18 files changed, 409 insertions, 193 deletions

diff --git a/engine/lib/access.php b/engine/lib/access.php
index 3b2b7aeaa..f7d3bf7ea 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -12,6 +12,26 @@
  */
 
 /**
+ * Return an ElggCache static variable cache for the access caches
+ *
+ * @staticvar ElggStaticVariableCache $access_cache
+ * @return \ElggStaticVariableCache
+ * @access private
+ */
+function _elgg_get_access_cache() {
+	/**
+	 * A default filestore cache using the dataroot.
+	 */
+	static $access_cache;
+
+	if (!$access_cache) {
+		$access_cache = new ElggStaticVariableCache('access');
+	}
+
+	return $access_cache;
+}
+
+/**
  * Return a string of access_ids for $user_id appropriate for inserting into an SQL IN clause.
  *
  * @uses get_access_array
@@ -29,10 +49,10 @@
  */
 function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
 	global $CONFIG, $init_finished;
-	static $access_list;
-
-	if (!isset($access_list)) {
-		$access_list = array();
+	$cache = _elgg_get_access_cache();
+	
+	if ($flush) {
+		$cache->clear();
 	}
 
 	if ($user_id == 0) {
@@ -45,20 +65,20 @@ function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
 	$user_id = (int) $user_id;
 	$site_id = (int) $site_id;
 
-	if (isset($access_list[$user_id]) && $flush == false) {
-		return $access_list[$user_id];
-	}
+	$hash = $user_id . $site_id . 'get_access_list';
 
-	$access = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")";
+	if ($cache[$hash]) {
+		return $cache[$hash];
+	}
+	
+	$access_array = get_access_array($user_id, $site_id, $flush);
+	$access = "(" . implode(",", $access_array) . ")";
 
-	// only cache if done with init and access is enabled (unless admin user)
-	// session is loaded before init is finished, so don't need to check for user session
-	if ($init_finished && (elgg_is_admin_logged_in() || !elgg_get_ignore_access())) {
-		$access_list[$user_id] = $access;
-		return $access_list[$user_id];
-	} else {
-		return $access;
+	if ($init_finished) {
+		$cache[$hash] = $access;
 	}
+	
+	return $access;
 }
 
 /**
@@ -86,9 +106,11 @@ function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
 function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
 	global $CONFIG, $init_finished;
 
-	// @todo everything from the db is cached.
-	// this cache might be redundant. But db cache is flushed on every db write.
-	static $access_array = array();
+	$cache = _elgg_get_access_cache();
+
+	if ($flush) {
+		$cache->clear();
+	}
 
 	if ($user_id == 0) {
 		$user_id = elgg_get_logged_in_user_guid();
@@ -101,35 +123,41 @@ function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
 	$user_id = (int) $user_id;
 	$site_id = (int) $site_id;
 
-	if (empty($access_array[$user_id]) || $flush == true) {
-		$tmp_access_array = array(ACCESS_PUBLIC);
+	$hash = $user_id . $site_id . 'get_access_array';
+
+	if ($cache[$hash]) {
+		$access_array = $cache[$hash];
+	} else {
+		$access_array = array(ACCESS_PUBLIC);
 
 		// The following can only return sensible data if the user is logged in.
 		if (elgg_is_logged_in()) {
-			$tmp_access_array[] = ACCESS_LOGGED_IN;
+			$access_array[] = ACCESS_LOGGED_IN;
 
 			// Get ACL memberships
 			$query = "SELECT am.access_collection_id"
 				. " FROM {$CONFIG->dbprefix}access_collection_membership am"
 				. " LEFT JOIN {$CONFIG->dbprefix}access_collections ag ON ag.id = am.access_collection_id"
-				. " WHERE am.user_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
+				. " WHERE am.user_guid = $user_id AND (ag.site_guid = $site_id OR ag.site_guid = 0)";
 
