options);
 
 		// Process the data to be shown into rows.
-		if (!empty($rawRowData))
-			$this->processAllRows($rawRowData, $options);
+		if (!empty($data))
+			$this->processAllRows($data, $options);
 		else
 			$this->body = $options['no_items_label'] ?? '';
 
+		$this->table_class = $options['table_class'] ?? '';
+
 		// Got a title?
 		$this->title = $options['title'] ?? '';
 		$this->title_class = $options['title_class'] ?? '';
@@ -86,6 +58,38 @@ class GenericTable
 		$this->form_below = $options['form_below'] ?? $options['form'] ?? null;
 	}
 
+	private function initOrder($options)
+	{
+		assert(isset($options['default_sort_order']));
+		assert(isset($options['default_sort_direction']));
+
+		// Validate sort order (column)
+		$this->sort_order = $options['sort_order'];
+		if (empty($this->sort_order) || empty($options['columns'][$this->sort_order]['is_sortable']))
+			$this->sort_order = $options['default_sort_order'];
+
+		// Validate sort direction
+		$this->sort_direction = $options['sort_direction'];
+		if (empty($this->sort_direction) || !in_array($this->sort_direction, ['up', 'down']))
+			$this->sort_direction = $options['default_sort_direction'];
+	}
+
+	private function initPagination(array $options)
+	{
+		assert(isset($options['base_url']));
+		assert(isset($options['items_per_page']));
+
+		$this->base_url = $options['base_url'];
+
+		$this->recordCount = $options['get_count']();
+		$this->items_per_page = !empty($options['items_per_page']) ? $options['items_per_page'] : 30;
+
+		$this->start = empty($options['start']) || !is_numeric($options['start']) || $options['start'] < 0 || $options['start'] > $this->recordCount ? 0 : $options['start'];
+
+		$numPages = max(1, ceil($this->recordCount / $this->items_per_page));
+		$this->currentPage = min(ceil($this->start / $this->items_per_page) + 1, $numPages);
+	}
+
 	private function generateColumnHeaders($options)
 	{
 		foreach ($options['columns'] as $key => $column)
@@ -93,13 +97,14 @@ class GenericTable
 			if (empty($column['header']))
 				continue;
 
-			$isSortable = $this->tableIsSortable && !empty($column['is_sortable']);
+			$isSortable = !empty($column['is_sortable']);
 			$sortDirection = $key == $this->sort_order && $this->sort_direction === 'up' ? 'down' : 'up';
 
 			$header = [
 				'class' => isset($column['class']) ? $column['class'] : '',
+				'cell_class' => isset($column['cell_class']) ? $column['cell_class'] : null,
 				'colspan' => !empty($column['header_colspan']) ? $column['header_colspan'] : 1,
-				'href' => $isSortable ? $this->getLink($this->start, $key, $sortDirection) : null,
+				'href' => $isSortable ? $this->getHeaderLink($this->start, $key, $sortDirection) : null,
 				'label' => $column['header'],
 				'scope' => 'col',
 				'sort_mode' => $key == $this->sort_order ? $this->sort_direction : null,
@@ -116,7 +121,7 @@ class GenericTable
 			'base_url' => $this->base_url,
 			'index_class' => $options['index_class'] ?? '',
 			'items_per_page' => $this->items_per_page,
-			'linkBuilder' => [$this, 'getLink'],
+			'linkBuilder' => [$this, 'getHeaderLink'],
 			'recordCount' => $this->recordCount,
 			'sort_direction' => $this->sort_direction,
 			'sort_order' => $this->sort_order,
@@ -124,7 +129,7 @@ class GenericTable
 		]);
 	}
 
-	public function getLink($start = null, $order = null, $dir = null)
+	public function getHeaderLink($start = null, $order = null, $dir = null)
 	{
 		if ($start === null)
 			$start = $this->start;
@@ -161,6 +166,11 @@ class GenericTable
 		return $this->pageIndex;
 	}
 
