Diffstat (limited to 'actions')
66 files changed, 1922 insertions, 1511 deletions
diff --git a/actions/admin/delete_admin_notice.php b/actions/admin/delete_admin_notice.php
new file mode 100644
index 000000000..a9c3b8758
--- /dev/null
+++ b/actions/admin/delete_admin_notice.php
@@ -0,0 +1,13 @@
+<?php
+/**
+ * Removes an admin notice.
+ */
+
+$guid = get_input('guid');
+$notice = get_entity($guid);
+
+if (!(elgg_instanceof($notice, 'object', 'admin_notice') && $notice->delete())) {
+ register_error(elgg_echo("admin:notices:could_not_delete"));
+}
+
+forward(REFERER);
\ No newline at end of file
diff --git a/actions/admin/menu/save.php b/actions/admin/menu/save.php
new file mode 100644
index 000000000..66ce71082
--- /dev/null
+++ b/actions/admin/menu/save.php
@@ -0,0 +1,34 @@
+<?php
+/**
+ * Save menu items.
+ *
+ * @package Elgg
+ * @subpackage Core
+ */
+
+// featured menu items
+$featured_names = get_input('featured_menu_names', array());
+$featured_names = array_unique($featured_names);
+if (in_array(' ', $featured_names)) {
+ unset($featured_names[array_search(' ', $featured_names)]);
+}
+elgg_save_config('site_featured_menu_names', $featured_names);
+
+// custom menu items
+$custom_menu_titles = get_input('custom_menu_titles', array());
+$custom_menu_urls = get_input('custom_menu_urls', array());
+$num_menu_items = count($custom_menu_titles);
+$custom_menu_items = array();
+for ($i = 0; $i < $num_menu_items; $i++) {
+ if (trim($custom_menu_urls[$i]) && trim($custom_menu_titles[$i])) {
+ $url = $custom_menu_urls[$i];
+ $title = $custom_menu_titles[$i];
+ $custom_menu_items[$title] = $url;
+ }
+}
+elgg_save_config('site_custom_menu_items', $custom_menu_items);
+
+
+system_message(elgg_echo('admin:menu_items:saved'));
+
+forward(REFERER);
diff --git a/actions/admin/plugins/activate.php b/actions/admin/plugins/activate.php
new file mode 100644
index 000000000..5234a4ca5
--- /dev/null
+++ b/actions/admin/plugins/activate.php
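Review bot: In actions/admin/menu/save.php the custom menu loop trims `$custom_menu_urls[$i]` and `$custom_menu_titles[$i]` only for the emptiness test, then stores the untrimmed and otherwise unvalidated values in `site_custom_menu_items`. These URLs are presumably rendered as site-wide links, so consider storing the trimmed values and rejecting anything that is not an http(s) or site-relative URL before `elgg_save_config()`. The loop also indexes both arrays by `$i`, so a request whose two arrays differ in length or keys raises undefined-index notices; `foreach ($custom_menu_titles as $i => $title)` guarded by `isset($custom_menu_urls[$i])` avoids that.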
@@ -0,0 +1,59 @@
+<?php
+/**
+ * Activate a plugin or plugins.
+ *
+ * Plugins to be activated are passed via $_REQUEST['plugin_guids'] as GUIDs.
+ * After activating the plugin(s), the views cache and simplecache are invalidated.
+ *
+ * @uses mixed $_GET['plugin_guids'] The GUIDs of the plugin to activate. Can be an array.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.Plugins
+ */
+
+$plugin_guids = get_input('plugin_guids');
+
+if (!is_array($plugin_guids)) {
+ $plugin_guids = array($plugin_guids);
+}
+
+$activated_guids = array();
+foreach ($plugin_guids as $guid) {
+ $plugin = get_entity($guid);
+
+ if (!($plugin instanceof ElggPlugin)) {
+ register_error(elgg_echo('admin:plugins:activate:no', array($guid)));
+ continue;
+ }
+
+ if ($plugin->activate()) {
+ $activated_guids[] = $guid;
+ } else {
+ $msg = $plugin->getError();
+ $string = ($msg) ? 'admin:plugins:activate:no_with_msg' : 'admin:plugins:activate:no';
+ register_error(elgg_echo($string, array($plugin->getFriendlyName(), $plugin->getError())));
+ }
+}
+
+// don't regenerate the simplecache because the plugin won't be
+// loaded until next run. Just invalidate and let it regenerate as needed
+elgg_invalidate_simplecache();
+elgg_reset_system_cache();
+
+if (count($activated_guids) === 1) {
+ $url = 'admin/plugins';
+ $query = (string)parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY);
+ if ($query) {
+ $url .= "?$query";
+ }
+ $plugin = get_entity($plugin_guids[0]);
+ $id = $css_id = preg_replace('/[^a-z0-9-]/i', '-', $plugin->getID());
+ forward("$url#$id");
+} else {
+ // forward to top of page with a failure so remove any #foo
+ $url = $_SERVER['HTTP_REFERER'];
+ if (strpos($url, '#')) {
+ $url = substr(0, strpos($url, '#'));
+ }
+ forward($url);
+}
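Review bot: The failure branch at the end of activate.php calls `substr(0, strpos($url, '#'))`, which passes `0` as the string and drops `$url`, so the forward target becomes empty whenever the referrer carries a fragment; it should read `$url = substr($url, 0, strpos($url, '#'));`. In the success branch the anchor is built from `$plugin_guids[0]` although the condition counts `$activated_guids`, so when several GUIDs are submitted and only one activates, the entity fetched may be the wrong one or not a plugin at all; `get_entity($activated_guids[0])` matches the condition. Both branches take their target from `$_SERVER['HTTP_REFERER']` without checking that the header is present, and falling back to `forward(REFERER)` when it is empty would be safer. `$css_id` is assigned but never used.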
\ No newline at end of file
diff --git a/actions/admin/plugins/activate_all.php b/actions/admin/plugins/activate_all.php
new file mode 100644
index 000000000..4514ccbdf
--- /dev/null
+++ b/actions/admin/plugins/activate_all.php
@@ -0,0 +1,33 @@
+<?php
+/**
+ * Activates all specified installed and inactive plugins.
+ *
+ * All specified plugins in the mod/ directory are that aren't active are activated and the views
+ * cache and simplecache are invalidated.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.Plugins
+ */
+
+$guids = get_input('guids');
+$guids = explode(',', $guids);
+
+foreach ($guids as $guid) {
+ $plugin = get_entity($guid);
+ if (!$plugin->isActive()) {
+ if ($plugin->activate()) {
+ //system_message(elgg_echo('admin:plugins:activate:yes', array($plugin->getManifest()->getName())));
+ } else {
+ $msg = $plugin->getError();
+ $string = ($msg) ? 'admin:plugins:activate:no_with_msg' : 'admin:plugins:activate:no';
+ register_error(elgg_echo($string, array($plugin->getFriendlyName(), $plugin->getError())));
+ }
+ }
+}
+
+// don't regenerate the simplecache because the plugin won't be
+// loaded until next run. Just invalidate and let it regnerate as needed
+elgg_invalidate_simplecache();
+elgg_reset_system_cache();
+
+forward(REFERER);
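Review bot: activate_all.php calls `$plugin->isActive()` on whatever `get_entity($guid)` returns, without the `instanceof ElggPlugin` test that activate.php in this same commit performs. A stale or non-plugin GUID in the comma-separated `guids` input then ends the request with a call on a non-object after some plugins may already have been activated, and before `elgg_invalidate_simplecache()` and `elgg_reset_system_cache()` run. Add `if (!($plugin instanceof ElggPlugin)) { continue; }` at the top of the loop body; deactivate_all.php has the same gap.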
\ No newline at end of file
diff --git a/actions/admin/plugins/deactivate.php b/actions/admin/plugins/deactivate.php
new file mode 100644
index 000000000..354f4717d
--- /dev/null
+++ b/actions/admin/plugins/deactivate.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * Deactivate a plugin or plugins.
+ *
+ * Plugins to be deactivated are passed via $_REQUEST['plugin_guids'] as GUIDs.
+ * After deactivating the plugin(s), the views cache and simplecache are invalidated.
+ *
+ * @uses mixed $_GET['plugin_guids'] The GUIDs of the plugin to deactivate. Can be an array.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.Plugins
+ */
+
+$plugin_guids = get_input('plugin_guids');
+
+if (!is_array($plugin_guids)) {
+ $plugin_guids = array($plugin_guids);
+}
+
+foreach ($plugin_guids as $guid) {
+ $plugin = get_entity($guid);
+
+ if (!($plugin instanceof ElggPlugin)) {
+ register_error(elgg_echo('admin:plugins:deactivate:no', array($guid)));
+ continue;
+ }
+
+ if ($plugin->deactivate()) {
+ //system_message(elgg_echo('admin:plugins:deactivate:yes', array($plugin->getManifest()->getName())));
+ } else {
+ $msg = $plugin->getError();
+ $string = ($msg) ? 'admin:plugins:deactivate:no_with_msg' : 'admin:plugins:deactivate:no';
+ register_error(elgg_echo($string, array($plugin->getFriendlyName(), $plugin->getError())));
+ }
+}
+
+// don't regenerate the simplecache because the plugin won't be
+// loaded until next run. Just invalidate and let it regnerate as needed
+elgg_invalidate_simplecache();
+elgg_reset_system_cache();
+
+if (count($plugin_guids) == 1) {
+ $url = 'admin/plugins';
+ $query = (string)parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY);
+ if ($query) {
+ $url .= "?$query";
+ }
+ $plugin = get_entity($plugin_guids[0]);
+ $id = preg_replace('/[^a-z0-9-]/i', '-', $plugin->getID());
+ forward("$url#$id");
+} else {
+ forward(REFERER);
+}
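Review bot: After the loop in deactivate.php, the single-GUID branch calls `$plugin->getID()` on `get_entity($plugin_guids[0])` even when the loop has just rejected that same GUID as not an `ElggPlugin`. An invalid `plugin_guids` value therefore registers the error and then fails on a method call against a non-plugin value. Repeat the type test before building the anchor, for example `if (count($plugin_guids) == 1 && get_entity($plugin_guids[0]) instanceof ElggPlugin)`, and fall through to `forward(REFERER)` otherwise. The query string is also copied from `$_SERVER['HTTP_REFERER']` without checking that the header is set.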
diff --git a/actions/admin/plugins/deactivate_all.php b/actions/admin/plugins/deactivate_all.php
new file mode 100644
index 000000000..8b347a633
--- /dev/null
+++ b/actions/admin/plugins/deactivate_all.php
@@ -0,0 +1,33 @@
+<?php
+/**
+ * Disable all specified installed plugins.
+ *
+ * Specified plugins in the mod/ directory are disabled and the views cache and simplecache
+ * are reset.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.Plugins
+ */
+
+$guids = get_input('guids');
+$guids = explode(',', $guids);
+
+foreach ($guids as $guid) {
+ $plugin = get_entity($guid);
+ if ($plugin->isActive()) {
+ if ($plugin->deactivate()) {
+ //system_message(elgg_echo('admin:plugins:activate:yes', array($plugin->getManifest()->getName())));
+ } else {
+ $msg = $plugin->getError();
+ $string = ($msg) ? 'admin:plugins:deactivate:no_with_msg' : 'admin:plugins:deactivate:no';
+ register_error(elgg_echo($string, array($plugin->getFriendlyName(), $plugin->getError())));
+ }
+ }
+}
+
+// don't regenerate the simplecache because the plugin won't be
+// loaded until next run. Just invalidate and let it regnerate as needed
+elgg_invalidate_simplecache();
+elgg_reset_system_cache();
+
+forward(REFERER);
diff --git a/actions/admin/plugins/disable.php b/actions/admin/plugins/disable.php
deleted file mode 100644
index b41a7603e..000000000
--- a/actions/admin/plugins/disable.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
- /**
- * Disable plugin action.
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php");
-
- // block non-admin users
- admin_gatekeeper();
-
- // Validate the action
- action_gatekeeper();
-
- // Get the user
- $plugin = get_input('plugin');
-
- // Disable
- if (disable_plugin($plugin))
- system_message(sprintf(elgg_echo('admin:plugins:disable:yes'), $plugin));
- else
- register_error(sprintf(elgg_echo('admin:plugins:disable:no'), $plugin));
-
- forward($_SERVER['HTTP_REFERER']);
- exit;
-?>
\ No newline at end of file
diff --git a/actions/admin/plugins/enable.php b/actions/admin/plugins/enable.php
deleted file mode 100644
index 537079112..000000000
--- a/actions/admin/plugins/enable.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
- /**
- * Enable plugin action.
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php");
-
- // block non-admin users
- admin_gatekeeper();
-
- // Validate the action
- action_gatekeeper();
-
- // Get the user
- $plugin = get_input('plugin');
-
- // Disable
- if (enable_plugin($plugin))
- system_message(sprintf(elgg_echo('admin:plugins:enable:yes'), $plugin));
- else
- register_error(sprintf(elgg_echo('admin:plugins:enable:no'), $plugin));
-
- forward($_SERVER['HTTP_REFERER']);
- exit;
-?>
\ No newline at end of file
diff --git a/actions/admin/plugins/reorder.php b/actions/admin/plugins/reorder.php
deleted file mode 100644
index e1a45f368..000000000
--- a/actions/admin/plugins/reorder.php
+++ /dev/null
@@ -1,51 +0,0 @@
-<?php
- /**
- * Reorder plugin action.
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php");
-
- // block non-admin users
- admin_gatekeeper();
-
- // Validate the action
- action_gatekeeper();
-
- // Get the plugin
- $mod = get_input('plugin');
- $mod = str_replace('.','',$mod);
- $mod = str_replace('/','',$mod);
-
- // Get the new order
- $order = (int) get_input('order');
-
- // Get the current plugin list
- $plugins = get_plugin_list();
-
- // Inject the plugin order back into the list
- if ($key = array_search($mod, $plugins)) {
-
- unset($plugins[$key]);
- while (isset($plugins[$order])) {
- $order++;
- }
-
- $plugins[$order] = $mod;
- }
-
- // Disable
- if (regenerate_plugin_list($plugins))
- system_message(sprintf(elgg_echo('admin:plugins:reorder:yes'), $plugin));
- else
- register_error(sprintf(elgg_echo('admin:plugins:reorder:no'), $plugin));
-
- forward($_SERVER['HTTP_REFERER']);
-
-?>
\ No newline at end of file
diff --git a/actions/admin/plugins/set_priority.php b/actions/admin/plugins/set_priority.php
new file mode 100644
index 000000000..edd735371
--- /dev/null
+++ b/actions/admin/plugins/set_priority.php
@@ -0,0 +1,39 @@
+<?php
+/**
+ * Changes the load priority of a plugin.
+ *
+ * Plugin priority affects view, action, and page handler
+ * overriding as well as the order of view extensions. Plugins with higher
+ * priority are loaded after and override plugins with lower priorities.
+ *
+ * NOTE: When viewing the plugin admin page, plugins LOWER on the page
+ * have HIGHER priority and will override views, etc from plugins above them.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.Plugins
+ */
+
+$plugin_guid = get_input('plugin_guid');
+$priority = get_input('priority');
+
+$plugin = get_entity($plugin_guid);
+
+if (!($plugin instanceof ElggPlugin)) {
+ register_error(elgg_echo('admin:plugins:set_priority:no', array($plugin_guid)));
+ forward(REFERER);
+}
+
+if ($plugin->setPriority($priority)) {
+ //system_message(elgg_echo('admin:plugins:set_priority:yes', array($plugin->getManifest()->getName())));
+} else {
+ $msg = $plugin->getError();
+ $string = ($msg) ? 'admin:plugins:set_priority:no_with_msg' : 'admin:plugins:set_priority:no';
+ register_error(elgg_echo($string, array($plugin->getFriendlyName(), $plugin->getError())));
+}
+
+// don't regenerate the simplecache because the plugin won't be
+// loaded until next run. Just invalidate and let it regnerate as needed
+elgg_invalidate_simplecache();
+elgg_reset_system_cache();
+
+forward(REFERER);
\ No newline at end of file
diff --git a/actions/admin/site/flush_cache.php b/actions/admin/site/flush_cache.php
new file mode 100644
index 000000000..ebb8296c7
--- /dev/null
+++ b/actions/admin/site/flush_cache.php
@@ -0,0 +1,10 @@
+<?php
+/**
+ * Flush all the caches
+ */
+
+elgg_invalidate_simplecache();
+elgg_reset_system_cache();
+
+system_message(elgg_echo('admin:cache:flushed'));
+forward(REFERER);
\ No newline at end of file
diff --git a/actions/admin/site/regenerate_secret.php b/actions/admin/site/regenerate_secret.php
new file mode 100644
index 000000000..3112fb5f3
--- /dev/null
+++ b/actions/admin/site/regenerate_secret.php
@@ -0,0 +1,11 @@
+<?php
+/**
+ * Generate a new site secret
+ */
+
+init_site_secret();
+elgg_reset_system_cache();
+
+system_message(elgg_echo('admin:site:secret_regenerated'));
+
+forward(REFERER);
diff --git a/actions/admin/site/unlock_upgrade.php b/actions/admin/site/unlock_upgrade.php
new file mode 100644
index 000000000..b625b1d26
--- /dev/null
+++ b/actions/admin/site/unlock_upgrade.php
@@ -0,0 +1,10 @@
+<?php
+/**
+ * Unlocks the upgrade script
+ */
+
+if (_elgg_upgrade_is_locked()) {
+ _elgg_upgrade_unlock();
+}
+system_message(elgg_echo('upgrade:unlock:success'));
+forward(REFERER);
diff --git a/actions/admin/site/update_advanced.php b/actions/admin/site/update_advanced.php
new file mode 100644
index 000000000..4888b0a8d
--- /dev/null
+++ b/actions/admin/site/update_advanced.php
@@ -0,0 +1,98 @@
+<?php
+/**
+ * Updates the advanced settings for the primary site object.
+ *
+ * Options are saved among metadata on the site object, entries
+ * in the datalist table, and entries in the config table.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.Site
+ */
+
+if ($site = elgg_get_site_entity()) {
+ if (!($site instanceof ElggSite)) {
+ throw new InstallationException(elgg_echo('InvalidParameterException:NonElggSite'));
+ }
+
+ $site->url = rtrim(get_input('wwwroot', '', false), '/') . '/';
+
+ datalist_set('path', sanitise_filepath(get_input('path', '', false)));
+ $dataroot = sanitise_filepath(get_input('dataroot', '', false));
+
+ // check for relative paths
+ if (stripos(PHP_OS, 'win') === 0) {
+ if (strpos($dataroot, ':') !== 1) {
+ $msg = elgg_echo('admin:configuration:dataroot:relative_path', array($dataroot));
+ register_error($msg);
+ forward(REFERER);
+ }
+ } else {
+ if (strpos($dataroot, '/') !== 0) {
+ $msg = elgg_echo('admin:configuration:dataroot:relative_path', array($dataroot));
+ register_error($msg);
+ forward(REFERER);
+ }
+ }
+
+ datalist_set('dataroot', $dataroot);
+
+ if (get_input('simplecache_enabled')) {
+ elgg_enable_simplecache();
+ } else {
+ elgg_disable_simplecache();
+ }
+
+ if (get_input('system_cache_enabled')) {
+ elgg_enable_system_cache();
+ } else {
+ elgg_disable_system_cache();
+ }
+
+ set_config('default_access', get_input('default_access', ACCESS_PRIVATE), $site->getGUID());
+
+ $user_default_access = (get_input('allow_user_default_access')) ? 1 : 0;
+ set_config('allow_user_default_access', $user_default_access, $site->getGUID());
+
+ $debug = get_input('debug');
+ if ($debug) {
+ set_config('debug', $debug, $site->getGUID());
+ } else {
+ unset_config('debug', $site->getGUID());
+ }
+
+ // allow new user registration?
+ if (get_input('allow_registration', FALSE)) {
+ set_config('allow_registration', TRUE, $site->getGUID());
+ } else {
+ set_config('allow_registration', FALSE, $site->getGUID());
+ }
+
+ // setup walled garden
+ if (get_input('walled_garden', FALSE)) {
+ set_config('walled_garden', TRUE, $site->getGUID());
+ } else {
+ set_config('walled_garden', FALSE, $site->getGUID());
+ }
+
+ $https_login = get_input('https_login');
+ if ($https_login) {
+ set_config('https_login', 1, $site->getGUID());
+ } else {
+ unset_config('https_login', $site->getGUID());
+ }
+
+ $api = get_input('api');
+ if ($api) {
+ unset_config('disable_api', $site->getGUID());
+ } else {
+ set_config('disable_api', 'disabled', $site->getGUID());
+ }
+
+ if ($site->save()) {
+ system_message(elgg_echo("admin:configuration:success"));
+ } else {
+ register_error(elgg_echo("admin:configuration:fail"));
+ }
+
+ forward(REFERER);
+}
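Review bot: update_advanced.php writes `datalist_set('path', ...)` before the dataroot check, so a request that is then rejected for a relative `dataroot` has already changed the stored install path; validate both values first and write them only once the checks pass. `path` itself gets no absolute-path check at all. `wwwroot`, `path` and `dataroot` are read with input filtering switched off (`get_input(..., '', false)`), and nothing here verifies that `wwwroot` is a well-formed http(s) URL before it becomes `$site->url`. `default_access` is likewise stored as submitted rather than checked against the known access levels.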
\ No newline at end of file
diff --git a/actions/admin/site/update_basic.php b/actions/admin/site/update_basic.php
index 5710e63b9..9765182cc 100644
--- a/actions/admin/site/update_basic.php
+++ b/actions/admin/site/update_basic.php
@@ -1,79 +1,27 @@
-<?php
-
- /**
- * Elgg update site action
- *
- * This is an update version of the sitesettings/install action which is used by the admin panel to modify basic settings.
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
+<?php +/** + * Updates the basic settings for the primary site object. + * + * Basic site settings are saved as metadata on the site object, + * with the exception of the default language, which is saved in + * the config table. + * + * @package Elgg.Core + * @subpackage Administration.Site + */ - global $CONFIG; - - // block non-admin users - admin_gatekeeper(); - action_gatekeeper(); -
- if (get_input('settings') == 'go') {
-
- if (datalist_get('default_site')) {
-
- $site = get_entity(datalist_get('default_site'));
- if (!($site instanceof ElggSite))
- throw new InstallationException(elgg_echo('InvalidParameterException:NonElggSite'));
-
- $site->description = get_input('sitedescription');
- $site->name = get_input('sitename');
- $site->email = get_input('siteemail');
- $site->url = get_input('wwwroot');
-
- datalist_set('path',sanitise_filepath(get_input('path')));
- datalist_set('dataroot',sanitise_filepath(get_input('dataroot')));
-
- set_config('language', get_input('language'), $site->getGUID());
-
- set_config('view', get_input('view'), $site->getGUID());
-
- $debug = get_input('debug');
- if ($debug)
- set_config('debug', 1, $site->getGUID());
- else
- unset_config('debug', $site->getGUID());
-
- $usage = get_input('usage');
- if ($usage)
- unset_config('ping_home', $site->getGUID());
- else
- set_config('ping_home', 'disabled', $site->getGUID());
-
- $api = get_input('api');
- if ($api)
- unset_config('disable_api', $site->getGUID());
- else
- set_config('disable_api', 'disabled', $site->getGUID());
-
- // Now ping home
- //if ((!isset($usage)) || ($usage!='disabled'))
- //{
- // ping_home($site);
- //}
-
- if ($site->save())
- system_message(elgg_echo("admin:configuration:success"));
- else
- register_error(elgg_echo("admin:configuration:fail"));
-
- //header("Location: {$CONFIG->wwwroot}admin/site/");
- forward($_SERVER['HTTP_REFERER']);
- exit;
-
- }
-
- }
-
-?>
\ No newline at end of file
+if ($site = elgg_get_site_entity()) {
+ if (!($site instanceof ElggSite)) {
+ throw new InstallationException(elgg_echo('InvalidParameterException:NonElggSite'));
+ }
+
+ $site->description = get_input('sitedescription');
+ $site->name = strip_tags(get_input('sitename'));
+ $site->email = get_input('siteemail');
+ $site->save();
+
+ set_config('language', get_input('language'), $site->getGUID());
+}
+
+system_message(elgg_echo('admin:configuration:success'));
+forward(REFERER);
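Review bot: The rewritten update_basic.php discards the result of `$site->save()` and emits `admin:configuration:success` unconditionally, including when `elgg_get_site_entity()` returns nothing and no setting was written. The code it replaces reported `admin:configuration:fail` on a failed save, and update_advanced.php in this commit still does; the same `if ($site->save()) { ... } else { register_error(elgg_echo('admin:configuration:fail')); }` belongs here. `sitename` is passed through `strip_tags()`, but `siteemail` is stored as submitted, so a format check before assignment would be consistent.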
\ No newline at end of file diff --git a/actions/admin/user/ban.php b/actions/admin/user/ban.php index ce2631f54..209ece2a0 100644 --- a/actions/admin/user/ban.php +++ b/actions/admin/user/ban.php @@ -1,38 +1,30 @@ <?php - /** - * Elgg ban user - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Bans a user. + * + * User entities are banned by setting the 'banned' column + * to 'yes' in the users_entity table. + * + * @package Elgg.Core + * @subpackage Administration.User + */ - require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php"); - - // block non-admin users - admin_gatekeeper(); - action_gatekeeper(); - - // Get the user - $guid = get_input('guid'); - $obj = get_entity($guid); - - if ( ($obj instanceof ElggUser) && ($obj->canEdit())) - {
- disable_entities($obj->guid);
- // Now actually disable it
- if ($obj->disable('banned')) {
- system_message(elgg_echo('admin:user:ban:yes'));
- } - else - register_error(elgg_echo('admin:user:ban:no')); - } - else +$guid = get_input('guid'); +$user = get_entity($guid); + +if ($guid == elgg_get_logged_in_user_guid()) { + register_error(elgg_echo('admin:user:self:ban:no')); + forward(REFERER); +} + +if (($user instanceof ElggUser) && ($user->canEdit())) { + if ($user->ban('banned')) { + system_message(elgg_echo('admin:user:ban:yes')); + } else { register_error(elgg_echo('admin:user:ban:no')); - - forward($_SERVER['HTTP_REFERER']); - exit; -?>
\ No newline at end of file
+ }
+} else {
+ register_error(elgg_echo('admin:user:ban:no'));
+}
+
+forward(REFERER);
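Review bot: The explicit `admin_gatekeeper(); action_gatekeeper();` calls are removed from ban.php and nothing in the new script replaces them, so the admin-only and action-token checks now depend entirely on how the action is registered and dispatched. That registration is not part of this diff (it is limited to 'actions'), so it is worth confirming that every script under actions/admin/ is registered as admin-only. A header line such as `// Access: admin only; admin and token checks are enforced by the action handler` would make the dependency visible to the next reader. The same removal applies to update_basic.php, delete.php, makeadmin.php, resetpassword.php and unban.php, and the new files under actions/admin/ are written the same way.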
\ No newline at end of file diff --git a/actions/admin/user/delete.php b/actions/admin/user/delete.php index ea5f79079..7cfbd0925 100644 --- a/actions/admin/user/delete.php +++ b/actions/admin/user/delete.php @@ -1,35 +1,40 @@ <?php - /** - * Elgg delete user - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Delete a user. + * + * The user will be deleted recursively, meaning all entities + * owned or contained by the user will also be removed. + * + * @package Elgg.Core + * @subpackage Administration.User + */ - require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php"); +// Get the user +$guid = get_input('guid'); +$user = get_entity($guid); - // block non-admin users - admin_gatekeeper(); - action_gatekeeper(); - - // Get the user - $guid = get_input('guid'); - $obj = get_entity($guid); - - if ( ($obj instanceof ElggUser) && ($obj->canEdit())) - { - if ($obj->delete()) - system_message(elgg_echo('admin:user:delete:yes')); - else - register_error(elgg_echo('admin:user:delete:no')); - } - else +if ($guid == elgg_get_logged_in_user_guid()) { + register_error(elgg_echo('admin:user:self:delete:no')); + forward(REFERER); +} + +$name = $user->name; +$username = $user->username; + +if (($user instanceof ElggUser) && ($user->canEdit())) { + if ($user->delete()) { + system_message(elgg_echo('admin:user:delete:yes', array($name))); + } else { register_error(elgg_echo('admin:user:delete:no')); - - forward($_SERVER['HTTP_REFERER']); - exit; -?>
\ No newline at end of file + } +} else { + register_error(elgg_echo('admin:user:delete:no')); +} + +// forward to user administration if on a user's page as it no longer exists +$forward = REFERER; +if (strpos($_SERVER['HTTP_REFERER'], $username) != FALSE) { + $forward = "admin/users/newest"; +} + +forward($forward); diff --git a/actions/admin/user/makeadmin.php b/actions/admin/user/makeadmin.php index 6466966c9..54b0b7070 100644 --- a/actions/admin/user/makeadmin.php +++ b/actions/admin/user/makeadmin.php @@ -1,37 +1,27 @@ <?php - /** - * Make another user an admin. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Grants admin privileges to a user. + * + * In >=1.7.1, admin is flagged by setting the admin + * column in the users_entity table. + * + * In <1.7.1, admin is a piece of metadata on the user object. + * + * @package Elgg.Core + * @subpackage Administration.User + */ - require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php"); - global $CONFIG; - - // block non-admin users - admin_gatekeeper(); - action_gatekeeper(); - - // Get the user - $guid = get_input('guid'); - $obj = get_entity($guid); - - if ( ($obj instanceof ElggUser) && ($obj->canEdit())) - { - $result = $obj->admin = 'yes'; - if ($result) - system_message(elgg_echo('admin:user:makeadmin:yes')); - else - register_error(elgg_echo('admin:user:makeadmin:no')); - } - else +$guid = get_input('guid'); +$user = get_entity($guid); + +if (($user instanceof ElggUser) && ($user->canEdit())) { + if ($user->makeAdmin()) { + system_message(elgg_echo('admin:user:makeadmin:yes')); + } else { register_error(elgg_echo('admin:user:makeadmin:no')); - - forward($_SERVER['HTTP_REFERER']); + } +} else { + register_error(elgg_echo('admin:user:makeadmin:no')); +} -?>
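Review bot: delete.php reads `$user->name` and `$user->username` before the `$user instanceof ElggUser` test, so a GUID that resolves to nothing dereferences a non-object and leaves `$username` empty when it reaches `strpos($_SERVER['HTTP_REFERER'], $username)`. Move the two reads inside the `instanceof` branch and run the referrer check only when `$username` is non-empty; `!== FALSE` is also the correct comparison for a `strpos()` result. The substring match is loose as well, since any referrer URL that merely contains the username is redirected to admin/users/newest.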
\ No newline at end of file
+forward(REFERER);
diff --git a/actions/admin/user/removeadmin.php b/actions/admin/user/removeadmin.php
new file mode 100644
index 000000000..8cebc7078
--- /dev/null
+++ b/actions/admin/user/removeadmin.php
@@ -0,0 +1,27 @@
+<?php
+/**
+ * Revokes admin privileges from a user.
+ *
+ * @package Elgg.Core
+ * @subpackage Administration.User
+ */
+
+$guid = get_input('guid');
+$user = get_entity($guid);
+
+if ($guid == elgg_get_logged_in_user_guid()) {
+ register_error(elgg_echo('admin:user:self:removeadmin:no'));
+ forward(REFERER);
+}
+
+if (($user instanceof ElggUser) && ($user->canEdit())) {
+ if ($user->removeAdmin()) {
+ system_message(elgg_echo('admin:user:removeadmin:yes'));
+ } else {
+ register_error(elgg_echo('admin:user:removeadmin:no'));
+ }
+} else {
+ register_error(elgg_echo('admin:user:removeadmin:no'));
+}
+
+forward(REFERER);
diff --git a/actions/admin/user/resetpassword.php b/actions/admin/user/resetpassword.php
index 60d739cf9..d019a7f55 100644
--- a/actions/admin/user/resetpassword.php
+++ b/actions/admin/user/resetpassword.php
@@ -1,43 +1,43 @@ <?php - /** - * Admin password reset. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Reset a user's password. + * + * This is an admin action that generates a new salt and password + * for a user, then emails the password to the user's registered + * email address. + * + * NOTE: This is different to the "reset password" link users + * can use in that it does not first email the user asking if + * they want to have their password reset. + * + * @package Elgg.Core + * @subpackage Administration.User + */ - require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php"); - global $CONFIG; - - // block non-admin users - admin_gatekeeper(); - action_gatekeeper(); - - // Get the user - $guid = get_input('guid'); - $obj = get_entity($guid); - - if ( ($obj instanceof ElggUser) && ($obj->canEdit())) - { - $password = generate_random_cleartext_password(); - - $obj->password = generate_user_password($obj, $password); - - if ($obj->save()) - { - system_message(elgg_echo('admin:user:resetpassword:yes')); - - notify_user($obj->guid, $CONFIG->site->guid, elgg_echo('email:resetpassword:subject'), sprintf(elgg_echo('email:resetpassword:body'), $obj->username, $password), NULL, 'email'); - } else - register_error(elgg_echo('admin:user:resetpassword:no')); - } - else +$guid = get_input('guid'); +$user = get_entity($guid); + +if (($user instanceof ElggUser) && ($user->canEdit())) { + $password = generate_random_cleartext_password(); + + // Always reset the salt before generating the user password. 
+ $user->salt = generate_random_cleartext_password(); + $user->password = generate_user_password($user, $password); + + if ($user->save()) { + system_message(elgg_echo('admin:user:resetpassword:yes')); + + notify_user($user->guid, + elgg_get_site_entity()->guid, + elgg_echo('email:resetpassword:subject'), + elgg_echo('email:resetpassword:body', array($user->username, $password)), + NULL, + 'email'); + } else { register_error(elgg_echo('admin:user:resetpassword:no')); - - forward($_SERVER['HTTP_REFERER']); - exit; -?>
\ No newline at end of file
+ }
+} else {
+ register_error(elgg_echo('admin:user:resetpassword:no'));
+}
+
+forward(REFERER);
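Review bot: resetpassword.php reports `admin:user:resetpassword:yes` as soon as `$user->save()` succeeds and discards the result of `notify_user()`, so if the mail is not delivered the account is left with a password nobody knows while the admin sees success. Check the notification result and register an error when it fails, so the admin knows to retry. The new password also travels in a cleartext email and stays valid until the user changes it; if the platform can flag an account for a forced change at next login, setting that here would limit the exposure. The salt is drawn from `generate_random_cleartext_password()`, whose randomness source is not visible in this diff and should be confirmed as suitable for that use.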
\ No newline at end of file diff --git a/actions/admin/user/unban.php b/actions/admin/user/unban.php index 7f7ce3157..7a772a0d3 100644 --- a/actions/admin/user/unban.php +++ b/actions/admin/user/unban.php @@ -1,41 +1,27 @@ <?php - /** - * Elgg ban user - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Unbans a user. + * + * @package Elgg.Core + * @subpackage Administration.User + */ - require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/engine/start.php"); - - // block non-admin users - admin_gatekeeper(); - action_gatekeeper(); - - $access_status = access_get_show_hidden_status(); - access_show_hidden_entities(true); - - // Get the user - $guid = get_input('guid'); - $obj = get_entity($guid); - - if ( ($obj instanceof ElggUser) && ($obj->canEdit())) - { - // Now actually disable it - if ($obj->enable()) - system_message(elgg_echo('admin:user:unban:yes')); - else - register_error(elgg_echo('admin:user:unban:no')); - } - else +$access_status = access_get_show_hidden_status(); +access_show_hidden_entities(true); + +$guid = get_input('guid'); +$user = get_entity($guid); + +if (($user instanceof ElggUser) && ($user->canEdit())) { + if ($user->unban()) { + system_message(elgg_echo('admin:user:unban:yes')); + } else { register_error(elgg_echo('admin:user:unban:no')); - - access_show_hidden_entities($access_status); - - forward($_SERVER['HTTP_REFERER']); - exit; -?>
\ No newline at end of file
+ }
+} else {
+ register_error(elgg_echo('admin:user:unban:no'));
+}
+
+access_show_hidden_entities($access_status);
+
+forward(REFERER);
diff --git a/actions/avatar/crop.php b/actions/avatar/crop.php
new file mode 100644
index 000000000..b9a80f331
--- /dev/null
+++ b/actions/avatar/crop.php
@@ -0,0 +1,72 @@
+<?php
+/**
+ * Avatar crop action
+ *
+ */
+
+$guid = get_input('guid');
+$owner = get_entity($guid);
+
+if (!$owner || !($owner instanceof ElggUser) || !$owner->canEdit()) {
+ register_error(elgg_echo('avatar:crop:fail'));
+ forward(REFERER);
+}
+
+$x1 = (int) get_input('x1', 0);
+$y1 = (int) get_input('y1', 0);
+$x2 = (int) get_input('x2', 0);
+$y2 = (int) get_input('y2', 0);
+
+$filehandler = new ElggFile();
+$filehandler->owner_guid = $owner->getGUID();
+$filehandler->setFilename("profile/" . $owner->guid . "master" . ".jpg");
+$filename = $filehandler->getFilenameOnFilestore();
+
+// ensuring the avatar image exists in the first place
+if (!file_exists($filename)) {
+ register_error(elgg_echo('avatar:crop:fail'));
+ forward(REFERER);
+}
+
+$icon_sizes = elgg_get_config('icon_sizes');
+unset($icon_sizes['master']);
+
+// get the images and save their file handlers into an array
+// so we can do clean up if one fails.
+$files = array();
+foreach ($icon_sizes as $name => $size_info) {
+ $resized = get_resized_image_from_existing_file($filename, $size_info['w'], $size_info['h'], $size_info['square'], $x1, $y1, $x2, $y2, $size_info['upscale']);
+
+ if ($resized) {
+ //@todo Make these actual entities. See exts #348.
+ $file = new ElggFile();
+ $file->owner_guid = $guid;
+ $file->setFilename("profile/{$guid}{$name}.jpg");
+ $file->open('write');
+ $file->write($resized);
+ $file->close();
+ $files[] = $file;
+ } else {
+ // cleanup on fail
+ foreach ($files as $file) {
+ $file->delete();
+ }
+
+ register_error(elgg_echo('avatar:resize:fail'));
+ forward(REFERER);
+ }
+}
+
+$owner->icontime = time();
+
+$owner->x1 = $x1;
+$owner->x2 = $x2;
+$owner->y1 = $y1;
+$owner->y2 = $y2;
+
+system_message(elgg_echo('avatar:crop:success'));
+$view = 'river/user/default/profileiconupdate';
+elgg_delete_river(array('subject_guid' => $owner->guid, 'view' => $view));
+add_to_river($view, 'update', $owner->guid, $owner->guid);
+
+forward(REFERER);
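Review bot: The resized icons in the `foreach` loop are written with the raw request value `$guid`, while the permission check and the master file name use the loaded entity (`$owner->guid`, `$owner->getGUID()`). How `get_entity()` normalises a non-numeric `guid` is not visible here, so the string that reaches `owner_guid` and the file name may differ from the GUID that passed `canEdit()`. Use the entity's own value in both places: `$file->owner_guid = $owner->guid;` and `$file->setFilename("profile/{$owner->guid}{$name}.jpg");`. actions/avatar/upload.php (`$guid`) and actions/avatar/remove.php (`$user_guid`) build their file names the same way and need the same change.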
diff --git a/actions/avatar/remove.php b/actions/avatar/remove.php
new file mode 100644
index 000000000..9cb40a760
--- /dev/null
+++ b/actions/avatar/remove.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * Avatar remove action
+ */
+
+$user_guid = get_input('guid');
+$user = get_user($user_guid);
+
+if (!$user || !$user->canEdit()) {
+ register_error(elgg_echo('avatar:remove:fail'));
+ forward(REFERER);
+}
+
+// Delete all icons from diskspace
+$icon_sizes = elgg_get_config('icon_sizes');
+foreach ($icon_sizes as $name => $size_info) {
+ $file = new ElggFile();
+ $file->owner_guid = $user_guid;
+ $file->setFilename("profile/{$user_guid}{$name}.jpg");
+ $filepath = $file->getFilenameOnFilestore();
+ if (!$file->delete()) {
+ elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
+ }
+}
+
+// Remove crop coords
+unset($user->x1);
+unset($user->x2);
+unset($user->y1);
+unset($user->y2);
+
+// Remove icon
+unset($user->icontime);
+
+system_message(elgg_echo('avatar:remove:success'));
+forward(REFERER);
diff --git a/actions/avatar/upload.php b/actions/avatar/upload.php
new file mode 100644
index 000000000..0752615e0
--- /dev/null
+++ b/actions/avatar/upload.php
@@ -0,0 +1,62 @@ +<?php +/** + * Avatar upload action + */ + +$guid = get_input('guid'); +$owner = get_entity($guid); + +if (!$owner || !($owner instanceof ElggUser) || !$owner->canEdit()) { + register_error(elgg_echo('avatar:upload:fail')); + forward(REFERER); +} + +if ($_FILES['avatar']['error'] != 0) { + register_error(elgg_echo('avatar:upload:fail')); + forward(REFERER); +} + +$icon_sizes = elgg_get_config('icon_sizes'); + +// get the images and save their file handlers into an array +// so we can do clean up if one fails. +$files = array(); +foreach ($icon_sizes as $name => $size_info) { + $resized = get_resized_image_from_uploaded_file('avatar', $size_info['w'], $size_info['h'], $size_info['square'], $size_info['upscale']); + + if ($resized) { + //@todo Make these actual entities. See exts #348. + $file = new ElggFile(); + $file->owner_guid = $guid; + $file->setFilename("profile/{$guid}{$name}.jpg"); + $file->open('write'); + $file->write($resized); + $file->close(); + $files[] = $file; + } else { + // cleanup on fail + foreach ($files as $file) { + $file->delete(); + } + + register_error(elgg_echo('avatar:resize:fail')); + forward(REFERER); + } +} + +// reset crop coordinates +$owner->x1 = 0; +$owner->x2 = 0; +$owner->y1 = 0; +$owner->y2 = 0; + +$owner->icontime = time(); +if (elgg_trigger_event('profileiconupdate', $owner->type, $owner)) { + system_message(elgg_echo("avatar:upload:success")); + + $view = 'river/user/default/profileiconupdate'; + elgg_delete_river(array('subject_guid' => $owner->guid, 'view' => $view)); + add_to_river($view, 'update', $owner->guid, $owner->guid); +} + +forward(REFERER); diff --git a/actions/comments/add.php b/actions/comments/add.php index e02079dbd..5bd741413 100644 --- a/actions/comments/add.php +++ b/actions/comments/add.php @@ -1,55 +1,62 @@ -<?php
-
- /**
- * Elgg add comment action
- *
- * @package Elgg
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider <curverider.co.uk>
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- // Make sure we're logged in; forward to the front page if not
- gatekeeper(); - action_gatekeeper();
-
- // Get input
- $entity_guid = (int) get_input('entity_guid');
- $comment_text = get_input('generic_comment');
-
- // Let's see if we can get an entity with the specified GUID
- if ($entity = get_entity($entity_guid)) {
-
- // If posting the comment was successful, say so
- if ($entity->annotate('generic_comment',$comment_text,$entity->access_id, $_SESSION['guid'])) {
-
- if ($entity->owner_guid != $_SESSION['user']->getGUID())
- notify_user($entity->owner_guid, $_SESSION['user']->getGUID(), elgg_echo('generic_comment:email:subject'),
- sprintf(
- elgg_echo('generic_comment:email:body'),
- $entity->title,
- $_SESSION['user']->name,
- $comment_text,
- $entity->getURL(),
- $_SESSION['user']->name,
- $_SESSION['user']->getURL()
- )
- );
-
- system_message(elgg_echo("generic_comment:posted"));
-
- } else {
- register_error(elgg_echo("generic_comment:failure"));
- }
-
- } else {
-
- register_error(elgg_echo("generic_comment:notfound"));
-
- }
-
- // Forward to the
- forward($entity->getURL());
-
-?>
\ No newline at end of file +<?php +/** + * Elgg add comment action + * + * @package Elgg.Core + * @subpackage Comments + */ + +$entity_guid = (int) get_input('entity_guid'); +$comment_text = get_input('generic_comment'); + +if (empty($comment_text)) { + register_error(elgg_echo("generic_comment:blank")); + forward(REFERER); +} + +// Let's see if we can get an entity with the specified GUID +$entity = get_entity($entity_guid); +if (!$entity) { + register_error(elgg_echo("generic_comment:notfound")); + forward(REFERER); +} + +$user = elgg_get_logged_in_user_entity(); + +$annotation = create_annotation($entity->guid, + 'generic_comment', + $comment_text, + "", + $user->guid, + $entity->access_id); + +// tell user annotation posted +if (!$annotation) { + register_error(elgg_echo("generic_comment:failure")); + forward(REFERER); +} + +// notify if poster wasn't owner +if ($entity->owner_guid != $user->guid) { + + notify_user($entity->owner_guid, + $user->guid, + elgg_echo('generic_comment:email:subject'), + elgg_echo('generic_comment:email:body', array( + $entity->title, + $user->name, + $comment_text, + $entity->getURL(), + $user->name, + $user->getURL() + )) + ); +} + +system_message(elgg_echo("generic_comment:posted")); + +//add to river +add_to_river('river/annotation/generic_comment/create', 'comment', $user->guid, $entity->guid, "", 0, $annotation); + +// Forward to the page the action occurred on +forward(REFERER); diff --git a/actions/comments/delete.php b/actions/comments/delete.php index 4b5af9e18..c6b481da4 100644 --- a/actions/comments/delete.php +++ b/actions/comments/delete.php @@ -1,35 +1,18 @@ -<?php
-
- /**
- * Elgg delete comment action
- *
- * @package Elgg
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider <curverider.co.uk>
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- // Ensure we're logged in
- if (!isloggedin()) forward();
-
- // Make sure we can get the comment in question
- $annotation_id = (int) get_input('annotation_id');
- if ($comment = get_annotation($annotation_id)) {
-
- $entity = get_entity($comment->entity_guid);
-
- if ($comment->canEdit()) {
- $comment->delete();
- system_message(elgg_echo("generic_comment:deleted"));
- forward($entity->getURL());
- }
-
- } else {
- $url = "";
- }
-
- register_error(elgg_echo("generic_comment:notdeleted"));
- forward($entity->getURL());
-
-?>
\ No newline at end of file +<?php +/** + * Elgg delete comment action + * + * @package Elgg + */ + +// Make sure we can get the comment in question +$annotation_id = (int) get_input('annotation_id'); +$comment = elgg_get_annotation_from_id($annotation_id); +if ($comment && $comment->canEdit()) { + $comment->delete(); + system_message(elgg_echo("generic_comment:deleted")); +} else { + register_error(elgg_echo("generic_comment:notdeleted")); +} + +forward(REFERER);
\ No newline at end of file diff --git a/actions/email/save.php b/actions/email/save.php deleted file mode 100644 index 236e011cb..000000000 --- a/actions/email/save.php +++ /dev/null @@ -1,45 +0,0 @@ -<?php - /** - * Action for saving a new email address for a user and triggering a confirmation. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ - - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - global $CONFIG; - - gatekeeper(); - - $email = get_input('email'); - $user_id = get_input('guid'); - $user = ""; - - if (!$user_id) - $user = $_SESSION['user']; - else - $user = get_entity($user_id); - - if ($user) - {
- if ($user->email != $email) { - $user->email = $email; - if ($user->save()) - { - request_user_validation($user->getGUID()); - system_message(elgg_echo('email:save:success')); - } - else - register_error(elgg_echo('email:save:fail'));
- } - } - else - register_error(elgg_echo('email:save:fail')); - - //forward($_SERVER['HTTP_REFERER']); - //exit; -?>
\ No newline at end of file diff --git a/actions/entities/delete.php b/actions/entities/delete.php index 667e821b7..251e1f01c 100644 --- a/actions/entities/delete.php +++ b/actions/entities/delete.php @@ -1,32 +1,22 @@ <?php - /** - * Default entity delete action - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Default entity delete action + * + * @package Elgg + * @subpackage Core + */ - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - - gatekeeper(); - - $guid = get_input('guid'); - - $entity = get_entity($guid); - - if (($entity) && ($entity->canEdit())) - { - if ($entity->delete()) - system_message(sprintf(elgg_echo('entity:delete:success'), $guid)); - else - register_error(sprintf(elgg_echo('entity:delete:fail'), $guid)); +$guid = get_input('guid'); +$entity = get_entity($guid); + +if (($entity) && ($entity->canEdit())) { + if ($entity->delete()) { + system_message(elgg_echo('entity:delete:success', array($guid))); + } else { + register_error(elgg_echo('entity:delete:fail', array($guid))); } - else - register_error(sprintf(elgg_echo('entity:delete:fail'), $guid)); - - forward($_SERVER['HTTP_REFERER']); -?>
\ No newline at end of file +} else { + register_error(elgg_echo('entity:delete:fail', array($guid))); +} + +forward(REFERER); diff --git a/actions/friends/add.php b/actions/friends/add.php index 760da81b7..d1800ee14 100644 --- a/actions/friends/add.php +++ b/actions/friends/add.php @@ -1,36 +1,35 @@ -<?php
-
- /**
- * Elgg add friend action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- // Ensure we are logged in
- gatekeeper();
-
- // Get the GUID of the user to friend
- $friend_guid = get_input('friend');
- $friend = get_entity($friend_guid);
-
- $errors = false;
-
- // Get the user
- try {
- $_SESSION['user']->addFriend($friend_guid);
- } catch (Exception $e) {
- register_error(sprintf(elgg_echo("friends:add:failure"),$friend->name));
- $errors = true;
- }
- if (!$errors)
- system_message(sprintf(elgg_echo("friends:add:successful"),$friend->name));
-
- // Forward to the user friends page
- forward("pg/friends/" . $_SESSION['user']->username . "/");
-
-?>
\ No newline at end of file +<?php +/** + * Elgg add friend action + * + * @package Elgg.Core + * @subpackage Friends.Management + */ + +// Get the GUID of the user to friend +$friend_guid = get_input('friend'); +$friend = get_entity($friend_guid); +if (!$friend) { + register_error(elgg_echo('error:missing_data')); + forward(REFERER); +} + +$errors = false; + +// Get the user +try { + if (!elgg_get_logged_in_user_entity()->addFriend($friend_guid)) { + $errors = true; + } +} catch (Exception $e) { + register_error(elgg_echo("friends:add:failure", array($friend->name))); + $errors = true; +} +if (!$errors) { + // add to river + add_to_river('river/relationship/friend/create', 'friend', elgg_get_logged_in_user_guid(), $friend_guid); + system_message(elgg_echo("friends:add:successful", array($friend->name))); +} + +// Forward back to the page you friended the user on +forward(REFERER); diff --git a/actions/friends/addcollection.php b/actions/friends/addcollection.php deleted file mode 100644 index 5eb539445..000000000 --- a/actions/friends/addcollection.php +++ /dev/null @@ -1,50 +0,0 @@ -<?php
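Review bot: The new guard in friends/add.php only checks that `get_entity($friend_guid)` returned something, so a GUID that resolves to a group or object passes and reaches `addFriend()` and the river entry. Whether `addFriend()` rejects non-users itself is not visible in this diff. remove.php already tests the type, and add.php should match it with `if (!($friend instanceof ElggUser)) {`. Separately, when `addFriend()` returns false the code sets `$errors = true` without registering a message, so the user gets no feedback; add `register_error(elgg_echo("friends:add:failure", array($friend->name)));` in that branch.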
-
- /**
- * Elgg collection add page
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- //must be logged in
- gatekeeper(); - action_gatekeeper();
-
- $collection_name = get_input('collection_name');
- $friends = get_input('friends_collection');
-
- //first check to make sure that a collection name has been set and create the new colection
- if($collection_name){
-
- //create the collection
- $create_collection = create_access_collection($collection_name, $_SESSION['user']->getGUID());
-
- //if the collection was created and the user passed some friends from the form, add them
- if($create_collection && (!empty($friends))){
-
- //add friends to the collection
- foreach($friends as $friend){
- add_user_to_access_collection($friend, $create_collection);
- }
-
- }
-
- // Success message
- system_message(elgg_echo("friends:collectionadded"));
- // Forward to the collections page
- forward("pg/collections/" . $_SESSION['user']->username);
-
- } else {
-
- register_error(elgg_echo("friends:nocollectionname"));
- // Forward to the add collection page
- forward("pg/collections/add");
-
- }
-
-?>
\ No newline at end of file diff --git a/actions/friends/collections/add.php b/actions/friends/collections/add.php new file mode 100644 index 000000000..e63a149f7 --- /dev/null +++ b/actions/friends/collections/add.php @@ -0,0 +1,31 @@ +<?php +/** + * Elgg collection add page + * + * @package Elgg.Core + * @subpackage Friends.Collections + */ + +$collection_name = htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES, 'UTF-8'); +$friends = get_input('friends_collection'); + +if (!$collection_name) { + register_error(elgg_echo("friends:nocollectionname")); + forward(REFERER); +} + +$id = create_access_collection($collection_name); + +if ($id) { + $result = update_access_collection($id, $friends); + if ($result) { + system_message(elgg_echo("friends:collectionadded")); + forward("collections/" . elgg_get_logged_in_user_entity()->username); + } else { + register_error(elgg_echo("friends:nocollectionname")); + forward(REFERER); + } +} else { + register_error(elgg_echo("friends:nocollectionname")); + forward(REFERER); +}
\ No newline at end of file
diff --git a/actions/friends/collections/delete.php b/actions/friends/collections/delete.php
new file mode 100644
index 000000000..ff8f1fb55
--- /dev/null
+++ b/actions/friends/collections/delete.php
@@ -0,0 +1,23 @@
+<?php
+/**
+ * Elgg friends: delete collection action
+ *
+ * @package Elgg.Core
+ * @subpackage Friends.Collections
+ */
+
+$collection_id = (int) get_input('collection');
+
+// check the ACL exists and we can edit
+if (!can_edit_access_collection($collection_id)) {
+ register_error(elgg_echo("friends:collectiondeletefailed"));
+ forward(REFERER);
+}
+
+if (delete_access_collection($collection_id)) {
+ system_message(elgg_echo("friends:collectiondeleted"));
+} else {
+ register_error(elgg_echo("friends:collectiondeletefailed"));
+}
+
+forward(REFERER);
diff --git a/actions/friends/collections/edit.php b/actions/friends/collections/edit.php
new file mode 100644
index 000000000..9eb5e1eab
--- /dev/null
+++ b/actions/friends/collections/edit.php
@@ -0,0 +1,23 @@
+<?php
+/**
+ * Friends collection edit action
+ *
+ * @package Elgg.Core
+ * @subpackage Friends.Collections
+ */
+
+$collection_id = get_input('collection_id');
+$friends = get_input('friend');
+
+// check it exists and we can edit
+if (!can_edit_access_collection($collection_id)) {
+ system_message(elgg_echo('friends:collection:edit_failed'));
+}
+
+if (update_access_collection($collection_id, $friends)) {
+ system_message(elgg_echo('friends:collections:edited'));
+} else {
+ system_message(elgg_echo('friends:collection:edit_failed'));
+}
+
+forward(REFERER);
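Review bot: The permission check in collections/edit.php does not stop the request: when `can_edit_access_collection($collection_id)` fails, the branch only queues a message and execution falls through to `update_access_collection($collection_id, $friends)`. Unless `update_access_collection()` repeats the check itself (not visible in this diff), the update runs on a collection the caller is not allowed to edit. The failed branch should end the action the way collections/delete.php does, with `register_error(elgg_echo('friends:collection:edit_failed'));` followed by `forward(REFERER);`. The `else` branch after the update should also use `register_error()` rather than `system_message()`, and `$collection_id` should be cast with `(int)` as in delete.php.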
\ No newline at end of file diff --git a/actions/friends/deletecollection.php b/actions/friends/deletecollection.php deleted file mode 100644 index 0644cc6c1..000000000 --- a/actions/friends/deletecollection.php +++ /dev/null @@ -1,52 +0,0 @@ -<?php
-
- /**
- * Elgg friends: delete collection action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- // Make sure we're logged in (send us to the front page if not)
- gatekeeper();
-
- // Get input data
- $collection_id = (int) get_input('collection');
-
- // Check to see that the access collection exist and grab its owner
- $get_collection = get_access_collection($collection_id);
-
- if($get_collection){
-
- if($get_collection->owner_guid == $_SESSION['user']->getGUID()){
-
- $delete_collection = delete_access_collection($collection_id);
-
- // Success message
- if ($delete_collection) - system_message(elgg_echo("friends:collectiondeleted")); - else - register_error(elgg_echo("friends:collectiondeletefailed"));
-
- } else {
-
- // Failure message
- register_error(elgg_echo("friends:collectiondeletefailed"));
-
- }
-
- } else {
-
- // Failure message
- register_error(elgg_echo("friends:collectiondeletefailed"));
-
- }
-
- // Forward to the collections page
- forward("pg/collections/" . $_SESSION['user']->username);
-
-?>
\ No newline at end of file diff --git a/actions/friends/editcollection.php b/actions/friends/editcollection.php deleted file mode 100644 index ab19fae0f..000000000 --- a/actions/friends/editcollection.php +++ /dev/null @@ -1,20 +0,0 @@ -<?php
-
- /**
- * Elgg collection add page
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- $collection_id = get_input('collection_id');
- $friends = get_input('friend');
-
- //chech the collection exists and the current user owners it
- update_access_collection($collection_id, $friends);
-
-?>
\ No newline at end of file diff --git a/actions/friends/remove.php b/actions/friends/remove.php index 1f3cdcc5b..d69d18f31 100644 --- a/actions/friends/remove.php +++ b/actions/friends/remove.php @@ -1,41 +1,32 @@ -<?php
-
- /**
- * Elgg remove friend action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- // Ensure we are logged in
- gatekeeper();
-
- // Get the GUID of the user to friend
- $friend_guid = get_input('friend');
- $friend = get_entity($friend_guid);
- $errors = false;
-
- // Get the user
- try{ - if ($friend instanceof ElggUser)
- $_SESSION['user']->removeFriend($friend_guid); - else - { - register_error(sprintf(elgg_echo("friends:remove:failure"),$friend->name)); - $errors = true; - }
- } catch (Exception $e) {
- register_error(sprintf(elgg_echo("friends:remove:failure"),$friend->name));
- $errors = true;
- }
- if (!$errors)
- system_message(sprintf(elgg_echo("friends:remove:successful"),$friend->name));
-
- // Forward to the user friends page
- forward("pg/friends/" . $_SESSION['user']->username . "/");
-
-?>
\ No newline at end of file +<?php +/** + * Elgg remove friend action + * + * @package Elgg.Core + * @subpackage Friends.Management + */ + +// Get the GUID of the user to friend +$friend_guid = get_input('friend'); +$friend = get_entity($friend_guid); +$errors = false; + +// Get the user +try{ + if ($friend instanceof ElggUser) { + elgg_get_logged_in_user_entity()->removeFriend($friend_guid); + } else { + register_error(elgg_echo("friends:remove:failure", array($friend->name))); + $errors = true; + } +} catch (Exception $e) { + register_error(elgg_echo("friends:remove:failure", array($friend->name))); + $errors = true; +} + +if (!$errors) { + system_message(elgg_echo("friends:remove:successful", array($friend->name))); +} + +// Forward back to the page you made the friend on +forward(REFERER); diff --git a/actions/import/opendd.php b/actions/import/opendd.php index 9121812e1..e63607145 100644 --- a/actions/import/opendd.php +++ b/actions/import/opendd.php @@ -1,32 +1,22 @@ <?php - /** - * Elgg OpenDD import action. - * - * This action accepts data to import (in OpenDD format) and performs and import. It accepts - * data as $data. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Elgg OpenDD import action. + * + * This action accepts data to import (in OpenDD format) and performs and import. It accepts + * data as $data. + * + * @package Elgg + * @subpackage Core + */ - // Safety - admin_gatekeeper(); - action_gatekeeper(); - - // Get input - $data = get_input('data', '', false); - - // Import - $return = import($data); - - if ($return) - system_message(elgg_echo('importsuccess')); - else - register_error(elgg_echo('importfail')); - - forward($_SERVER['HTTP_REFERER']); -?>
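Review bot: In friends/remove.php the `else` branch runs when `$friend` is not an `ElggUser`, which includes the case where `get_entity()` found nothing, yet the error message reads `$friend->name`; the `catch` block does the same. add.php in this commit gained an early guard, and remove.php should get one too, before the `try`: `if (!($friend instanceof ElggUser)) { register_error(elgg_echo('error:missing_data')); forward(REFERER); }`. The return value of `removeFriend()` is also ignored, so a removal that fails without throwing is still reported as successful.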
\ No newline at end of file +$data = get_input('data', '', false); + +$return = import($data); + +if ($return) { + system_message(elgg_echo('importsuccess')); +} else { + register_error(elgg_echo('importfail')); +} + +forward(REFERER); diff --git a/actions/login.php b/actions/login.php index 774b6dfaa..bd7f91299 100644 --- a/actions/login.php +++ b/actions/login.php @@ -1,47 +1,69 @@ -<?php
-
- /**
- * Elgg login action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
- - // Safety first - action_gatekeeper(); -
- // Get username and password
-
- $username = get_input('username');
- $password = get_input("password");
- $persistent = get_input("persistent");
-
- // If all is present and correct, try to log in
- $result = false;
- if (!empty($username) && !empty($password)) {
- if ($user = authenticate($username,$password)) {
- $result = login($user, $persistent);
- }
- }
-
- // Set the system_message as appropriate
-
- if ($result) {
- system_message(elgg_echo('loginok'));
- if ($_SESSION['last_forward_from']) - { - $forward_url = $_SESSION['last_forward_from']; - $_SESSION['last_forward_from'] = ""; - forward($forward_url); - } - else - forward("pg/dashboard/");
- } else {
- register_error(elgg_echo('loginerror'));
- }
-
-?>
\ No newline at end of file +<?php +/** + * Elgg login action + * + * @package Elgg.Core + * @subpackage User.Authentication + */ + +// set forward url +if (!empty($_SESSION['last_forward_from'])) { + $forward_url = $_SESSION['last_forward_from']; +} elseif (get_input('returntoreferer')) { + $forward_url = REFERER; +} else { + // forward to main index page + $forward_url = ''; +} + +$username = get_input('username'); +$password = get_input('password', null, false); +$persistent = (bool) get_input("persistent"); +$result = false; + +if (empty($username) || empty($password)) { + register_error(elgg_echo('login:empty')); + forward(); +} + +// check if logging in with email address +if (strpos($username, '@') !== false && ($users = get_user_by_email($username))) { + $username = $users[0]->username; +} + +$result = elgg_authenticate($username, $password); +if ($result !== true) { + register_error($result); + forward(REFERER); +} + +$user = get_user_by_username($username); +if (!$user) { + register_error(elgg_echo('login:baduser')); + forward(REFERER); +} + +try { + login($user, $persistent); + // re-register at least the core language file for users with language other than site default + register_translations(dirname(dirname(__FILE__)) . "/languages/"); +} catch (LoginException $e) { + register_error($e->getMessage()); + forward(REFERER); +} + +// elgg_echo() caches the language and does not provide a way to change the language. +// @todo we need to use the config object to store this so that the current language +// can be changed. Refs #4171 +if ($user->language) { + $message = elgg_echo('loginok', array(), $user->language); +} else { + $message = elgg_echo('loginok'); +} + +if (isset($_SESSION['last_forward_from'])) { + unset($_SESSION['last_forward_from']); +} + +system_message($message); +forward($forward_url); diff --git a/actions/logout.php b/actions/logout.php index 8d4eaa16d..c48a26b15 100644 --- a/actions/logout.php +++ b/actions/logout.php 
@@ -1,25 +1,18 @@ -<?php
-
- /**
- * Elgg logout action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- // Log out
- $result = logout();
-
- // Set the system_message as appropriate
-
- if ($result) {
- system_message(elgg_echo('logoutok'));
- } else {
- register_error(elgg_echo('logouterror'));
- }
-
-?>
\ No newline at end of file +<?php +/** + * Elgg logout action + * + * @package Elgg + * @subpackage Core + */ + +// Log out +$result = logout(); + +// Set the system_message as appropriate +if ($result) { + system_message(elgg_echo('logoutok')); + forward(); +} else { + register_error(elgg_echo('logouterror')); +}
\ No newline at end of file diff --git a/actions/notifications/settings/usersettings/save.php b/actions/notifications/settings/usersettings/save.php index fe6a64b93..455a444e1 100644 --- a/actions/notifications/settings/usersettings/save.php +++ b/actions/notifications/settings/usersettings/save.php @@ -1,37 +1,29 @@ <?php - /** - * Elgg notifications user preference save acion. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Elgg notifications user preference save acion. + * + * @package Elgg + * @subpackage Core + */ - // Method - $method = get_input('method'); - gatekeeper(); - - $result = false; - foreach ($method as $k => $v) - { - $result = set_user_notification_setting($_SESSION['user']->guid, $k, ($v == 'yes') ? true : false); - - if (!$result) - { - register_error(elgg_echo('notifications:usersettings:save:fail')); - //forward($_SERVER['HTTP_REFERER']); - - //exit; - } +$method = get_input('method'); + +$current_settings = get_user_notification_settings(); + +$result = false; +foreach ($method as $k => $v) { + // check if setting has changed and skip if not + if ($current_settings->$k == ($v == 'yes')) { + continue; } - - if ($result) - system_message(elgg_echo('notifications:usersettings:save:ok')); - else + + $result = set_user_notification_setting(elgg_get_logged_in_user_guid(), $k, ($v == 'yes') ? true : false); + + if (!$result) { register_error(elgg_echo('notifications:usersettings:save:fail')); - - //forward($_SERVER['HTTP_REFERER']); -?>
\ No newline at end of file + } +} + +if ($result) { + system_message(elgg_echo('notifications:usersettings:save:ok')); +} diff --git a/actions/plugins/settings/save.php b/actions/plugins/settings/save.php index e21bc1122..581a2f9ec 100644 --- a/actions/plugins/settings/save.php +++ b/actions/plugins/settings/save.php 
@@ -1,42 +1,43 @@ <?php - /** - * Elgg plugin settings save action. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Saves global plugin settings. + * + * This action can be overriden for a specific plugin by creating the + * <plugin_id>/settings/save action in that plugin. + * + * @uses array $_REQUEST['params'] A set of key/value pairs to save to the ElggPlugin entity + * @uses int $_REQUEST['plugin_id'] The ID of the plugin + * + * @package Elgg.Core + * @subpackage Plugins.Settings + */ - $params = get_input('params'); - $plugin = get_input('plugin'); +$params = get_input('params'); +$plugin_id = get_input('plugin_id'); +$plugin = elgg_get_plugin_from_id($plugin_id); - gatekeeper(); - action_gatekeeper(); - - $result = false; - - foreach ($params as $k => $v) - { - // Save - $result = set_plugin_setting($k, $v, $plugin); - - // Error? 
- if (!$result) - { - register_error(sprintf(elgg_echo('plugins:settings:save:fail'), $plugin)); - - forward($_SERVER['HTTP_REFERER']); - +if (!($plugin instanceof ElggPlugin)) { + register_error(elgg_echo('plugins:settings:save:fail', array($plugin_id))); + forward(REFERER); +} + +$plugin_name = $plugin->getManifest()->getName(); + +$result = false; + +// allow a plugin to override the save action for their settings +if (elgg_action_exists("$plugin_id/settings/save")) { + action("$plugin_id/settings/save"); +} else { + foreach ($params as $k => $v) { + $result = $plugin->setSetting($k, $v); + if (!$result) { + register_error(elgg_echo('plugins:settings:save:fail', array($plugin_name))); + forward(REFERER); exit; } } +} - // An event to tell any interested plugins of the change is settings - trigger_elgg_event('plugin_settings_save', $plugin, find_plugin_settings($plugin)); - - system_message(sprintf(elgg_echo('plugins:settings:save:ok'), $plugin)); - forward($_SERVER['HTTP_REFERER']); -?>
\ No newline at end of file
+system_message(elgg_echo('plugins:settings:save:ok', array($plugin_name)));
+forward(REFERER);
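Review bot: `$params` comes straight from the request and is iterated without a type check, so a request without `params`, or with a scalar, reaches `foreach ($params as $k => $v)` as a non-array. Normalise it at the top with `$params = (array) get_input('params', array());`. The request keys are also passed to `$plugin->setSetting($k, $v)` as they arrive; whether `setSetting()` restricts which names may be written is not visible here and is worth confirming. The `exit;` left after `forward(REFERER);` in the failure branch can be dropped, since the usersettings version of this loop no longer has it.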
\ No newline at end of file
diff --git a/actions/plugins/usersettings/save.php b/actions/plugins/usersettings/save.php
index 342e6c444..f6b8ab0b6 100644
--- a/actions/plugins/usersettings/save.php
+++ b/actions/plugins/usersettings/save.php
@@ -1,42 +1,58 @@ <?php - /** - * Elgg plugin user settings save action. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ - - $params = get_input('params'); - $plugin = get_input('plugin'); - - gatekeeper(); - action_gatekeeper(); - - $result = false; - - foreach ($params as $k => $v) - { +/** + * Saves user-specific plugin settings. + * + * This action can be overriden for a specific plugin by creating the + * <plugin_id>/usersettings/save action in that plugin. + * + * @uses array $_REQUEST['params'] A set of key/value pairs to save to the ElggPlugin entity + * @uses int $_REQUEST['plugin_id'] The id of the plugin + * @uses int $_REQUEST['user_guid'] The GUID of the user to save settings for. + * + * @package Elgg.Core + * @subpackage Plugins.Settings + */ + +$params = get_input('params'); +$plugin_id = get_input('plugin_id'); +$user_guid = get_input('user_guid', elgg_get_logged_in_user_guid()); +$plugin = elgg_get_plugin_from_id($plugin_id); +$user = get_entity($user_guid); + +if (!($plugin instanceof ElggPlugin)) { + register_error(elgg_echo('plugins:usersettings:save:fail', array($plugin_id))); + forward(REFERER); +} + +if (!($user instanceof ElggUser)) { + register_error(elgg_echo('plugins:usersettings:save:fail', array($plugin_id))); + forward(REFERER); +} + +$plugin_name = $plugin->getManifest()->getName(); + +// make sure we're admin or the user +if (!$user->canEdit()) { + register_error(elgg_echo('plugins:usersettings:save:fail', array($plugin_name))); + forward(REFERER); +} + +$result = false; + +if (elgg_action_exists("$plugin_id/usersettings/save")) { + action("$plugin_id/usersettings/save"); +} else { + foreach ($params as $k => $v) { // Save - $result = set_plugin_usersetting($k, $v, $_SESSION['user']->guid, $plugin); - + $result = $plugin->setUserSetting($k, $v, 
$user->guid); + // Error? - if (!$result) - { - register_error(sprintf(elgg_echo('plugins:usersettings:save:fail'), $plugin)); - - forward($_SERVER['HTTP_REFERER']); - - exit; + if (!$result) { + register_error(elgg_echo('plugins:usersettings:save:fail', array($plugin_name))); + forward(REFERER); } } +} - // An event to tell any interested plugins of the change is settings - trigger_elgg_event('plugin_usersettings_save', $plugin, find_plugin_settings($plugin)); - - system_message(sprintf(elgg_echo('plugins:usersettings:save:ok'), $plugin)); - forward($_SERVER['HTTP_REFERER']); -?>
\ No newline at end of file
+system_message(elgg_echo('plugins:usersettings:save:ok', array($plugin_name)));
+forward(REFERER);
diff --git a/actions/profile/edit.php b/actions/profile/edit.php
new file mode 100644
index 000000000..e1f066e82
--- /dev/null
+++ b/actions/profile/edit.php
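Review bot: `foreach ($params as $k => $v)` runs on whatever `get_input('params')` returns, so a request without a `params` array raises a PHP warning, saves nothing and still reaches the `plugins:usersettings:save:ok` message. Normalising the input first keeps the loop well defined: `$params = get_input('params', array());` followed by `if (!is_array($params)) { $params = array(); }`. Whether an empty set should report success is a separate decision. The plugin settings save hunk above has the same unguarded loop.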
@@ -0,0 +1,116 @@ +<?php +/** + * Elgg profile edit action + * + */ + +elgg_make_sticky_form('profile:edit'); + +$guid = get_input('guid'); +$owner = get_entity($guid); + +if (!$owner || !($owner instanceof ElggUser) || !$owner->canEdit()) { + register_error(elgg_echo('profile:edit:fail')); + forward(REFERER); +} + +// grab the defined profile field names and their load the values from POST. +// each field can have its own access, so sort that too. +$input = array(); +$accesslevel = get_input('accesslevel'); + +if (!is_array($accesslevel)) { + $accesslevel = array(); +} + +/** + * wrapper for recursive array walk decoding + */ +function profile_array_decoder(&$v) { + $v = _elgg_html_decode($v); +} + +$profile_fields = elgg_get_config('profile_fields'); +foreach ($profile_fields as $shortname => $valuetype) { + // the decoding is a stop gap to prevent && showing up in profile fields + // because it is escaped on both input (get_input()) and output (view:output/text). see #561 and #1405. + // must decode in utf8 or string corruption occurs. see #1567. + $value = get_input($shortname); + if (is_array($value)) { + array_walk_recursive($value, 'profile_array_decoder'); + } else { + $value = _elgg_html_decode($value); + } + + // limit to reasonable sizes + // @todo - throwing away changes due to this is dumb! 
+ if (!is_array($value) && $valuetype != 'longtext' && elgg_strlen($value) > 250) { + $error = elgg_echo('profile:field_too_long', array(elgg_echo("profile:{$shortname}"))); + register_error($error); + forward(REFERER); + } + + if ($value && $valuetype == 'url' && !preg_match('~^https?\://~i', $value)) { + $value = "http://$value"; + } + + if ($valuetype == 'tags') { + $value = string_to_tag_array($value); + } + + $input[$shortname] = $value; +} + +// display name is handled separately +$name = strip_tags(get_input('name')); +if ($name) { + if (elgg_strlen($name) > 50) { + register_error(elgg_echo('user:name:fail')); + } elseif ($owner->name != $name) { + $owner->name = $name; + $owner->save(); + } +} + +// go through custom fields +if (sizeof($input) > 0) { + foreach ($input as $shortname => $value) { + $options = array( + 'guid' => $owner->guid, + 'metadata_name' => $shortname, + 'limit' => false + ); + elgg_delete_metadata($options); + + if (!is_null($value) && ($value !== '')) { + // only create metadata for non empty values (0 is allowed) to prevent metadata records with empty string values #4858 + + if (isset($accesslevel[$shortname])) { + $access_id = (int) $accesslevel[$shortname]; + } else { + // this should never be executed since the access level should always be set + $access_id = ACCESS_DEFAULT; + } + if (is_array($value)) { + $i = 0; + foreach ($value as $interval) { + $i++; + $multiple = ($i > 1) ? TRUE : FALSE; + create_metadata($owner->guid, $shortname, $interval, 'text', $owner->guid, $access_id, $multiple); + } + } else { + create_metadata($owner->getGUID(), $shortname, $value, 'text', $owner->getGUID(), $access_id); + } + } + } + + $owner->save(); + + // Notify of profile update + elgg_trigger_event('profileupdate', $owner->type, $owner); + + elgg_clear_sticky_form('profile:edit'); + system_message(elgg_echo("profile:saved")); +} + +forward($owner->getUrl()); 
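Review bot: The per-field access level is taken from the request and only cast, `$access_id = (int) $accesslevel[$shortname];`, before it is passed to `create_metadata()`, so any integer is accepted as an access id. It would be safer to accept only ids the editing user may write to, e.g. `if (!array_key_exists($access_id, get_write_access_array())) { $access_id = ACCESS_DEFAULT; }`, assuming `get_write_access_array()` returns the permitted ids as keys; which user's list applies when an admin edits someone else's profile needs a decision. Separately, a display name longer than 50 characters registers `user:name:fail` but the action carries on and can still end with `profile:saved`; a `forward(REFERER);` after that error would match the handling of over-long fields earlier in the hunk.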
diff --git a/actions/profile/fields/add.php b/actions/profile/fields/add.php new file mode 100644 index 000000000..fce783092 --- /dev/null +++ b/actions/profile/fields/add.php @@ -0,0 +1,40 @@ +<?php +/** + * Elgg profile plugin edit default profile action + * + */ + +$label = get_input('label'); +$type = get_input('type'); + +$fieldlist = elgg_get_config('profile_custom_fields'); +if (!$fieldlist) { + $fieldlist = ''; + $id = 1; +} else { + $fieldlistarray = explode(',', $fieldlist); + foreach ($fieldlistarray as $key => $value) { + $fieldlistarray[$key] = (int)$value; + } + $id = max($fieldlistarray) + 1; +} + +if (($label) && ($type)) { + if (!empty($fieldlist)) { + $fieldlist .= ','; + } + $fieldlist .= "$id"; + + if (elgg_save_config("admin_defined_profile_$id", $label) && + elgg_save_config("admin_defined_profile_type_$id", $type) && + elgg_save_config('profile_custom_fields', $fieldlist)) { + + system_message(elgg_echo('profile:editdefault:success')); + } else { + register_error(elgg_echo('profile:editdefault:fail')); + } +} else { + register_error(elgg_echo('profile:editdefault:fail')); +} + +forward(REFERER);
\ No newline at end of file diff --git a/actions/profile/fields/delete.php b/actions/profile/fields/delete.php new file mode 100644 index 000000000..9879feb3f --- /dev/null +++ b/actions/profile/fields/delete.php @@ -0,0 +1,28 @@ +<?php +/** + * Elgg profile plugin edit default profile action removal + * + */ + +$id = get_input('id'); + +$fieldlist = elgg_get_config('profile_custom_fields'); +if (!$fieldlist) { + $fieldlist = ''; +} + +$fieldlist = str_replace("{$id},", "", $fieldlist); +$fieldlist = str_replace(",{$id}", "", $fieldlist); +$fieldlist = str_replace("{$id}", "", $fieldlist); + +if ($id && + unset_config("admin_defined_profile_$id") && + unset_config("admin_defined_profile_type_$id") && + elgg_save_config('profile_custom_fields', $fieldlist)) { + + system_message(elgg_echo('profile:editdefault:delete:success')); +} else { + register_error(elgg_echo('profile:editdefault:delete:fail')); +} + +forward(REFERER);
\ No newline at end of file diff --git a/actions/profile/fields/edit.php b/actions/profile/fields/edit.php new file mode 100644 index 000000000..5fc84ff11 --- /dev/null +++ b/actions/profile/fields/edit.php @@ -0,0 +1,20 @@ +<?php +/** + * Edit a custom profile field + */ + +$id = get_input('id'); +$label = get_input('label'); + +if (!elgg_get_config("admin_defined_profile_$id")) { + register_error(elgg_echo('profile:editdefault:fail')); + forward(REFERER); +} + +if (elgg_save_config("admin_defined_profile_$id", $label)) { + system_message(elgg_echo('profile:editdefault:success')); +} else { + register_error(elgg_echo('profile:editdefault:fail')); +} + +forward(REFERER);
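Review bot: Removing the id with three `str_replace()` calls works on substrings, not list items, so the stored `profile_custom_fields` list is corrupted whenever the digits of one id occur inside another (with the list `1,10,11` and id `1` the three calls leave `0`). `$id` also comes straight from `get_input('id')`, so a non-numeric value is used both in the replacement and in the `unset_config()` key names. Treating the value as a list avoids both: `$id = (int) get_input('id');` followed by `$fieldlist = implode(',', array_diff(explode(',', $fieldlist), array($id)));`.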
\ No newline at end of file diff --git a/actions/profile/fields/reorder.php b/actions/profile/fields/reorder.php new file mode 100644 index 000000000..27c716749 --- /dev/null +++ b/actions/profile/fields/reorder.php @@ -0,0 +1,12 @@ +<?php +/** + * Elgg profile plugin reorder fields + * + */ + +$ordering = get_input('fieldorder'); + +$result = elgg_save_config('profile_custom_fields', $ordering); + +// called by ajax so we exit +exit; diff --git a/actions/profile/fields/reset.php b/actions/profile/fields/reset.php new file mode 100644 index 000000000..19efae479 --- /dev/null +++ b/actions/profile/fields/reset.php @@ -0,0 +1,20 @@ +<?php +/** + * Reset profile fields action + * + */ + +$fieldlist = elgg_get_config('profile_custom_fields'); +if ($fieldlist) { + $fieldlistarray = explode(',', $fieldlist); + foreach ($fieldlistarray as $listitem) { + unset_config("admin_defined_profile_{$listitem}"); + unset_config("admin_defined_profile_type_{$listitem}"); + } +} + +unset_config('profile_custom_fields'); + +system_message(elgg_echo('profile:defaultprofile:reset')); + +forward(REFERER);
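Review bot: `fieldorder` is written to `profile_custom_fields` exactly as received in `actions/profile/fields/reorder.php`, with no check that it is a reordering of the ids already stored there. The add and reset actions in this commit `explode(',', ...)` that value and build config key names from the pieces, so a malformed ordering leaves them working on unexpected names. I would accept the submitted list only when it contains exactly the stored ids, as sketched below; `$result` is also assigned but never read, so a failed save is silent.

```php
$ordering = get_input('fieldorder');

// accept only a reordering of the ids that are already stored
$current = array_filter(explode(',', (string) elgg_get_config('profile_custom_fields')), 'strlen');
$submitted = array_filter(explode(',', (string) $ordering), 'strlen');
if (count(array_unique($submitted)) === count($current) && !array_diff($submitted, $current)) {
	$result = elgg_save_config('profile_custom_fields', implode(',', $submitted));
}
// … unchanged: exit for the ajax caller …
```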
\ No newline at end of file diff --git a/actions/register.php b/actions/register.php index 5cbb9afbf..73926232c 100644 --- a/actions/register.php +++ b/actions/register.php @@ -1,77 +1,80 @@ -<?php
-
- /**
- * Elgg registration action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
+<?php +/** + * Elgg registration action + * + * @package Elgg.Core + * @subpackage User.Account + */ - require_once(dirname(dirname(__FILE__)) . "/engine/start.php"); - global $CONFIG; - - action_gatekeeper(); -
- // Get variables
- $username = get_input('username');
- $password = get_input('password');
- $password2 = get_input('password2');
- $email = get_input('email');
- $name = get_input('name');
- $friend_guid = (int) get_input('friend_guid',0);
- $invitecode = get_input('invitecode');
- - $admin = get_input('admin'); - if (is_array($admin)) $admin = $admin[0]; - - - if (!$CONFIG->disable_registration) - {
- // For now, just try and register the user - - try {
- if ( - ( - (trim($password)!="") && - (strcmp($password, $password2)==0) - ) && - ($guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode)) - ) { - - $new_user = get_entity($guid); - if (($guid) && ($admin)) - { - admin_gatekeeper(); // Only admins can make someone an admin - $new_user->admin = 'yes'; - } - - // Send user validation request on register only - request_user_validation($guid); - - if (!$new_user->admin) - $new_user->disable('new_user'); // Now disable if not an admin -
- system_message(sprintf(elgg_echo("registerok"),$CONFIG->sitename)); - - forward(); // Forward on success, assume everything else is an error...
- } else {
- register_error(elgg_echo("registerbad"));
- } - } catch (RegistrationException $r) { - register_error($r->getMessage()); +elgg_make_sticky_form('register'); + +// Get variables +$username = get_input('username'); +$password = get_input('password', null, false); +$password2 = get_input('password2', null, false); +$email = get_input('email'); +$name = get_input('name'); +$friend_guid = (int) get_input('friend_guid', 0); +$invitecode = get_input('invitecode'); + +if (elgg_get_config('allow_registration')) { + try { + if (trim($password) == "" || trim($password2) == "") { + throw new RegistrationException(elgg_echo('RegistrationException:EmptyPassword')); + } + + if (strcmp($password, $password2) != 0) { + throw new RegistrationException(elgg_echo('RegistrationException:PasswordMismatch')); + } + + $guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode); + + if ($guid) { + $new_user = get_entity($guid); + + // allow plugins to respond to self registration + // note: To catch all new users, even those created by an admin, + // register for the create, user event instead. + // only passing vars that aren't in ElggUser. + $params = array( + 'user' => $new_user, + 'password' => $password, + 'friend_guid' => $friend_guid, + 'invitecode' => $invitecode + ); + + // @todo should registration be allowed no matter what the plugins return? + if (!elgg_trigger_plugin_hook('register', 'user', $params, TRUE)) { + $ia = elgg_set_ignore_access(true); + $new_user->delete(); + elgg_set_ignore_access($ia); + // @todo this is a generic messages. We could have plugins + // throw a RegistrationException, but that is very odd + // for the plugin hooks system. 
+ throw new RegistrationException(elgg_echo('registerbad')); } + + elgg_clear_sticky_form('register'); + system_message(elgg_echo("registerok", array(elgg_get_site_entity()->name))); + + // if exception thrown, this probably means there is a validation + // plugin that has disabled the user + try { + login($new_user); + } catch (LoginException $e) { + // do nothing + } + + // Forward on success, assume everything else is an error... + forward(); + } else { + register_error(elgg_echo("registerbad")); } - else - register_error(elgg_echo('registerdisabled')); - - $qs = explode('?',$_SERVER['HTTP_REFERER']); - $qs = $qs[0]; - $qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name) . "&friend_guid=" . $friend_guid; - - forward($qs);
-
-?>
\ No newline at end of file + } catch (RegistrationException $r) { + register_error($r->getMessage()); + } +} else { + register_error(elgg_echo('registerdisabled')); +} + +forward(REFERER); diff --git a/actions/river/delete.php b/actions/river/delete.php new file mode 100644 index 000000000..0d8297932 --- /dev/null +++ b/actions/river/delete.php @@ -0,0 +1,21 @@ +<?php +/** + * River item delete action + * + * @package Elgg + * @subpackage Core + */ + +$id = get_input('id', false); + +if ($id !== false && elgg_is_admin_logged_in()) { + if (elgg_delete_river(array('id' => $id))) { + system_message(elgg_echo('river:delete:success')); + } else { + register_error(elgg_echo('river:delete:fail')); + } +} else { + register_error(elgg_echo('river:delete:fail')); +} + +forward(REFERER); diff --git a/actions/security/refreshtoken.php b/actions/security/refreshtoken.php new file mode 100644 index 000000000..74a72c4af --- /dev/null +++ b/actions/security/refreshtoken.php @@ -0,0 +1,5 @@ +<?php +$ts = time(); +$token = generate_action_token($ts); + +echo json_encode(array('__elgg_ts' => $ts, '__elgg_token' => $token));
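Review bot: `elgg_make_sticky_form('register')` runs before any validation and `elgg_clear_sticky_form('register')` is reached only on success, so after every failed registration the submitted form values stay in the session. If the sticky-form helper stores the whole request, which is not visible in this hunk, that includes `password` and `password2`; I would confirm that and, if so, remove those two keys from the stored form right after the call. The `useradd.php` hunk later in this commit follows the same pattern. The `$params` array also hands the cleartext `password` to every `register, user` hook handler, which deserves a line in the comment above it, e.g. `// 'password' is the cleartext value: handlers must not log or store it`.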
\ No newline at end of file diff --git a/actions/systemsettings/install.php b/actions/systemsettings/install.php deleted file mode 100644 index 25846d6f1..000000000 --- a/actions/systemsettings/install.php +++ /dev/null @@ -1,115 +0,0 @@ -<?php
-
- /**
- * Elgg install site action
- *
- * Creates a nwe site and sets it as the default
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */ - - elgg_set_viewtype('failsafe'); // Set failsafe again incase we get an exception thrown - - if (is_installed()) forward(); -
- if (get_input('settings') == 'go') {
-
- if (!datalist_get('default_site')) {
- - // Sanitise - $path = sanitise_filepath(get_input('path')); - $dataroot = sanitise_filepath(get_input('dataroot')); - - // Blank? - if ($dataroot == "/") - throw new InstallationException(elgg_echo('InstallationException:DatarootBlank')); - - // That it's valid - if (stripos($dataroot, $path)!==false) - throw new InstallationException(sprintf(elgg_echo('InstallationException:DatarootUnderPath'), $dataroot)); - - // Check data root is writable - if (!is_writable($dataroot)) - throw new InstallationException(sprintf(elgg_echo('InstallationException:DatarootNotWritable'), $dataroot)); - -
- $site = new ElggSite();
- $site->name = get_input('sitename');
- $site->url = get_input('wwwroot'); - $site->description = get_input('sitedescription'); - $site->email = get_input('siteemail');
- $site->access_id = 2; // The site is public
- $guid = $site->save();
- - if (!$guid) - throw new InstallationException(sprintf(elgg_echo('InstallationException:CantCreateSite'), get_input('sitename'), get_input('wwwroot'))); -
- datalist_set('installed',time());
-
- datalist_set('path', $path);
- datalist_set('dataroot', $dataroot); -
- datalist_set('default_site',$site->getGUID()); - - set_config('view', get_input('view'), $site->getGUID()); - set_config('language', get_input('language'), $site->getGUID()); - - $debug = get_input('debug'); - if ($debug) - set_config('debug', 1, $site->getGUID()); - else - unset_config('debug', $site->getGUID()); - - $usage = get_input('usage'); - if (is_array($usage)) $usage = $usage[0]; - - if ($usage) - unset_config('ping_home', $site->getGUID()); - else - set_config('ping_home', 'disabled', $site->getGUID()); - - $api = get_input('api'); - if ($api) - unset_config('disable_api', $site->getGUID()); - else - set_config('disable_api', 'disabled', $site->getGUID()); -
- - // activate some plugins by default - if (isset($CONFIG->default_plugins)) - { - $plugins = explode(',', $CONFIG->default_plugins); - foreach ($plugins as $plugin) - enable_plugin(trim($plugins), $site->getGUID()); - } - else - { - enable_plugin('profile', $site->getGUID()); - enable_plugin('river', $site->getGUID()); - enable_plugin('updateclient', $site->getGUID()); - enable_plugin('logbrowser', $site->getGUID()); - enable_plugin('diagnostics', $site->getGUID()); - enable_plugin('uservalidationbyemail', $site->getGUID()); - } - - // Now ping home - if ($usage) - { - ping_home($site); - } -
- system_message(elgg_echo("installation:configuration:success"));
-
- header("Location: ../../account/register.php");
- exit;
-
- }
-
- }
-
-?>
\ No newline at end of file diff --git a/actions/user/language.php b/actions/user/language.php deleted file mode 100644 index 704939ca1..000000000 --- a/actions/user/language.php +++ /dev/null @@ -1,40 +0,0 @@ -<?php - /** - * Action for changing a user's personal language settings - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ - - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - global $CONFIG; - - gatekeeper(); - - $language = get_input('language'); - $user_id = get_input('guid'); - $user = ""; - - if (!$user_id) - $user = $_SESSION['user']; - else - $user = get_entity($user_id); - - if (($user) && ($language)) - { - $user->language = $language; - if ($user->save()) - system_message(elgg_echo('user:language:success')); - else - register_error(elgg_echo('user:language:fail')); - } - else - register_error(elgg_echo('user:language:fail')); - - //forward($_SERVER['HTTP_REFERER']); - //exit; -?>
\ No newline at end of file diff --git a/actions/user/name.php b/actions/user/name.php deleted file mode 100644 index 65809323c..000000000 --- a/actions/user/name.php +++ /dev/null @@ -1,40 +0,0 @@ -<?php - /** - * Action for changing a user's name - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ - - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - global $CONFIG; - - gatekeeper(); - - $name = get_input('name'); - $user_id = get_input('guid'); - $user = ""; - - if (!$user_id) - $user = $_SESSION['user']; - else - $user = get_entity($user_id); - - if (($user) && ($name)) - { - $user->name = $name; - if ($user->save()) - system_message(elgg_echo('user:name:success')); - else - register_error(elgg_echo('user:name:fail')); - } - else - register_error(elgg_echo('user:name:fail')); - - //forward($_SERVER['HTTP_REFERER']); - //exit; -?>
\ No newline at end of file diff --git a/actions/user/password.php b/actions/user/password.php deleted file mode 100644 index aae22cc02..000000000 --- a/actions/user/password.php +++ /dev/null @@ -1,49 +0,0 @@ -<?php - /** - * Action for changing a user's password - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ - - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - global $CONFIG; - - gatekeeper(); - - $password = get_input('password'); - $password2 = get_input('password2'); - $user_id = get_input('guid'); - $user = ""; - - if (!$user_id) - $user = $_SESSION['user']; - else - $user = get_entity($user_id); - - if (($user) && ($password!="")) - { - if (strlen($password)>=4) - { - if ($password == $password2) - { - $user->password = generate_user_password($user, $password); - if ($user->save()) - system_message(elgg_echo('user:password:success')); - else - register_error(elgg_echo('user:password:fail')); - } - else - register_error(elgg_echo('user:password:fail:notsame')); - } - else - register_error(elgg_echo('user:password:fail:tooshort')); - } - - //forward($_SERVER['HTTP_REFERER']); - //exit; -?>
\ No newline at end of file diff --git a/actions/user/passwordreset.php b/actions/user/passwordreset.php index 683651d39..201d6abcf 100644 --- a/actions/user/passwordreset.php +++ b/actions/user/passwordreset.php @@ -1,27 +1,19 @@ <?php - /** - * Action to reset a password and send success email. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Action to reset a password and send success email. + * + * @package Elgg + * @subpackage Core + */ - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - global $CONFIG; - - $user_guid = get_input('u'); - $code = get_input('c'); - - if (execute_new_password_request($user_guid, $code)) - system_message(elgg_echo('user:password:success')); - else - register_error(elgg_echo('user:password:fail')); - - forward($_SERVER['HTTP_REFERER']); - exit; - -?>
\ No newline at end of file +$user_guid = get_input('u'); +$code = get_input('c'); + +if (execute_new_password_request($user_guid, $code)) { + system_message(elgg_echo('user:password:success')); +} else { + register_error(elgg_echo('user:password:fail')); +} + +forward(); +exit; diff --git a/actions/user/requestnewpassword.php b/actions/user/requestnewpassword.php index 3ed2d604e..f1d4fa43c 100644 --- a/actions/user/requestnewpassword.php +++ b/actions/user/requestnewpassword.php @@ -1,33 +1,27 @@ <?php - /** - * Action to request a new password. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ +/** + * Action to request a new password. + * + * @package Elgg.Core + * @subpackage User.Account + */ - require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php"); - global $CONFIG; - - action_gatekeeper(); - - $username = get_input('username'); - - $user = get_user_by_username($username); - if ($user) - { - if (send_new_password_request($user->guid)) - system_message(elgg_echo('user:password:resetreq:success')); - else - register_error(elgg_echo('user:password:resetreq:fail')); +$username = get_input('username'); + +// allow email addresses +if (strpos($username, '@') !== false && ($users = get_user_by_email($username))) { + $username = $users[0]->username; +} + +$user = get_user_by_username($username); +if ($user) { + if (send_new_password_request($user->guid)) { + system_message(elgg_echo('user:password:resetreq:success')); + } else { + register_error(elgg_echo('user:password:resetreq:fail')); } - else - register_error(sprintf(elgg_echo('user:username:notfound'), $username)); - - forward($_SERVER['HTTP_REFERER']); - exit; -?>
\ No newline at end of file +} else { + register_error(elgg_echo('user:username:notfound', array($username))); +} + +forward(); diff --git a/actions/user/spotlight.php b/actions/user/spotlight.php index b43af2f16..202dde387 100644 --- a/actions/user/spotlight.php +++ b/actions/user/spotlight.php @@ -1,15 +1,19 @@ -<?php
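Review bot: The `user:username:notfound` error tells an unauthenticated caller whether an account exists, and with the new `get_user_by_email()` lookup the same answer is now given for e-mail addresses as well as usernames. A reset endpoint is safer when both branches return the same neutral message, e.g. replacing the body of the final `else` with `system_message(elgg_echo('user:password:resetreq:success'));`, and when requests are rate limited per client, which this hunk does not show. When several accounts share an address only `$users[0]` is used, so the others cannot request a reset this way; that choice should be stated in the `// allow email addresses` comment.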
-
- gatekeeper();
-
- $closed = get_input('closed','true');
- if ($closed != 'true') {
- $closed = false;
- } else {
- $closed = true;
- }
-
- $_SESSION['user']->spotlightclosed = $closed;
- exit;
-
-?>
\ No newline at end of file +<?php +/** + * Close or open spotlight. + * + * @package Elgg.Core + * @subpackage Spotlight + * @todo This is deprecated in 1.8 + */ + +$closed = get_input('closed', 'true'); +if ($closed != 'true') { + $closed = false; +} else { + $closed = true; +} + +elgg_get_logged_in_user_entity()->spotlightclosed = $closed; +// exit as this action is called through Ajax +exit;
\ No newline at end of file diff --git a/actions/useradd.php b/actions/useradd.php index b59dc36b1..17459021b 100644 --- a/actions/useradd.php +++ b/actions/useradd.php 
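Review bot: `elgg_get_logged_in_user_entity()->spotlightclosed = $closed;` in `actions/user/spotlight.php` dereferences the result without a check, while the `gatekeeper()` call that used to stop anonymous requests is removed. Unless the action is registered for logged-in users only (not visible here), a request without a session ends in a PHP error instead of a clean exit. A guard is enough: `$user = elgg_get_logged_in_user_entity();` then `if ($user) { $user->spotlightclosed = $closed; }`.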
@@ -1,54 +1,69 @@ <?php +/** + * Elgg add action + * + * @package Elgg + * @subpackage Core + */ - /** - * Elgg add action - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008 - * @link http://elgg.org/ - */ - - require_once(dirname(dirname(__FILE__)) . "/engine/start.php"); - - admin_gatekeeper(); // Only admins can make someone an admin - action_gatekeeper(); - - // Get variables - $username = get_input('username'); - $password = get_input('password'); - $password2 = get_input('password2'); - $email = get_input('email'); - $name = get_input('name'); - - $admin = get_input('admin'); - if (is_array($admin)) $admin = $admin[0]; - - // For now, just try and register the user - try { - if ( - ( - (trim($password)!="") && - (strcmp($password, $password2)==0) - ) && - ($guid = register_user($username, $password, $name, $email, true)) - ) { - $new_user = get_entity($guid); - if (($guid) && ($admin)) - $new_user->admin = 'yes'; - - $new_user->admin_created = true; - - system_message(sprintf(elgg_echo("adduser:ok"),$CONFIG->sitename)); - } else { - register_error(elgg_echo("adduser:bad")); +elgg_make_sticky_form('useradd'); + +// Get variables +$username = get_input('username'); +$password = get_input('password', null, false); +$password2 = get_input('password2', null, false); +$email = get_input('email'); +$name = get_input('name'); + +$admin = get_input('admin'); +if (is_array($admin)) { + $admin = $admin[0]; +} + +// no blank fields +if ($username == '' || $password == '' || $password2 == '' || $email == '' || $name == '') { + register_error(elgg_echo('register:fields')); + forward(REFERER); +} + +if (strcmp($password, $password2) != 0) { + register_error(elgg_echo('RegistrationException:PasswordMismatch')); + forward(REFERER); +} + +// For now, just try and register the user +try { + $guid = register_user($username, 
$password, $name, $email, TRUE); + + if ($guid) { + $new_user = get_entity($guid); + if ($new_user && $admin && elgg_is_admin_logged_in()) { + $new_user->makeAdmin(); } - } catch (RegistrationException $r) { - register_error($r->getMessage()); + + elgg_clear_sticky_form('useradd'); + + $new_user->admin_created = TRUE; + // @todo ugh, saving a guid as metadata! + $new_user->created_by_guid = elgg_get_logged_in_user_guid(); + + $subject = elgg_echo('useradd:subject'); + $body = elgg_echo('useradd:body', array( + $name, + elgg_get_site_entity()->name, + elgg_get_site_entity()->url, + $username, + $password, + )); + + notify_user($new_user->guid, elgg_get_site_entity()->guid, $subject, $body); + + system_message(elgg_echo("adduser:ok", array(elgg_get_site_entity()->name))); + } else { + register_error(elgg_echo("adduser:bad")); } +} catch (RegistrationException $r) { + register_error($r->getMessage()); +} - forward($_SERVER['HTTP_REFERER']); - exit; -?>
\ No newline at end of file +forward(REFERER); diff --git a/actions/usersettings/save.php b/actions/usersettings/save.php index 5b1b9f736..eb6cdbd5d 100644 --- a/actions/usersettings/save.php +++ b/actions/usersettings/save.php @@ -1,22 +1,11 @@ -<?php
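Review bot: The new `useradd:body` notification puts the `$password` chosen by the administrator into the message body, so the credential leaves the site in cleartext and remains in the recipient's mailbox and in any mail logs along the way. I would leave the password out of the body and send the account holder through the existing reset flow instead (`send_new_password_request($new_user->guid)`), or at least require a password change at first login; either needs the `useradd:body` language string adjusted, which is outside this hunk. Also, `$new_user` is null-checked only for `makeAdmin()`, while the following `$new_user->admin_created = TRUE;` assumes `get_entity($guid)` succeeded.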
- /**
- * Aggregate action for saving settings
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php");
- global $CONFIG;
-
- gatekeeper(); - action_gatekeeper();
-
- trigger_plugin_hook('usersettings:save','user');
-
- forward($_SERVER['HTTP_REFERER']);
-
-?>
+<?php +/** + * Aggregate action for saving settings + * + * @package Elgg.Core + * @subpackage UserSettings + */ + +elgg_trigger_plugin_hook('usersettings:save', 'user'); + +forward(REFERER); diff --git a/actions/widgets/add.php b/actions/widgets/add.php index 07e167a96..d7b2f291c 100644 --- a/actions/widgets/add.php +++ b/actions/widgets/add.php @@ -1,43 +1,42 @@ -<?php
-
- /**
- * Elgg widget add action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- $guid = get_input('user');
- $handler = get_input('handler');
- $context = get_input('context');
- $column = get_input('column');
-
- $result = false;
-
- if (!empty($guid)) {
-
- if ($user = get_entity($guid)) {
-
- if ($user->canEdit()) {
-
- $result = add_widget($user->getGUID(),$handler,$context,0,$column);
-
- }
-
- }
-
- }
-
- if ($result) {
- system_message(elgg_echo('widgets:save:success'));
- } else {
- system_message(elgg_echo('widgets:save:failure'));
- }
-
- forward($_SERVER['HTTP_REFERER']);
-
-?>
\ No newline at end of file +<?php +/** + * Elgg widget add action + * + * @package Elgg.Core + * @subpackage Widgets.Management + */ + +$owner_guid = get_input('owner_guid'); +$handler = get_input('handler'); +$context = get_input('context'); +$show_access = (bool)get_input('show_access', true); +$column = get_input('column', 1); +$default_widgets = get_input('default_widgets', 0); + +elgg_push_context($context); +if ($default_widgets) { + elgg_push_context('default_widgets'); +} +elgg_push_context('widgets'); + +if (!empty($owner_guid)) { + $owner = get_entity($owner_guid); + if ($owner && $owner->canEdit()) { + $guid = elgg_create_widget($owner->getGUID(), $handler, $context); + if ($guid) { + $widget = get_entity($guid); + + // position the widget + $widget->move($column, 0); + + // send widget html for insertion + echo elgg_view_entity($widget, array('show_access' => $show_access)); + + //system_message(elgg_echo('widgets:add:success')); + forward(REFERER); + } + } +} + +register_error(elgg_echo('widgets:add:failure')); +forward(REFERER); diff --git a/actions/widgets/delete.php b/actions/widgets/delete.php new file mode 100644 index 000000000..47920013d --- /dev/null +++ b/actions/widgets/delete.php @@ -0,0 +1,20 @@ +<?php +/** + * Elgg widget delete action + * + * @package Elgg.Core + * @subpackage Widgets.Management + */ + +$widget_guid = get_input('widget_guid'); +$owner_guid = get_input('owner_guid', elgg_get_logged_in_user_guid()); + +$widget = get_entity($widget_guid); +$owner = get_entity($owner_guid); + +if ($widget && $owner->canEdit() && $widget->delete()) { + forward(REFERER); +} + +register_error(elgg_echo('widgets:remove:failure')); +forward(REFERER); diff --git a/actions/widgets/move.php b/actions/widgets/move.php new file mode 100644 index 000000000..eab650c9c --- /dev/null +++ b/actions/widgets/move.php 
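Review bot: In `actions/widgets/delete.php` the permission check in `if ($widget && $owner->canEdit() && $widget->delete())` is made on the entity named by the request's `owner_guid` (defaulting to the logged-in user), not on the widget, and nothing ties `$owner` to `$widget`. Whether `delete()` re-checks permissions internally is not visible here, so the action should not depend on it: check the target itself with `elgg_instanceof($widget, 'object', 'widget') && $widget->canEdit() && $widget->delete()`. `$owner` can also be null when `owner_guid` does not resolve, which turns `$owner->canEdit()` into a fatal error. The `widgets/move.php` hunk that follows has the same `$widget && $owner->canEdit()` condition before `$widget->move($column, $position)`.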
@@ -0,0 +1,24 @@
+<?php
+/**
+ * Elgg widget move action
+ *
+ * @package Elgg.Core
+ * @subpackage Widgets.Management
+ */
+
+$widget_guid = get_input('widget_guid');
+$column = get_input('column', 1);
+$position = get_input('position');
+$owner_guid = get_input('owner_guid', elgg_get_logged_in_user_guid());
+
+$widget = get_entity($widget_guid);
+$owner = get_entity($owner_guid);
+
+
+if ($widget && $owner->canEdit()) {
+ $widget->move($column, $position);
+ forward(REFERER);
+}
+
+register_error(elgg_echo('widgets:move:failure'));
+forward(REFERER);
\ No newline at end of file
diff --git a/actions/widgets/reorder.php b/actions/widgets/reorder.php
index ff0fa4b52..e43a0ba73 100644
--- a/actions/widgets/reorder.php
+++ b/actions/widgets/reorder.php
@@ -1,32 +1,24 @@
-<?php
-
- /**
- * Elgg widget reorder action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
-
- $owner = get_input('owner');
- $context = get_input('context');
-
- $maincontent = get_input('debugField1');
- $sidebar = get_input('debugField2');
- $rightbar = get_input('debugField3');
-
- $result = reorder_widgets_from_panel($maincontent, $sidebar, $rightbar, $context, $owner);
-
- if ($result) {
- system_message(elgg_echo('widgets:panel:save:success'));
- } else {
- system_message(elgg_echo('widgets:panel:save:failure'));
- }
-
- forward($_SERVER['HTTP_REFERER']);
-
-?>
\ No newline at end of file
+<?php
+/**
+ * Elgg widget reorder action
+ *
+ * @package Elgg.Core
+ * @subpackage Widgets.Management
+ */
+
+$owner = get_input('owner');
+$context = get_input('context');
+
+$maincontent = get_input('debugField1');
+$sidebar = get_input('debugField2');
+$rightbar = get_input('debugField3');
+
+$result = reorder_widgets_from_panel($maincontent, $sidebar, $rightbar, $context, $owner);
+
+if ($result) {
+ system_message(elgg_echo('widgets:panel:save:success'));
+} else {
+ register_error(elgg_echo('widgets:panel:save:failure'));
+}
+
+forward(REFERER);
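Review bot: `$owner` is read from the request and passed straight to `reorder_widgets_from_panel()` with no permission check in this action, whereas the add action in the same commit loads the owner and requires `$owner->canEdit()` before doing anything. If the helper does not perform that check itself (its body is not in this diff), the action should load and test the owner before the call, for example `$owner_entity = get_entity($owner);` followed by `if (!$owner_entity || !$owner_entity->canEdit()) { register_error(elgg_echo('widgets:panel:save:failure')); forward(REFERER); }`. A short comment stating where authorization for this action is enforced would help the next reader either way.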
\ No newline at end of file
diff --git a/actions/widgets/save.php b/actions/widgets/save.php
index fce221672..e15deab77 100644
--- a/actions/widgets/save.php
+++ b/actions/widgets/save.php
@@ -1,38 +1,44 @@
-<?php
-
- /**
- * Elgg widget save action
- *
- * @package Elgg
- * @subpackage Core
- * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
- * @copyright Curverider Ltd 2008
- * @link http://elgg.org/
- */
-
- action_gatekeeper();
-
- $guid = get_input('guid');
- $params = $_REQUEST['params'];
- $pageurl = get_input('pageurl');
- $noforward = get_input('noforward',false);
-
- $result = false;
-
- if (!empty($guid)) {
-
- $result = save_widget_info($guid,$params);
-
- }
-
- if ($result) {
- system_message(elgg_echo('widgets:save:success'));
- } else {
- register_error(elgg_echo('widgets:save:failure'));
- }
-
- if (!$noforward)
- forward($_SERVER['HTTP_REFERER']);
-
-?>
\ No newline at end of file
+<?php
+/**
+ * Elgg save widget settings action
+ *
+ * @package Elgg.Core
+ * @subpackage Widgets.Management
+ *
+ * @uses int $_REQUEST['guid'] The guid of the widget to save
+ * @uses array $_REQUEST['params'] An array of params to set on the widget.
+ * @uses int $_REQUEST['default_widgets'] Flag for if these settings are for default wigets.
+ * @uses string $_REQUEST['context'] An optional context of the widget. Used to return
+ * the correct output if widget content changes
+ * depending on context.
+ *
+ */
+
+elgg_set_context('widgets');
+
+$guid = get_input('guid');
+$params = get_input('params');
+$default_widgets = get_input('default_widgets', 0);
+$context = get_input('context');
+
+$widget = get_entity($guid);
+if ($widget && $widget->saveSettings($params)) {
+ elgg_set_page_owner_guid($widget->getContainerGUID());
+ if ($context) {
+ elgg_push_context($context);
+ }
+
+ if (!$default_widgets) {
+ if (elgg_view_exists("widgets/$widget->handler/content")) {
+ $view = "widgets/$widget->handler/content";
+ } else {
+ elgg_deprecated_notice("widgets use content as the display view", 1.8);
+ $view = "widgets/$widget->handler/view";
+ }
+ echo elgg_view($view, array('entity' => $widget));
+ }
+} else {
+ register_error(elgg_echo('widgets:save:failure'));
+}
+
+forward(REFERER);
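Review bot: The result of `get_entity($guid)` is treated as a widget without checking its type or the caller's rights: `if ($widget && $widget->saveSettings($params))` calls `saveSettings()` on whatever entity the GUID resolves to. For a non-widget that is a fatal error, and authorization rests entirely on `saveSettings()`, whose body is not in this diff. A guard such as `if (elgg_instanceof($widget, 'object', 'widget') && $widget->canEdit() && $widget->saveSettings($params)) {` makes both conditions explicit. The new version also drops the explicit `action_gatekeeper();` call from the old file, so it is worth confirming that the action dispatcher validates the request token for every action before this script runs.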
\ No newline at end of file
diff --git a/actions/widgets/upgrade.php b/actions/widgets/upgrade.php
new file mode 100644
index 000000000..0a5cf8d48
--- /dev/null
+++ b/actions/widgets/upgrade.php
@@ -0,0 +1,65 @@
+<?php
+/**
+ * Upgrade default widgets for Elgg 1.8
+ *
+ * Pre-1.8, default widgets were stored as metadata on a defaultwidgets object.
+ * Now they are stored as widget objects owned by the site.
+ *
+ * @package Elgg.Core
+ * @subpackage Widgets.Management
+ */
+
+$object = elgg_get_entities(array(
+ 'type' => 'object',
+ 'subtype' => 'moddefaultwidgets',
+ 'limit' => 1,
+));
+
+if (!$object) {
+ forward(REFERER);
+}
+
+$object = $object[0];
+
+$site = elgg_get_site_entity();
+
+$ia = elgg_set_ignore_access(true);
+foreach (array('profile', 'dashboard') as $context) {
+ if (isset($object->$context)) {
+ elgg_push_context($context);
+ elgg_push_context('default_widgets');
+ elgg_push_context('widgets');
+
+ // deserialize the widget information
+ list($left, $middle, $right) = split('%%', $object->$context);
+ $left_widgets = split('::', $left);
+ $middle_widgets = split('::', $middle);
+ $right_widgets = split('::', $right);
+
+ // 1st column is right column in default theme
+ $widgets = array(
+ 1 => array_reverse($right_widgets),
+ 2 => array_reverse($middle_widgets),
+ 3 => array_reverse($left_widgets),
+ );
+
+ foreach ($widgets as $column => $column_widgets) {
+ foreach ($column_widgets as $handler) {
+ $guid = elgg_create_widget($site->getGUID(), $handler, $context);
+ if ($guid) {
+ $widget = get_entity($guid);
+ $widget->move($column, 0);
+ }
+ }
+ }
+
+ elgg_pop_context();
+ elgg_pop_context();
+ elgg_pop_context();
+ }
+}
+elgg_set_ignore_access($ia);
+
+$object->delete();
+system_message(elgg_echo('upgrade:core'));
+forward(REFERER); |
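Review bot: The four `split()` calls in the deserialization step use the POSIX-regex function that PHP 5.3 deprecates; the delimiters are literal strings, so `explode('%%', $object->$context)` and `explode('::', $left)` (likewise for `$middle` and `$right`) do the same job. `list($left, $middle, $right)` also assumes the stored value always has three `%%`-separated parts, so a shorter value leaves the missing variables unset before they are split again. The whole loop runs under `elgg_set_ignore_access(true)` and the script ends with `$object->delete()`, so it is worth confirming that this action is registered as admin-only; the registration is not part of this hunk.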