-			if ($collections = get_data($query)) {
+			$collections = get_data($query);
+			if ($collections) {
 				foreach ($collections as $collection) {
 					if (!empty($collection->access_collection_id)) {
-						$tmp_access_array[] = (int)$collection->access_collection_id;
+						$access_array[] = (int)$collection->access_collection_id;
 					}
 				}
 			}
 
 			// Get ACLs owned.
 			$query = "SELECT ag.id FROM {$CONFIG->dbprefix}access_collections ag ";
-			$query .= "WHERE ag.owner_guid = {$user_id} AND (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
+			$query .= "WHERE ag.owner_guid = $user_id AND (ag.site_guid = $site_id OR ag.site_guid = 0)";
 
-			if ($collections = get_data($query)) {
+			$collections = get_data($query);
+			if ($collections) {
 				foreach ($collections as $collection) {
 					if (!empty($collection->id)) {
-						$tmp_access_array[] = (int)$collection->id;
+						$access_array[] = (int)$collection->id;
 					}
 				}
 			}
@@ -137,21 +165,21 @@ function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
 			$ignore_access = elgg_check_access_overrides($user_id);
 
 			if ($ignore_access == true) {
-				$tmp_access_array[] = ACCESS_PRIVATE;
+				$access_array[] = ACCESS_PRIVATE;
 			}
+		}
 
-			// only cache if done with init and access is enabled (unless admin user)
-			// session is loaded before init is finished, so don't need to check for user session
-			if ($init_finished && (elgg_is_admin_logged_in() || !elgg_get_ignore_access())) {
-				$access_array[$user_id] = $tmp_access_array;
-			}
+		if ($init_finished) {
+			$cache[$hash] = $access_array;
 		}
-	} else {
-		$tmp_access_array = $access_array[$user_id];
 	}
 
-	$options = array('user_id' => $user_id, 'site_id' => $site_id);
-	return elgg_trigger_plugin_hook('access:collections:read', 'user', $options, $tmp_access_array);
+	$options = array(
+		'user_id' => $user_id,
+		'site_id' => $site_id
+	);
+	
+	return elgg_trigger_plugin_hook('access:collections:read', 'user', $options, $access_array);
 }
 
 /**
@@ -397,9 +425,12 @@ function has_access_to_entity($entity, $user = null) {
  * @link http://docs.elgg.org/Access
  */
 function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) {
-	global $CONFIG;
-	//@todo this is probably not needed since caching happens at the DB level.
-	static $access_array;
+	global $CONFIG, $init_finished;
+	$cache = _elgg_get_access_cache();
+
+	if ($flush) {
+		$cache->clear();
+	}
 
 	if ($user_id == 0) {
 		$user_id = elgg_get_logged_in_user_guid();
@@ -412,37 +443,41 @@ function get_write_access_array($user_id = 0, $site_id = 0, $flush = false) {
 	$user_id = (int) $user_id;
 	$site_id = (int) $site_id;
 
-	if (empty($access_array[$user_id]) || $flush == true) {
-		$query = "SELECT ag.* FROM {$CONFIG->dbprefix}access_collections ag ";
-		$query .= " WHERE (ag.site_guid = {$site_id} OR ag.site_guid = 0)";
-		$query .= " AND (ag.owner_guid = {$user_id})";
-		// ACCESS_PRIVATE through ACCESS_PUBLIC take 0 through 2
-		// @todo this AND clause is unnecessary because of id starts at 3 for table
-		$query .= " AND ag.id >= 3";
+	$hash = $user_id . $site_id . 'get_write_access_array';
 
-		$tmp_access_array = array(
+	if ($cache[$hash]) {
+		$access_array = $cache[$hash];
+	} else {
+		// @todo is there such a thing as public write access?
+		$access_array = array(
 			ACCESS_PRIVATE => elgg_echo("PRIVATE"),
 			ACCESS_FRIENDS => elgg_echo("access:friends:label"),
 			ACCESS_LOGGED_IN => elgg_echo("LOGGED_IN"),
 			ACCESS_PUBLIC => elgg_echo("PUBLIC")
 		);
+		
+		$query = "SELECT ag.* FROM {$CONFIG->dbprefix}access_collections ag ";
+		$query .= " WHERE (ag.site_guid = $site_id OR ag.site_guid = 0)";
+		$query .= " AND (ag.owner_guid = $user_id)";
+
 		$collections = get_data($query);
 		if ($collections) {
 			foreach ($collections as $collection) {
-				$tmp_access_array[$collection->id] = $collection->name;
+				$access_array[$collection->id] = $collection->name;
 			}
 		}
 
