Diffstat (limited to 'modules/user')
-rw-r--r--modules/user/user.admin.inc1
-rw-r--r--modules/user/user.api.php5
-rw-r--r--modules/user/user.install21
-rw-r--r--modules/user/user.js10
-rw-r--r--modules/user/user.module27
-rw-r--r--modules/user/user.test68
6 files changed, 110 insertions, 22 deletions
diff --git a/modules/user/user.admin.inc b/modules/user/user.admin.inc
index 4789e7e73..1cc2c4a24 100644
--- a/modules/user/user.admin.inc
+++ b/modules/user/user.admin.inc
@@ -413,6 +413,7 @@ function user_admin_settings() {
'#maxlength' => 10,
'#field_suffix' => ' ' . t('KB'),
'#description' => t('Maximum allowed file size for uploaded pictures. Upload size is normally limited only by the PHP maximum post and file upload settings, and images are automatically scaled down to the dimensions specified above.'),
+ '#element_validate' => array('element_validate_integer_positive'),
);
$form['personalization']['pictures']['user_picture_guidelines'] = array(
'#type' => 'textarea',
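Review bot: The validator attached to `user_picture_file_size` is `element_validate_integer_positive`, which as implemented in core's form.inc appears to reject `0` as well as non-numeric input, while the test added to user.test in this same commit sets the variable to 0 and comments it as "0 = no limit". If 0 is meant to be enterable from the admin form, this should be `element_validate_integer` combined with a non-negative check; if not, the `#description` should say that the field is left empty for no limit. The enclosing array and user_admin_settings() start and end outside this hunk.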
diff --git a/modules/user/user.api.php b/modules/user/user.api.php
index 069a9f880..f610408dc 100644
--- a/modules/user/user.api.php
+++ b/modules/user/user.api.php
@@ -224,9 +224,10 @@ function hook_user_categories() {
* @see hook_user_update()
*/
function hook_user_presave(&$edit, $account, $category) {
- // Make sure that our form value 'mymodule_foo' is stored as 'mymodule_bar'.
+ // Make sure that our form value 'mymodule_foo' is stored as
+ // 'mymodule_bar' in the 'data' (serialized) column.
if (isset($edit['mymodule_foo'])) {
- $edit['data']['my_module_foo'] = $edit['my_module_foo'];
+ $edit['data']['mymodule_bar'] = $edit['mymodule_foo'];
}
}
diff --git a/modules/user/user.install b/modules/user/user.install
index a48feb5f8..e46f29d8e 100644
--- a/modules/user/user.install
+++ b/modules/user/user.install
@@ -120,6 +120,8 @@ function user_schema() {
),
);
+ // The table name here is plural, despite Drupal table naming standards,
+ // because "user" is a reserved word in many databases.
$schema['users'] = array(
'description' => 'Stores user data.',
'fields' => array(
@@ -234,6 +236,7 @@ function user_schema() {
'access' => array('access'),
'created' => array('created'),
'mail' => array('mail'),
+ 'picture' => array('picture'),
),
'unique keys' => array(
'name' => array('name'),
@@ -890,3 +893,21 @@ function user_update_7017() {
/**
* @} End of "addtogroup updates-6.x-to-7.x"
*/
+
+/**
+ * @addtogroup updates-7.x-extra
+ * @{
+ */
+
+/**
+ * Ensure there is an index on {users}.picture.
+ */
+function user_update_7018() {
+ if (!db_index_exists('users', 'picture')) {
+ db_add_index('users', 'picture', array('picture'));
+ }
+}
+
+/**
+ * @} End of "addtogroup updates-7.x-extra"
+ */
diff --git a/modules/user/user.js b/modules/user/user.js
index 73af27e5d..d182066ad 100644
--- a/modules/user/user.js
+++ b/modules/user/user.js
@@ -95,10 +95,10 @@ Drupal.behaviors.password = {
Drupal.evaluatePasswordStrength = function (password, translate) {
var weaknesses = 0, strength = 100, msg = [];
- var hasLowercase = password.match(/[a-z]+/);
- var hasUppercase = password.match(/[A-Z]+/);
- var hasNumbers = password.match(/[0-9]+/);
- var hasPunctuation = password.match(/[^a-zA-Z0-9]+/);
+ var hasLowercase = /[a-z]+/.test(password);
+ var hasUppercase = /[A-Z]+/.test(password);
+ var hasNumbers = /[0-9]+/.test(password);
+ var hasPunctuation = /[^a-zA-Z0-9]+/.test(password);
// If there is a username edit box on the page, compare password to that, otherwise
// use value from the database.
@@ -180,7 +180,7 @@ Drupal.behaviors.fieldUserRegistration = {
attach: function (context, settings) {
var $checkbox = $('form#field-ui-field-edit-form input#edit-instance-settings-user-register-form');
- if ($checkbox.size()) {
+ if ($checkbox.length) {
$('input#edit-instance-required', context).once('user-register-form-checkbox', function () {
$(this).bind('change', function (e) {
if ($(this).attr('checked')) {
diff --git a/modules/user/user.module b/modules/user/user.module
index 87f7b5e9c..94ecaa2df 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -41,7 +41,7 @@ function user_help($path, $arg) {
case 'admin/help#user':
$output = '';
$output .= '<h3>' . t('About') . '</h3>';
- $output .= '<p>' . t('The User module allows users to register, log in, and log out. It also allows users with proper permissions to manage user roles (used to classify users) and permissions associated with those roles. For more information, see the online handbook entry for <a href="@user">User module</a>.', array('@user' => 'http://drupal.org/handbook/modules/user')) . '</p>';
+ $output .= '<p>' . t('The User module allows users to register, log in, and log out. It also allows users with proper permissions to manage user roles (used to classify users) and permissions associated with those roles. For more information, see the online handbook entry for <a href="@user">User module</a>.', array('@user' => 'http://drupal.org/documentation/modules/user')) . '</p>';
$output .= '<h3>' . t('Uses') . '</h3>';
$output .= '<dl>';
$output .= '<dt>' . t('Creating and managing users') . '</dt>';
@@ -493,6 +493,10 @@ function user_save($account, $edit = array(), $category = 'account') {
file_delete($account->original->picture);
}
}
+ elseif (isset($edit['picture_delete']) && $edit['picture_delete']) {
+ file_usage_delete($account->original->picture, 'user', 'user', $account->uid);
+ file_delete($account->original->picture);
+ }
$account->picture = empty($account->picture->fid) ? 0 : $account->picture->fid;
// Do not allow 'uid' to be changed.
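Review bot: The new `elseif` branch passes `$account->original->picture` to `file_usage_delete()` and `file_delete()` without checking that the original account actually has a picture. The edit form presumably offers `picture_delete` only when a picture exists, but user_save() is also called programmatically, so a caller setting `$edit['picture_delete']` on an account without a picture would hand an empty value to both functions. Suggest `elseif (!empty($edit['picture_delete']) && !empty($account->original->picture->fid)) {`. The return value of `file_delete()` is also ignored, so a file that is still referenced elsewhere is silently left in place; a one-line comment saying that this is intended would help. user_save() starts and ends outside this hunk.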
@@ -2739,7 +2743,7 @@ Your account on [site:name] has been canceled.
if ($replace) {
// We do not sanitize the token replacement, since the output of this
// replacement is intended for an e-mail message, not a web browser.
- return token_replace($text, $variables, array('language' => $language, 'callback' => 'user_mail_tokens', 'sanitize' => FALSE));
+ return token_replace($text, $variables, array('language' => $language, 'callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
}
return $text;
@@ -3388,15 +3392,6 @@ function user_build_filter_query(SelectQuery $query) {
}
/**
- * Implements hook_forms().
- */
-function user_forms() {
- $forms['user_admin_access_add_form']['callback'] = 'user_admin_access_form';
- $forms['user_admin_access_edit_form']['callback'] = 'user_admin_access_form';
- return $forms;
-}
-
-/**
* Implements hook_comment_view().
*/
function user_comment_view($comment) {
@@ -3688,6 +3683,14 @@ function user_register_form($form, &$form_state) {
$admin = user_access('administer users');
+ // Pass access information to the submit handler. Running an access check
+ // inside the submit function interferes with form processing and breaks
+ // hook_form_alter().
+ $form['administer_users'] = array(
+ '#type' => 'value',
+ '#value' => $admin,
+ );
+
// If we aren't admin but already logged on, go to the user page instead.
if (!$admin && $user->uid) {
drupal_goto('user/' . $user->uid);
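Review bot: Storing the result of `user_access('administer users')` in `$form['administer_users']` moves the access decision from submit time to form-build time, and user_register_submit() (the hunk at -3746) then trusts `$form_state['values']['administer_users']` to choose the admin branch, which uses the submitted password directly. A `'#type' => 'value'` element is not sent to the browser, so it is not client-controlled, but any form-alter, validate or earlier submit handler can overwrite it, and a form restored from cache would carry a stale value if the permission changed in between (the caching case is inferred, it is not visible here). Extend the added comment to state that trust assumption, e.g. `// Server-side only; modules must not alter this value, it gates the admin branch of user_register_submit().`, and read it defensively in the submit handler with `$admin = !empty($form_state['values']['administer_users']);` so a missing key fails closed without a notice. Both functions continue outside their hunks.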
@@ -3746,7 +3749,7 @@ function user_register_validate($form, &$form_state) {
* @see user_register_form()
*/
function user_register_submit($form, &$form_state) {
- $admin = user_access('administer users');
+ $admin = $form_state['values']['administer_users'];
if (!variable_get('user_email_verification', TRUE) || $admin) {
$pass = $form_state['values']['pass'];
diff --git a/modules/user/user.test b/modules/user/user.test
index 40e6ec333..2efe5b070 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -1080,6 +1080,50 @@ class UserPictureTestCase extends DrupalWebTestCase {
$this->assertEqual($pic_path, (string) $elements[0]['src'], t("User picture source is correct."));
}
+ /**
+ * Tests deletion of user pictures.
+ */
+ function testDeletePicture() {
+ $this->drupalLogin($this->user);
+
+ $image = current($this->drupalGetTestFiles('image'));
+ $info = image_get_info($image->uri);
+
+ // Set new variables: valid dimensions, valid filesize (0 = no limit).
+ $test_dim = ($info['width'] + 10) . 'x' . ($info['height'] + 10);
+ variable_set('user_picture_dimensions', $test_dim);
+ variable_set('user_picture_file_size', 0);
+
+ // Save a new picture.
+ $edit = array('files[picture_upload]' => drupal_realpath($image->uri));
+ $this->drupalPost('user/' . $this->user->uid . '/edit', $edit, t('Save'));
+
+ // Load actual user data from database.
+ $account = user_load($this->user->uid, TRUE);
+ $pic_path = isset($account->picture) ? $account->picture->uri : NULL;
+
+ // Check if image is displayed in user's profile page.
+ $this->drupalGet('user');
+ $this->assertRaw(file_uri_target($pic_path), "Image is displayed in user's profile page");
+
+ // Check if file is located in proper directory.
+ $this->assertTrue(is_file($pic_path), 'File is located in proper directory');
+
+ $edit = array('picture_delete' => 1);
+ $this->drupalPost('user/' . $this->user->uid . '/edit', $edit, t('Save'));
+
+ // Load actual user data from database.
+ $account1 = user_load($this->user->uid, TRUE);
+ $this->assertNull($account1->picture, 'User object has no picture');
+
+ $file = file_load($account->picture->fid);
+ $this->assertFalse($file, 'File is removed from database');
+
+ // Clear out PHP's file stat cache so we see the current value.
+ clearstatcache();
+ $this->assertFalse(is_file($pic_path), 'File is removed from file system');
+ }
+
function saveUserPicture($image) {
$edit = array('files[picture_upload]' => drupal_realpath($image->uri));
$this->drupalPost('user/' . $this->user->uid . '/edit', $edit, t('Save'));
@@ -1088,6 +1132,24 @@ class UserPictureTestCase extends DrupalWebTestCase {
$account = user_load($this->user->uid, TRUE);
return isset($account->picture) ? $account->picture->uri : NULL;
}
+
+ /**
+ * Tests the admin form validates user picture settings.
+ */
+ function testUserPictureAdminFormValidation() {
+ $this->drupalLogin($this->drupalCreateUser(array('administer users')));
+
+ // The default values are valid.
+ $this->drupalPost('admin/config/people/accounts', array(), t('Save configuration'));
+ $this->assertText(t('The configuration options have been saved.'), 'The default values are valid.');
+
+ // The form does not save with an invalid file size.
+ $edit = array(
+ 'user_picture_file_size' => $this->randomName(),
+ );
+ $this->drupalPost('admin/config/people/accounts', $edit, t('Save configuration'));
+ $this->assertNoText(t('The configuration options have been saved.'), 'The form does not save with an invalid file size.');
+ }
}
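Review bot: testUserPictureAdminFormValidation() only exercises a random non-numeric string, so the boundaries of the validator newly attached to `user_picture_file_size` are not pinned. Add posts with `'0'`, `'-1'` and a non-integer such as `'1.5'`, each asserting whether the "The configuration options have been saved." message appears, so the intended handling of 0 and negative sizes is recorded by the test. A short comment such as `// randomName() is expected to yield a non-numeric string.` above the `$edit` array would also make the reason the value counts as invalid explicit.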
@@ -1385,7 +1447,7 @@ class UserAccountLinksUnitTests extends DrupalWebTestCase {
}
/**
- * Test the user login block.
+ * Tests the secondary menu.
*/
function testSecondaryMenu() {
// Create a regular user.
@@ -1517,7 +1579,7 @@ class UserBlocksUnitTests extends DrupalWebTestCase {
}
/**
- * Test case to test user_save() behaviour.
+ * Tests saving a user account.
*/
class UserSaveTestCase extends DrupalWebTestCase {
@@ -1606,7 +1668,7 @@ class UserCreateTestCase extends DrupalWebTestCase {
}
/**
- * Test case to test user_save() behaviour.
+ * Tests editing a user account.
*/
class UserEditTestCase extends DrupalWebTestCase {