Diffstat (limited to 'engine')
| -rw-r--r-- | engine/lib/access.php | 16 | ||||
| -rw-r--r-- | engine/lib/annotations.php | 4 | ||||
| -rw-r--r-- | engine/lib/entities.php | 27 | ||||
| -rw-r--r-- | engine/lib/extender.php | 16 | ||||
| -rw-r--r-- | engine/lib/filestore.php | 2 | ||||
| -rw-r--r-- | engine/lib/group.php | 4 | ||||
| -rw-r--r-- | engine/lib/languages.php | 12 | ||||
| -rw-r--r-- | engine/lib/metadata.php | 13 | ||||
| -rw-r--r-- | engine/lib/notification.php | 7 | ||||
| -rw-r--r-- | engine/lib/plugins.php | 12 | ||||
| -rw-r--r-- | engine/lib/sessions.php | 48 | ||||
| -rw-r--r-- | engine/lib/tags.php | 5 | ||||
| -rw-r--r-- | engine/lib/users.php | 11 | ||||
| -rw-r--r-- | engine/lib/usersettings.php | 9 | 
14 files changed, 107 insertions, 79 deletions
diff --git a/engine/lib/access.php b/engine/lib/access.php
index ae0ae891b..28584feeb 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -23,13 +23,13 @@
  	 */
  		function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
 -			global $CONFIG, $init_finished;
 +			global $CONFIG, $init_finished, $SESSION;
  			static $access_list;
  			if (!isset($access_list) || !$init_finished)
  				$access_list = array();
 -			if ($user_id == 0) $user_id = $_SESSION['id'];
 +			if ($user_id == 0) $user_id = $SESSION['id'];
  			if (($site_id == 0) && (isset($CONFIG->site_id))) $site_id = $CONFIG->site_id;
  			$user_id = (int) $user_id;
  			$site_id = (int) $site_id;
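Review bot: `get_access_list()` still reads the user id straight from the session array (`$user_id = $SESSION['id']`), while every other default in this commit goes through `get_loggedin_userid()`, which returns `$user->guid`. The same commit removes the `$SESSION['id']` test from `isloggedin()`, so nothing visible here guarantees that key is populated; if it is unset, the `(int)` cast two lines later turns it into 0 and the rest of the function runs for user 0. I would write `if ($user_id == 0) $user_id = get_loggedin_userid();` and drop `$SESSION` from the `global` line. The function body continues outside the hunk.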
 @@ -58,7 +58,7 @@  			if (!isset($access_array) || (!isset($init_finished)) || (!$init_finished))
  				$access_array = array(); 
 -			if ($user_id == 0) $user_id = $_SESSION['guid'];
 +			if ($user_id == 0) $user_id = get_loggedin_userid();
  			if (($site_id == 0) && (isset($CONFIG->site_guid))) $site_id = $CONFIG->site_guid;
  			$user_id = (int) $user_id;
 @@ -70,8 +70,8 @@  				$query .= " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id ";
  				$query .= " WHERE am.user_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
 -				$tmp_access_array = array(2);
 -				if (isloggedin())
 +				$tmp_access_array = array(2); 
 +				if (isloggedin()) 
  					$tmp_access_array[] = 1;
  				if ($collections = get_data($query)) {
 @@ -153,7 +153,7 @@
  				$access = get_access_list();
 -				$owner = $_SESSION['id'];
 +				$owner = get_loggedin_userid();
  				if (!$owner) $owner = -1;
  				global $is_admin;
 @@ -185,7 +185,7 @@  			global $CONFIG;
  			static $access_array;
 -			if ($user_id == 0) $user_id = $_SESSION['guid'];
 +			if ($user_id == 0) $user_id = get_loggedin_userid();
  			if (($site_id == 0) && (isset($CONFIG->site_id))) $site_id = $CONFIG->site_id;
  			$user_id = (int) $user_id;
  			$site_id = (int) $site_id;
 @@ -230,7 +230,7 @@  			$name = trim($name);
  			if (empty($name)) return false;
 -			if ($user_id == 0) $user_id = $_SESSION['id'];
 +			if ($user_id == 0) $user_id = get_loggedin_userid();
  			if (($site_id == 0) && (isset($CONFIG->site_guid))) $site_id = $CONFIG->site_guid;
  			$name = sanitise_string($name);
 diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 699430431..6cc6ae1c6 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -166,7 +166,7 @@
  		$value_type = detect_extender_valuetype($value, sanitise_string(trim($value_type)));
  		$owner_guid = (int)$owner_guid;
 -		if ($owner_guid==0) $owner_guid = $_SESSION['id'];
 +		if ($owner_guid==0) $owner_guid = get_loggedin_userid();
  		$access_id = (int)$access_id;
 @@ -216,7 +216,7 @@  		$value_type = detect_extender_valuetype($value, sanitise_string(trim($value_type)));
  		$owner_guid = (int)$owner_guid;
 -		if ($owner_guid==0) $owner_guid = $_SESSION['id'];
 +		if ($owner_guid==0) $owner_guid = get_loggedin_userid();
  		$access_id = (int)$access_id;
 diff --git a/engine/lib/entities.php b/engine/lib/entities.php index 1d5ad471e..fd0475d07 100644 --- a/engine/lib/entities.php +++ b/engine/lib/entities.php @@ -80,8 +80,10 @@  			$this->attributes['guid'] = "";  			$this->attributes['type'] = "";  			$this->attributes['subtype'] = ""; -			$this->attributes['owner_guid'] = $_SESSION['guid']; -			$this->attributes['container_guid'] = $_SESSION['guid']; +			 +			$this->attributes['owner_guid'] = get_loggedin_userid(); +			$this->attributes['container_guid'] = get_loggedin_userid(); +			  			$this->attributes['site_guid'] = 0;  			$this->attributes['access_id'] = 0;  			$this->attributes['time_created'] = ""; @@ -811,7 +813,7 @@  			$this->attributes['subtype'] = $data->getAttribute('subclass');  			// Set owner -			$this->attributes['owner_guid'] = $_SESSION['id']; // Import as belonging to importer. +			$this->attributes['owner_guid'] = get_loggedin_userid(); // Import as belonging to importer.  			// Set time  			$this->attributes['time_created'] = strtotime($data->getAttribute('published')); @@ -1181,7 +1183,7 @@  	/**  	 * Determine whether a given user is able to write to a given container.  	 * -	 * @param int $user_guid The user guid, or 0 for $_SESSION['user']->getGUID() +	 * @param int $user_guid The user guid, or 0 for get_loggedin_userid()  	 * @param int $container_guid The container, or 0 for the current page owner.  	 */  	function can_write_to_container($user_guid = 0, $container_guid = 0, $entity_type = 'all') @@ -1189,8 +1191,8 @@  		global $CONFIG;  		$user_guid = (int)$user_guid; -		if (!$user_guid) $user_guid = (int) $_SESSION['guid'];  		$user = get_entity($user_guid); +		if (!$user) $user = get_loggedin_user();  		$container_guid = (int)$container_guid;  		if (!$container_guid) $container_guid = page_owner(); 
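Review bot: In `can_write_to_container()` the new fallback `if (!$user) $user = get_loggedin_user();` fires whenever `get_entity($user_guid)` returns nothing, not only when the caller passed 0. A caller asking about a specific non-zero `$user_guid` that cannot be loaded now gets the answer for the logged-in user, whereas the removed code substituted the session user only for 0. A permission check should fail closed in that case, for example `$user = $user_guid ? get_entity($user_guid) : get_loggedin_user();`. The same pattern is added in `can_edit_entity()`, `can_edit_extender()`, and the notification and plugin user-setting functions later in this diff. The function body continues outside the hunk.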
@@ -1347,6 +1349,7 @@  	function get_entity($guid)  	{  		static $newentity_cache; +		$new_entity = false;  		if ((!$newentity_cache) && (is_memcache_available()))   			$newentity_cache = new ElggMemcache('new_entity_cache');  		if ($newentity_cache) $new_entity = $newentity_cache->load($guid); @@ -1806,16 +1809,10 @@  	 */  	function can_edit_entity($entity_guid, $user_guid = 0) {  		global $CONFIG; -		if ($user_guid == 0) { -					 -			if (isset($_SESSION['user'])) {			 -				$user = $_SESSION['user']; -			} else {		 -				$user = null; -			} -		} else {		 -			$user = get_entity($user_guid); -		} +		 +		$user_guid = (int)$user_guid; +		$user = get_entity($user_guid); +		if (!$user) $user = get_loggedin_user();  		if ($entity = get_entity($entity_guid)) { diff --git a/engine/lib/extender.php b/engine/lib/extender.php index 988899409..206d98be4 100644 --- a/engine/lib/extender.php +++ b/engine/lib/extender.php @@ -327,20 +327,14 @@  	 * @param int $user_guid The GUID of the user
  	 * @return true|false
  	 */
 -	function can_edit_extender($extender_id, $type, $user_guid = 0) {
 +	function can_edit_extender($extender_id, $type, $user_guid = 0) {  		if (!isloggedin())
  			return false;
 -		
 -		if ($user_guid == 0) {
 -			if (isset($_SESSION['user'])) {
 -				$user = $_SESSION['user'];
 -			} else {
 -				$user = null;
 -			}
 -		} else {
 -			$user = get_entity($user_guid);
 -		}
 +		 +		$user_guid = (int)$user_guid; +		$user = get_entity($user_guid); +		if (!$user) $user = get_loggedin_user(); 
  		$functionname = "get_{$type}";
  		if (is_callable($functionname)) {
 diff --git a/engine/lib/filestore.php b/engine/lib/filestore.php index 94ab26594..690ea304c 100644 --- a/engine/lib/filestore.php +++ b/engine/lib/filestore.php @@ -239,7 +239,7 @@  		{  			$owner = $file->getOwnerEntity();  			if (!$owner) -				$owner = $_SESSION['user']; +				$owner = get_loggedin_user();  			if ((!$owner) || (!$owner->username)) throw InvalidParameterException(elgg_echo('InvalidParameterException:MissingOwner')); diff --git a/engine/lib/group.php b/engine/lib/group.php index 51afd8e41..0a218b6f1 100644 --- a/engine/lib/group.php +++ b/engine/lib/group.php @@ -230,8 +230,8 @@  		 */  		public function isMember($user = 0)  		{
 -			if (!($user instanceof ElggUser)) $user = $_SESSION['user'];
 -			if (!($_SESSION['user'] instanceof ElggUser)) return false; +			if (!($user instanceof ElggUser)) $user = get_loggedin_user();
 +			if (!($user instanceof ElggUser)) return false;  			return is_group_member($this->getGUID(), $user->getGUID());  		} diff --git a/engine/lib/languages.php b/engine/lib/languages.php index acca80c6c..5c62eaa81 100644 --- a/engine/lib/languages.php +++ b/engine/lib/languages.php @@ -55,8 +55,10 @@  	{  		global $CONFIG; -		if ((isset($_SESSION['user'])) && ($_SESSION['user']->language)) -			$language = $_SESSION['user']->language; +		$user = get_loggedin_user(); +		 +		if ((isset($user)) && ($user->language)) +			$language = $user->language;  		if ((empty($language)) && (isset($CONFIG->language)))  			$language = $CONFIG->language; @@ -78,8 +80,10 @@  			global $CONFIG;
 -			if ((empty($language)) && (isset($_SESSION['user'])) && ($_SESSION['user']->language)) -				$language = $_SESSION['user']->language; +			$user = get_loggedin_user(); +			 +			if ((empty($language)) && (isset($user)) && ($user->language)) +				$language = $user->language;  			if ((empty($language)) && (isset($CONFIG->language)))
  				$language = $CONFIG->language; diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php index 204b027c3..2e6337694 100644 --- a/engine/lib/metadata.php +++ b/engine/lib/metadata.php @@ -153,7 +153,7 @@  		$id = (int)$id;  		$access = get_access_sql_suffix("e");
  		$md_access = get_access_sql_suffix("m"); -				 +  		return row_to_elggmetadata(get_data_row("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e on e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.id=$id and $access and $md_access"));  	} @@ -208,7 +208,7 @@  		$owner_guid = (int)$owner_guid;  		$allow_multiple = (boolean)$allow_multiple; -		if ($owner_guid==0) $owner_guid = $_SESSION['id']; +		if ($owner_guid==0) $owner_guid = get_loggedin_userid();  		$access_id = (int)$access_id; @@ -276,10 +276,10 @@  		global $CONFIG;  		$id = (int)$id;
 -	
 -		if (!$md = get_metadata($id)) return false;
 +
 +		if (!$md = get_metadata($id)) return false;	
  		if (!$md->canEdit()) return false; -		 +	  		// If memcached then we invalidate the cache for this entry  		static $metabyname_memcache;  		if ((!$metabyname_memcache) && (is_memcache_available())) @@ -291,7 +291,7 @@  		$value_type = detect_extender_valuetype($value, sanitise_string(trim($value_type)));  		$owner_guid = (int)$owner_guid; -		if ($owner_guid==0) $owner_guid = $_SESSION['id']; +		if ($owner_guid==0) $owner_guid = get_loggedin_userid();  		$access_id = (int)$access_id; @@ -386,6 +386,7 @@  		$md_access = get_access_sql_suffix("m");  		// If memcache is available then cache this (cache only by name for now since this is the most common query) +		$meta = null;  		static $metabyname_memcache;  		if ((!$metabyname_memcache) && (is_memcache_available()))  			$metabyname_memcache = new ElggMemcache('metabyname_memcache'); diff --git a/engine/lib/notification.php b/engine/lib/notification.php index 8eeb009c0..7f7238daa 100644 --- a/engine/lib/notification.php +++ b/engine/lib/notification.php @@ -137,8 +137,7 @@  	{  		$user_guid = (int)$user_guid; -		if ($user_guid == 0)  -			$user_guid = $_SESSION['user']->guid; +		if ($user_guid == 0) $user_guid = get_loggedin_userid();  		$all_metadata = get_metadata_for_entity($user_guid);  		if ($all_metadata) @@ -173,11 +172,9 @@  	{  		$user_guid = (int)$user_guid;  		$method = sanitise_string($method); - -		if ($user_guid == 0)  -			$user_guid = $_SESSION['user']->guid;  		$user = get_entity($user_guid); +		if (!$user) $user = get_loggedin_user();  		if (($user) && ($user instanceof ElggUser))  		{			 diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php index 3cc11f96c..d2381db40 100644 --- a/engine/lib/plugins.php +++ b/engine/lib/plugins.php 
@@ -320,7 +320,7 @@  			if (!$plugin_name)  				$plugin_name = get_plugin_name(); -			if ($user_guid == 0) $user_guid = $_SESSION['user']->guid; +			if ($user_guid == 0) $user_guid = get_loggedin_userid();  			// Get metadata for user  			$all_metadata = get_metadata_for_entity($user_guid); @@ -360,10 +360,10 @@  			if (!$plugin_name)  				$plugin_name = get_plugin_name(); -				 -			if ($user_guid == 0) $user_guid = $_SESSION['user']->guid; -			 +							  			$user = get_entity($user_guid); +			if (!$user) $user = get_loggedin_user(); +			  			if (($user) && ($user instanceof ElggUser))  			{  				$prefix = "plugin:settings:$plugin_name:$name"; @@ -391,9 +391,9 @@  			if (!$plugin_name)  				$plugin_name = get_plugin_name(); -			if ($user_guid == 0) $user_guid = $_SESSION['user']->guid; -			  			$user = get_entity($user_guid); +			if (!$user) $user = get_loggedin_user(); +			  			if (($user) && ($user instanceof ElggUser))  			{  				$prefix = "plugin:settings:$plugin_name:$name"; diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index b7d0ce90f..dda4e960a 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -87,21 +87,50 @@  			if ($this->offsetGet($offset)) return true;  		}  	} +	 +		 +	/** +	 * Return the current logged in user, or null if no user is logged in. +	 * +	 * If no user can be found in the current session, a plugin hook - 'session:get' 'user' to give plugin  +	 * authors another way to provide user details to the ACL system without touching the session. +	 */ +		function get_loggedin_user() +		{ +			global $SESSION; +			 +			return $SESSION['user']; +		} +		 +	/** +	 * Return the current logged in user by id. +	 *  +	 * @see get_loggedin_user() +	 * @return int +	 */ +		function get_loggedin_userid() +		{ +			$user = get_loggedin_user(); +			if ($user) +				return $user->guid; +				 +			return 0; +		}  	/**
  	 * Returns whether or not the user is currently logged in
  	 *
 -	 * @uses $_SESSION
  	 * @return true|false
  	 */
  		function isloggedin() {
 +						
 +			if (!is_installed()) return false;  -			global $SESSION; +			$user = get_loggedin_user(); -			if (!is_installed()) return false; 
 -			if ((isset($SESSION['guid'])) && ($SESSION['guid'] > 0) && (isset($SESSION['id'])) && ($SESSION['id'] > 0) ) -			
 -				return true;
 +			if ((isset($user)) && ($user->guid > 0))
 +				return true; +				
  			return false;
  		}
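Review bot: `isloggedin()` now decides login state from `$user->guid > 0` on whatever `get_loggedin_user()` returns, and that function hands back `$SESSION['user']` with no type check. Its docblock says a plugin hook can supply the user, so the value behind every ACL default in this commit may originate outside the session; a stricter test such as `if (($user instanceof ElggUser) && ($user->guid > 0))` would keep a non-user value from counting as a login. The docblock on `get_loggedin_user()` also leaves its sentence about the 'session:get' 'user' hook unfinished and has no `@return`; I would add `@return ElggUser|null` and state when the hook is triggered.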
 @@ -109,15 +138,16 @@  	/**  	 * Returns whether or not the user is currently logged in and that they are an admin user.  	 * -	 * @uses $_SESSION  	 * @uses isloggedin()  	 * @return true|false  	 */  		function isadminloggedin()  		{ -			global $SESSION; +			if (!is_installed()) return false;  +			 +			$user = get_loggedin_user(); -			if ((isloggedin()) && (($SESSION['user']->admin || $SESSION['user']->siteadmin))) +			if ((isloggedin()) && (($user->admin || $user->siteadmin)))  				return true;  			return false; diff --git a/engine/lib/tags.php b/engine/lib/tags.php index 30aa9f78c..107ac3ce7 100644 --- a/engine/lib/tags.php +++ b/engine/lib/tags.php @@ -131,8 +131,9 @@  		} else if (is_int($owner_guid)) {
  			$query .= " and e.container_guid = {$owner_guid} ";
  		}
 -		
 -		$query .= " and (e.access_id in {$access} or (e.access_id = 0 and e.owner_guid = {$_SESSION['id']}))";
 +		 +		$userid = get_loggedin_userid();
 +		$query .= " and (e.access_id in {$access} or (e.access_id = 0 and e.owner_guid = {$userid}))";
  		$query .= " group by msvalue.string having total > {$threshold} order by total desc limit {$limit} ";
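Review bot: `$userid` is interpolated into the SQL string without a cast, and `get_loggedin_userid()` returns `$user->guid` as-is. Other call sites in this diff cast ids before building queries (`$user_id = (int) $user_id;` in access.php), so I would do the same here: `$userid = (int) get_loggedin_userid();`. That keeps the query well-formed even if the user object was supplied by a plugin hook rather than the session, which the `get_loggedin_user()` docblock allows. The function starts outside the hunk.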
 diff --git a/engine/lib/users.php b/engine/lib/users.php index 37a6b5bbd..d32dc5c0a 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -1159,8 +1159,9 @@  	 *
  	 */
  	function collections_submenu_items() {
 -		global $CONFIG;
 -		add_submenu_item(elgg_echo('friends:collections'), $CONFIG->wwwroot . "pg/collections/" . $_SESSION['user']->username);
 +		global $CONFIG; +		$user = get_loggedin_user();
 +		add_submenu_item(elgg_echo('friends:collections'), $CONFIG->wwwroot . "pg/collections/" . $user->username);
  		add_submenu_item(elgg_echo('friends:collections:add'),$CONFIG->wwwroot."pg/collections/add");
  	}
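Review bot: `collections_submenu_items()` dereferences `$user->username` without checking that `get_loggedin_user()` returned a user, although that function is documented as returning null when nobody is logged in. The next hunk in this file guards the same access with `isloggedin()`, while the usersettings.php hunk has the same unguarded `$user->username` under `get_context() == "settings"`. A guard such as `if (!$user) return;` right after the lookup would avoid building menu URLs from a null user.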
 @@ -1300,8 +1301,10 @@  			global $CONFIG;
  		// Set up menu for logged in users
 -			if (isloggedin())
 -				add_menu(elgg_echo('friends'), $CONFIG->wwwroot . "pg/friends/" . $_SESSION['user']->username);
 +			if (isloggedin()) { +				$user = get_loggedin_user();
 +				add_menu(elgg_echo('friends'), $CONFIG->wwwroot . "pg/friends/" . $user->username); +			}
  		register_page_handler('friends','friends_page_handler');
  		register_page_handler('friendsof','friends_of_page_handler');
 diff --git a/engine/lib/usersettings.php b/engine/lib/usersettings.php index 6f10ebdbd..fc7b0ae0c 100644 --- a/engine/lib/usersettings.php +++ b/engine/lib/usersettings.php @@ -39,11 +39,12 @@  			global $CONFIG;
  		// Menu options
 -			if (get_context() == "settings") {
 -				add_submenu_item(elgg_echo('usersettings:user:opt:linktext'),$CONFIG->wwwroot . "pg/settings/user/{$_SESSION['user']->username}/");
 +			if (get_context() == "settings") { +				$user = get_loggedin_user();
 +				add_submenu_item(elgg_echo('usersettings:user:opt:linktext'),$CONFIG->wwwroot . "pg/settings/user/{$user->username}/");
  				add_submenu_item(elgg_echo('profile:editicon'), $CONFIG->wwwroot . 'mod/profile/editicon.php'); -				add_submenu_item(elgg_echo('usersettings:plugins:opt:linktext'),$CONFIG->wwwroot . "pg/settings/plugins/{$_SESSION['user']->username}/");
 -				add_submenu_item(elgg_echo('usersettings:statistics:opt:linktext'),$CONFIG->wwwroot . "pg/settings/statistics/{$_SESSION['user']->username}/");
 +				add_submenu_item(elgg_echo('usersettings:plugins:opt:linktext'),$CONFIG->wwwroot . "pg/settings/plugins/{$user->username}/");
 +				add_submenu_item(elgg_echo('usersettings:statistics:opt:linktext'),$CONFIG->wwwroot . "pg/settings/statistics/{$user->username}/");
  			}
  	}  | 