-		$access_array[$user_id] = $tmp_access_array;
-	} else {
-		$tmp_access_array = $access_array[$user_id];
+		if ($init_finished) {
+			$cache[$hash] = $access_array;
+		}
 	}
 
-	$options = array('user_id' => $user_id, 'site_id' => $site_id);
-	$tmp_access_array = elgg_trigger_plugin_hook('access:collections:write', 'user',
-		$options, $tmp_access_array);
-
-	return $tmp_access_array;
+	$options = array(
+		'user_id' => $user_id,
+		'site_id' => $site_id
+	);
+	return elgg_trigger_plugin_hook('access:collections:write', 'user',
+		$options, $access_array);
 }
 
 /**
@@ -871,6 +906,8 @@ function get_readable_access_level($entity_access_id) {
  * @tip Use this to access entities in automated scripts
  * when no user is logged in.
  *
+ * @note This clears the access cache.
+ *
  * @warning This will not show disabled entities.
  * Use {@link access_show_hidden_entities()} to access disabled entities.
  *
@@ -882,6 +919,8 @@ function get_readable_access_level($entity_access_id) {
  * @see elgg_get_ignore_access()
  */
 function elgg_set_ignore_access($ignore = true) {
+	$cache = _elgg_get_access_cache();
+	$cache->clear();
 	$elgg_access = elgg_get_access_object();
 	return $elgg_access->setIgnoreAccess($ignore);
 }
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 3f23f079c..35ab5599d 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -233,6 +233,7 @@ function admin_init() {
 	elgg_register_action('admin/site/update_basic', '', 'admin');
 	elgg_register_action('admin/site/update_advanced', '', 'admin');
 	elgg_register_action('admin/site/flush_cache', '', 'admin');
+	elgg_register_action('admin/site/unlock_upgrade', '', 'admin');
 
 	elgg_register_action('admin/menu/save', '', 'admin');
 
@@ -422,7 +423,7 @@ function admin_pagesetup() {
 		elgg_register_menu_item('admin_footer', array(
 			'name' => 'community_forums',
 			'text' => elgg_echo('admin:footer:community_forums'),
-			'href' => 'http://community.elgg.org/pg/groups/world/',
+			'href' => 'http://community.elgg.org/groups/all/',
 		));
 
 		elgg_register_menu_item('admin_footer', array(
diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 2036ccd61..3b9f84703 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -316,8 +316,6 @@ function elgg_list_annotations($options) {
  *
  *  annotation_owner_guids => NULL|ARR guids for annotaiton owners
  *
- *  annotation_ids => NULL|ARR Annotation IDs
- *
  * @return mixed If count, int. If not count, array. false on errors.
  * @since 1.7.0
  */
@@ -336,8 +334,6 @@ function elgg_get_entities_from_annotations(array $options = array()) {
 
 		'annotation_owner_guids'				=>	ELGG_ENTITIES_ANY_VALUE,
 
-		'annotation_ids'						=>	ELGG_ENTITIES_ANY_VALUE,
-
 		'order_by'								=>	'maxtime desc',
 		'group_by'								=>	'a.entity_guid'
 	);
@@ -345,12 +341,13 @@ function elgg_get_entities_from_annotations(array $options = array()) {
 	$options = array_merge($defaults, $options);
 
 	$singulars = array('annotation_name', 'annotation_value',
-	'annotation_name_value_pair', 'annotation_owner_guid', 'annotation_id');
+	'annotation_name_value_pair', 'annotation_owner_guid');
 
