Move photo deletion from ViewPhoto to EditAsset

Removes the intermediate confirmation page, instead using JavaScript for confirmation.

Fixes an XSS issue, in that the previous method was not passing or checking the session (!)

templates/PhotoPage.php

@@ -54,9 +54,7 @@ class PhotoPage extends Template
 					<div class="col-lg-4">';
 
 		$this->photoMeta();
-
-		if ($this->is_asset_owner)
-			$this->addUserActions();
+		$this->userActions();
 
 		echo '
 					</div>
@@ -259,13 +257,19 @@ class PhotoPage extends Template
 		$this->exif = $exif;
 	}
 
-	public function addUserActions()
+	public function userActions()
 	{
+		if (!$this->photo->isOwnedBy(Registry::get('user')))
+			return;
+
 		echo '
 				<div id="user_actions_box" class="content-box">
 					<h3>Actions</h3>
-					<a class="btn btn-primary" href="', BASEURL, '/editasset/?id=', $this->photo->getId(), '">Edit photo</a>
-					<a class="btn btn-danger" href="', BASEURL, '/', $this->photo->getSlug(), '/?confirm_delete">Delete photo</a>
+					<a class="btn btn-primary" href="', $this->photo->getEditUrl(), '">Edit photo</a>
+					<a class="btn btn-danger" href="', $this->photo->getDeleteUrl(), '&',
+						Session::getSessionTokenKey(), '=', Session::getSessionToken(),
+						'" onclick="return confirm(\'Are you sure you want to delete this photo?\');"',
+						'">Delete photo</a>
 				</div>';
 	}
 }