+	public function getTableClass()
+	{
+		return $this->table_class;
+	}
+
 	public function getTitle()
 	{
 		return $this->title;
@@ -181,14 +191,21 @@ class GenericTable
 
 			foreach ($options['columns'] as $column)
 			{
-				// Process data for this particular cell.
-				if (isset($column['parse']))
-					$value = self::processCell($column['parse'], $row);
+				// Process formatting
+				if (isset($column['format']) && is_callable($column['format']))
+					$value = $column['format']($row);
+				elseif (isset($column['format']))
+					$value = self::processFormatting($column['format'], $row);
 				else
 					$value = $row[$column['value']];
 
+				// Turn value into a link?
+				if (!empty($column['link']))
+					$value = $this->processLink($column['link'], $value, $row);
+
 				// Append the cell to the row.
 				$newRow['cells'][] = [
+					'class' => $column['cell_class'] ?? '',
 					'value' => $value,
 				];
 			}
@@ -198,66 +215,47 @@ class GenericTable
 		}
 	}
 
-	private function processCell($options, $rowData)
+	private function processFormatting($options, $rowData)
 	{
-		if (!isset($options['type']))
-			$options['type'] = 'value';
-
-		// Parse the basic value first.
-		switch ($options['type'])
+		if ($options['type'] === 'timestamp')
 		{
-			// Basic option: simply take a use a particular data property.
-			case 'value':
-				$value = htmlspecialchars($rowData[$options['data']]);
-				break;
+			if (empty($options['pattern']) || $options['pattern'] === 'long')
+				$pattern = 'Y-m-d H:i';
+			elseif ($options['pattern'] === 'short')
+				$pattern = 'Y-m-d';
+			else
+				$pattern = $options['pattern'];
 
-			// Processing via a lambda function.
-			case 'function':
-				$value = $options['data']($rowData);
-				break;
+			assert(array_key_exists($options['value'], $rowData));
+			if (isset($rowData[$options['value']]) && !is_numeric($rowData[$options['value']]))
+				$timestamp = strtotime($rowData[$options['value']]);
+			else
+				$timestamp = (int) $rowData[$options['value']];
 
-			// Using sprintf to fill out a particular pattern.
-			case 'sprintf':
-				$parameters = [$options['data']['pattern']];
-				foreach ($options['data']['arguments'] as $identifier)
-					$parameters[] = $rowData[$identifier];
+			if (isset($options['if_null']) && $timestamp == 0)
+				$value = $options['if_null'];
+			else
+				$value = date($pattern, $timestamp);
 
-				$value = sprintf(...$parameters);
-				break;
-
-			// Timestamps get custom treatment.
-			case 'timestamp':
-				if (empty($options['data']['pattern']) || $options['data']['pattern'] === 'long')
-					$pattern = 'Y-m-d H:i';
-				elseif ($options['data']['pattern'] === 'short')
-					$pattern = 'Y-m-d';
-				else
-					$pattern = $options['data']['pattern'];
-
-				if (!is_numeric($rowData[$options['data']['timestamp']]))
-					$timestamp = strtotime($rowData[$options['data']['timestamp']]);
-				else
-					$timestamp = (int) $rowData[$options['data']['timestamp']];
-
-				if (isset($options['data']['if_null']) && $timestamp == 0)
-					$value = $options['data']['if_null'];
-				else
-					$value = date($pattern, $timestamp);
-				break;
+			return $value;
 		}
+		else
+			throw ValueError('Unexpected formatter type: ' . $options['type']);
+	}
 
-		// Generate a link, if requested.
-		if (!empty($options['link']))
-		{
-			// First, generate the replacement variables.
-			$keys = array_keys($rowData);
-			$values = array_values($rowData);
-			foreach ($keys as $keyKey => $keyValue)
-				$keys[$keyKey] = '{' . strtoupper($keyValue) . '}';
+	private function processLink($template, $value, array $rowData)
+	{
+		$href = $this->rowReplacements($template, $rowData);
+		return '<a href="' . $href . '">' . $value . '</a>';
+	}
 
-			$value = '<a href="' . str_replace($keys, $values, $options['link']) . '">' . $value . '</a>';
-		}
+	private function rowReplacements($template, array $rowData)
+	{
+		$keys = array_keys($rowData);
+		$values = array_values($rowData);
+		foreach ($keys as $keyKey => $keyValue)
+			$keys[$keyKey] = '{' . strtoupper($keyValue) . '}';
 
-		return $value;
+		return str_replace($keys, $values, $template);
 	}
 }