 	$options = elgg_normalise_plural_options_array($options, $singulars);
+	$options = elgg_entities_get_metastrings_options('annotation', $options);
 
-	if (!$options = elgg_entities_get_metastrings_options('annotation', $options)) {
-		return FALSE;
+	if (!$options) {
+		return false;
 	}
 
 	// special sorting for annotations
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index dd3cba25d..540605876 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -710,9 +710,12 @@ function elgg_register_event_handler($event, $object_type, $callback, $priority
  */
 function elgg_unregister_event_handler($event, $object_type, $callback) {
 	global $CONFIG;
-	foreach ($CONFIG->events[$event][$object_type] as $key => $event_callback) {
-		if ($event_callback == $callback) {
-			unset($CONFIG->events[$event][$object_type][$key]);
+
+	if (isset($CONFIG->events[$event]) && isset($CONFIG->events[$event][$object_type])) {
+		foreach ($CONFIG->events[$event][$object_type] as $key => $event_callback) {
+			if ($event_callback == $callback) {
+				unset($CONFIG->events[$event][$object_type][$key]);
+			}
 		}
 	}
 }
@@ -889,9 +892,12 @@ function elgg_register_plugin_hook_handler($hook, $type, $callback, $priority =
  */
 function elgg_unregister_plugin_hook_handler($hook, $entity_type, $callback) {
 	global $CONFIG;
-	foreach ($CONFIG->hooks[$hook][$entity_type] as $key => $hook_callback) {
-		if ($hook_callback == $callback) {
-			unset($CONFIG->hooks[$hook][$entity_type][$key]);
+
+	if (isset($CONFIG->hooks[$hook]) && isset($CONFIG->hooks[$hook][$entity_type])) {
+		foreach ($CONFIG->hooks[$hook][$entity_type] as $key => $hook_callback) {
+			if ($hook_callback == $callback) {
+				unset($CONFIG->hooks[$hook][$entity_type][$key]);
+			}
 		}
 	}
 }
@@ -1073,8 +1079,8 @@ function _elgg_php_error_handler($errno, $errmsg, $filename, $linenum, $vars) {
 		case E_USER_WARNING :
 		case E_RECOVERABLE_ERROR: // (e.g. type hint violation)
 			
-			// check if the error wasn't suppressed by @-functionname
-			if(error_reporting()){
+			// check if the error wasn't suppressed by the error control operator (@)
+			if (error_reporting()) {
 				error_log("PHP WARNING: $error");
 			}
 			break;
diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index fda554388..ce736ce05 100644
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -773,7 +773,13 @@ function get_entity($guid) {
 		}
 	}
 
-	$new_entity = entity_row_to_elggstar($entity_row);
+	// don't let incomplete entities cause fatal exceptions
+	try {
+		$new_entity = entity_row_to_elggstar($entity_row);
+	} catch (IncompleteEntityException $e) {
+		return false;
+	}
+
 	if ($new_entity) {
 		cache_entity($new_entity);
 	}
@@ -1018,7 +1024,12 @@ function elgg_get_entities(array $options = array()) {
 			$query .= " LIMIT $offset, $limit";
 		}
 
-		$dt = get_data($query, $options['callback']);
+		if ($options['callback'] === 'entity_row_to_elggstar') {
+			$dt = _elgg_fetch_entities_from_sql($query);
+		} else {
+			$dt = get_data($query, $options['callback']);
+		}
+
 		if ($dt) {
 			// populate entity and metadata caches
 			$guids = array();
@@ -1047,6 +1058,97 @@ function elgg_get_entities(array $options = array()) {
 }
 
