Move photo deletion from ViewPhoto to EditAsset

Removes the intermediate confirmation page, instead using JavaScript for confirmation.

Fixes an XSS issue, in that the previous method was not passing or checking the session (!)

controllers/ViewPhoto.php

@@ -21,39 +21,14 @@ class ViewPhoto extends HTMLController
 
 		parent::__construct($photo->getTitle() . ' - ' . SITE_TITLE);
 
-		$author = $photo->getAuthor();
-
-		if (isset($_REQUEST['confirm_delete']) || isset($_REQUEST['delete_confirmed']))
-			$this->handleConfirmDelete($user, $author, $photo);
-		else
-			$this->handleViewPhoto($user, $author, $photo);
-	}
-
-	private function handleConfirmDelete(User $user, User $author, Asset $photo)
-	{
-		if (!($user->isAdmin() || $user->getUserId() === $author->getUserId()))
-			throw new NotAllowedException();
-
-		if (isset($_REQUEST['confirm_delete']))
-		{
-			$page = new ConfirmDeletePage($photo->getImage());
-			$this->page->adopt($page);
-		}
-		elseif (isset($_REQUEST['delete_confirmed']))
-		{
-			$album_url = $photo->getSubdir();
-			$photo->delete();
-
-			header('Location: ' . BASEURL . '/' . $album_url);
-			exit;
-		}
-	}
-
-	private function handleViewPhoto(User $user, User $author, Asset $photo)
-	{
 		if (!empty($_POST))
 			$this->handleTagging($photo->getImage());
+		else
+			$this->handleViewPhoto($photo);
+	}
 
+	private function handleViewPhoto(Asset $photo)
+	{
 		$page = new PhotoPage($photo->getImage());
 
 		// Exif data?
@@ -75,9 +50,6 @@ class ViewPhoto extends HTMLController
 		if ($next_url)
 			$page->setNextPhotoUrl($next_url);
 
-		if ($user->isAdmin() || $user->getUserId() === $author->getUserId())
-			$page->setIsAssetOwner(true);
-
 		$this->page->adopt($page);
 		$this->page->setCanonicalUrl($photo->getPageUrl());
 	}