 /**
+ * Return entities from an SQL query generated by elgg_get_entities.
+ *
+ * @param string $sql
+ * @return ElggEntity[]
+ *
+ * @access private
+ * @throws LogicException
+ */
+function _elgg_fetch_entities_from_sql($sql) {
+	static $plugin_subtype;
+	if (null === $plugin_subtype) {
+		$plugin_subtype = get_subtype_id('object', 'plugin');
+	}
+
+	// Keys are types, values are columns that, if present, suggest that the secondary
+	// table is already JOINed
+	$types_to_optimize = array(
+		'object' => 'title',
+		'user' => 'password',
+		'group' => 'name',
+	);
+
+	$rows = get_data($sql);
+
+	// guids to look up in each type
+	$lookup_types = array();
+	// maps GUIDs to the $rows key
+	$guid_to_key = array();
+
+	if (isset($rows[0]->type, $rows[0]->subtype)
+			&& $rows[0]->type === 'object'
+			&& $rows[0]->subtype == $plugin_subtype) {
+		// Likely the entire resultset is plugins, which have already been optimized
+		// to JOIN the secondary table. In this case we allow retrieving from cache,
+		// but abandon the extra queries.
+		$types_to_optimize = array();
+	}
+
+	// First pass: use cache where possible, gather GUIDs that we're optimizing
+	foreach ($rows as $i => $row) {
+		if (empty($row->guid) || empty($row->type)) {
+			throw new LogicException('Entity row missing guid or type');
+		}
+		if ($entity = retrieve_cached_entity($row->guid)) {
+			$rows[$i] = $entity;
+			continue;
+		}
+		if (isset($types_to_optimize[$row->type])) {
+			// check if row already looks JOINed.
+			if (isset($row->{$types_to_optimize[$row->type]})) {
+				// Row probably already contains JOINed secondary table. Don't make another query just
+				// to pull data that's already there
+				continue;
+			}
+			$lookup_types[$row->type][] = $row->guid;
+			$guid_to_key[$row->guid] = $i;
+		}
+	}
+	// Do secondary queries and merge rows
+	if ($lookup_types) {
+		$dbprefix = elgg_get_config('dbprefix');
+	}
+	foreach ($lookup_types as $type => $guids) {
+		$set = "(" . implode(',', $guids) . ")";
+		$sql = "SELECT * FROM {$dbprefix}{$type}s_entity WHERE guid IN $set";
+		$secondary_rows = get_data($sql);
+		if ($secondary_rows) {
+			foreach ($secondary_rows as $secondary_row) {
+				$key = $guid_to_key[$secondary_row->guid];
+				// cast to arrays to merge then cast back
+				$rows[$key] = (object)array_merge((array)$rows[$key], (array)$secondary_row);
+			}
+		}
+	}
+	// Second pass to finish conversion
+	foreach ($rows as $i => $row) {
+		if ($row instanceof ElggEntity) {
+			continue;
+		} else {
+			try {
+				$rows[$i] = entity_row_to_elggstar($row);
+			} catch (IncompleteEntityException $e) {
+				// don't let incomplete entities throw fatal errors
+				unset($rows[$i]);
+			}
+		}
+	}
+	return $rows;
+}
+
+/**
  * Returns SQL where clause for type and subtype on main entity table
  *
  * @param string     $table    Entity table prefix as defined in SELECT...FROM entities $table
diff --git a/engine/lib/group.php b/engine/lib/group.php
index feb1f1e7f..5a38e1ea6 100644
--- a/engine/lib/group.php
+++ b/engine/lib/group.php
@@ -33,6 +33,7 @@ function get_group_entity_as_row($guid) {
  * @param string $description Description
  *
  * @return bool
+ * @access private
  */
 function create_group_entity($guid, $name, $description) {
 	global $CONFIG;
@@ -247,48 +248,42 @@ function get_users_membership($user_guid) {
 }
 
 /**
- * Checks access to a group.
+ * May the current user access item(s) on this page? If the page owner is a group,
+ * membership, visibility, and logged in status are taken into account.
  *
  * @param boolean $forward If set to true (default), will forward the page;
  *                         if set to false, will return true or false.
  *
- * @return true|false If $forward is set to false.
+ * @return bool If $forward is set to false.
  */
 function group_gatekeeper($forward = true) {
-	$allowed = true;
-	$url = '';
-
-	if ($group = elgg_get_page_owner_entity()) {
-		if ($group instanceof ElggGroup) {
-			$url = $group->getURL();
-			if (!$group->isPublicMembership()) {
-				// closed group so must be member or an admin
-
-				if (!elgg_is_logged_in()) {
-					$allowed = false;
-					if ($forward == true) {
-						$_SESSION['last_forward_from'] = current_page_url();
-						register_error(elgg_echo('loggedinrequired'));
-						forward('', 'login');
-					}
-				} else if (!$group->isMember(elgg_get_logged_in_user_entity())) {
-					$allowed = false;
-				}
 
-				// Admin override
-				if (elgg_is_admin_logged_in()) {
-					$allowed = true;
-				}
-			}
-		}
+	$page_owner_guid = elgg_get_page_owner_guid();
+	if (!$page_owner_guid) {
+		return true;
 	}
+	$visibility = ElggGroupItemVisibility::factory($page_owner_guid);
 
-	if ($forward && $allowed == false) {
-		register_error(elgg_echo('membershiprequired'));
-		forward($url, 'member');
+	if (!$visibility->shouldHideItems) {
+		return true;
+	}
+	if ($forward) {
+		// only forward to group if user can see it
+		$group = get_entity($page_owner_guid);
+		$forward_url = $group ? $group->getURL() : '';
+
+		if (!elgg_is_logged_in()) {
+			$_SESSION['last_forward_from'] = current_page_url();
+			$forward_reason = 'login';
+		} else {
+			$forward_reason = 'member';
+		}
+
+		register_error(elgg_echo($visibility->reasonHidden));
+		forward($forward_url, $forward_reason);
 	}
 
-	return $allowed;
+	return false;
 }
 
 /**
diff --git a/engine/lib/navigation.php b/engine/lib/navigation.php
index 8c3952594..86624cd7c 100644
--- a/engine/lib/navigation.php
+++ b/engine/lib/navigation.php
@@ -308,6 +308,32 @@ function elgg_site_menu_setup($hook, $type, $return, $params) {
 			$return['more'] = array_splice($return['default'], $max_display_items);
 		}
 	}
+	
+	// check if we have anything selected
+	$selected = false;
+	foreach ($return as $section_name => $section) {
+		foreach ($section as $key => $item) {
+			if ($item->getSelected()) {
+				$selected = true;
+				break 2;
+			}
+		}
+	}
+	
+	if (!$selected) {
+		// nothing selected, match name to context
+		foreach ($return as $section_name => $section) {
+			foreach ($section as $key => $item) {
+				// only highlight internal links
+				if (strpos($item->getHref(), elgg_get_site_url()) === 0) {
+					if ($item->getName() == elgg_get_context()) {
+						$return[$section_name][$key]->setSelected(true);
+						break 2;
+					}
+				}
+			}
+		}
+	}
 
 	return $return;
 }
diff --git a/engine/lib/objects.php b/engine/lib/objects.php
index f186c66cb..e5e8f67c4 100644
--- a/engine/lib/objects.php
+++ b/engine/lib/objects.php
@@ -31,6 +31,7 @@ function get_object_entity_as_row($guid) {
  * @param string $description The object's description
  *
  * @return bool
+ * @access private
  */
 function create_object_entity($guid, $title, $description) {
 	global $CONFIG;
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 352de863b..9295f2173 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -16,7 +16,7 @@
  **/
 function parse_urls($text) {
 	// @todo this causes problems with <attr = "val">
-	// must be ing <attr="val"> format (no space).
+	// must be in <attr="val"> format (no space).
 	// By default htmlawed rewrites tags to this format.
 	// if PHP supported conditional negative lookbehinds we could use this:
 	// $r = preg_replace_callback('/(?<!=)(?<![ ])?(?<!["\'])((ht|f)tps?:\/\/[^\s\r\n\t<>"\'\!\(\),]+)/i',
@@ -43,51 +43,26 @@ function parse_urls($text) {
 
 /**
  * Create paragraphs from text with line spacing
- * Borrowed from Wordpress.
  *
  * @param string $pee The string
- * @param bool   $br  Add BRs?
+ * @deprecated Use elgg_autop instead
+ * @todo Add deprecation warning in 1.9
  *
- * @todo Rewrite
  * @return string
  **/
-function autop($pee, $br = 1) {
-	$pee = $pee . "\n"; // just to make things a little easier, pad the end
-	$pee = preg_replace('|<br />\s*<br />|', "\n\n", $pee);
-	// Space things out a little
-	$allblocks = '(?:table|thead|tfoot|caption|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|form|map|area|blockquote|address|math|style|input|p|h[1-6]|hr)';
-	$pee = preg_replace('!(<' . $allblocks . '[^>]*>)!', "\n$1", $pee);
-	$pee = preg_replace('!(</' . $allblocks . '>)!', "$1\n\n", $pee);
-	$pee = str_replace(array("\r\n", "\r"), "\n", $pee); // cross-platform newlines
-	if (strpos($pee, '<object') !== false) {
-		$pee = preg_replace('|\s*<param([^>]*)>\s*|', "<param$1>", $pee); // no pee inside object/embed
-		$pee = preg_replace('|\s*</embed>\s*|', '</embed>', $pee);
-	}
-	$pee = preg_replace("/\n\n+/", "\n\n", $pee); // take care of duplicates
-	$pee = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "<p>$1</p>\n", $pee); // make paragraphs, including one at the end
-	$pee = preg_replace('|<p>\s*?</p>|', '', $pee); // under certain strange conditions it could create a P of entirely whitespace
-	$pee = preg_replace('!<p>([^<]+)\s*?(</(?:div|address|form)[^>]*>)!', "<p>$1</p>$2", $pee);
-	$pee = preg_replace('|<p>|', "$1<p>", $pee);
-	$pee = preg_replace('!<p>\s*(</?' . $allblocks . '[^>]*>)\s*</p>!', "$1", $pee); // don't pee all over a tag
-	$pee = preg_replace("|<p>(<li.+?)</p>|", "$1", $pee); // problem with nested lists
-	$pee = preg_replace('|<p><blockquote([^>]*)>|i', "<blockquote$1><p>", $pee);
-	$pee = str_replace('</blockquote></p>', '</p></blockquote>', $pee);
-	$pee = preg_replace('!<p>\s*(</?' . $allblocks . '[^>]*>)!', "$1", $pee);
-	$pee = preg_replace('!(</?' . $allblocks . '[^>]*>)\s*</p>!', "$1", $pee);
-	if ($br) {
-		$pee = preg_replace_callback('/<(script|style).*?<\/\\1>/s', create_function('$matches', 'return str_replace("\n", "<WPPreserveNewline />", $matches[0]);'), $pee);
-		$pee = preg_replace('|(?<!<br />)\s*\n|', "<br />\n", $pee); // optionally make line breaks
-		$pee = str_replace('<WPPreserveNewline />', "\n", $pee);
-	}
-	$pee = preg_replace('!(</?' . $allblocks . '[^>]*>)\s*<br />!', "$1", $pee);
-	$pee = preg_replace('!<br />(\s*</?(?:p|li|div|dl|dd|dt|th|pre|td|ul|ol)[^>]*>)!', '$1', $pee);
-	//if (strpos($pee, '<pre') !== false) {
-	//	mind the space between the ? and >.  Only there because of the comment.
-	//	$pee = preg_replace_callback('!(<pre.*? >)(.*?)</pre>!is', 'clean_pre', $pee );
-	//}
-	$pee = preg_replace("|\n</p>$|", '</p>', $pee);
-
-	return $pee;
+function autop($pee) {
+	return elgg_autop($pee);
+}
+
+/**
+ * Create paragraphs from text with line spacing
+ *
+ * @param string $string The string
+ *
+ * @return string
+ **/
+function elgg_autop($string) {
+	return ElggAutoP::getInstance()->process($string);
 }
 
 /**
@@ -312,6 +287,8 @@ function elgg_get_friendly_title($title) {
 
 	// handle some special cases
 	$title = str_replace('&amp;', 'and', $title);
+	// quotes and angle brackets stored in the database as html encoded
+	$title = htmlspecialchars_decode($title);
 
 	$title = ElggTranslit::urlize($title);
 
@@ -384,7 +361,7 @@ function elgg_get_friendly_time($time) {
 /**
  * Strip tags and offer plugins the chance.
  * Plugins register for output:strip_tags plugin hook.
- * 	Original string included in $params['original_string']
+ * Original string included in $params['original_string']
  *
  * @param string $string Formatted string
  *
@@ -440,3 +417,32 @@ function _elgg_html_decode($string) {
 	);
 	return $string;
 }
+
+/**
+ * Unit tests for Output
+ *
+ * @param sting  $hook   unit_test
+ * @param string $type   system
+ * @param mixed  $value  Array of tests
+ * @param mixed  $params Params
+ *
+ * @return array
+ * @access private
+ */
+function output_unit_test($hook, $type, $value, $params) {
+	global $CONFIG;
+	$value[] = $CONFIG->path . 'engine/tests/api/output.php';
+	return $value;
+}
+
+/**
+ * Initialise the Output subsystem.
+ *
+ * @return void
+ * @access private
+ */
+function output_init() {
+	elgg_register_plugin_hook_handler('unit_test', 'system', 'output_unit_test');
+}
+
+elgg_register_event_handler('init', 'system', 'output_init');
diff --git a/engine/lib/pageowner.php b/engine/lib/pageowner.php
index 0cf0e0625..94765feee 100644
--- a/engine/lib/pageowner.php
+++ b/engine/lib/pageowner.php
@@ -37,6 +37,8 @@ function elgg_get_page_owner_guid($guid = 0) {
 /**
  * Gets the owner entity for the current page.
  *
+ * @note Access is disabled when getting the page owner entity.
+ *
  * @return ElggEntity|false The current page owner or false if none.
  *
  * @since 1.8.0
@@ -44,10 +46,14 @@ function elgg_get_page_owner_guid($guid = 0) {
 function elgg_get_page_owner_entity() {
 	$guid = elgg_get_page_owner_guid();
 	if ($guid > 0) {
-		return get_entity($guid);
+		$ia = elgg_set_ignore_access(true);
+		$owner = get_entity($guid);
+		elgg_set_ignore_access($ia);
+
+		return $owner;
 	}
 
-	return FALSE;
+	return false;
 }
 
 /**
@@ -75,6 +81,8 @@ function elgg_set_page_owner_guid($guid) {
  *   <handler>/edit/<entity guid>
  *   <handler>/group/<group guid>
  *
+ * @note Access is disabled while finding the page owner for the group gatekeeper functions.
+ *
  *
  * @param string $hook        'page_owner'
  * @param string $entity_type 'system'
@@ -90,6 +98,8 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 		return $returnvalue;
 	}
 
+	$ia = elgg_set_ignore_access(true);
+
 	$username = get_input("username");
 	if ($username) {
 		// @todo using a username of group:<guid> is deprecated
@@ -97,6 +107,7 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 			preg_match('/group\:([0-9]+)/i', $username, $matches);
 			$guid = $matches[1];
 			if ($entity = get_entity($guid)) {
+				elgg_set_ignore_access($ia);
 				return $entity->getGUID();
 			}
 		}
@@ -109,6 +120,7 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 	$owner = get_input("owner_guid");
 	if ($owner) {
 		if ($user = get_entity($owner)) {
+			elgg_set_ignore_access($ia);
 			return $user->getGUID();
 		}
 	}
@@ -130,6 +142,7 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 				case 'friends':
 					$user = get_user_by_username($segments[2]);
 					if ($user) {
+						elgg_set_ignore_access($ia);
 						return $user->getGUID();
 					}
 					break;
@@ -137,6 +150,7 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 				case 'edit':
 					$entity = get_entity($segments[2]);
 					if ($entity) {
+						elgg_set_ignore_access($ia);
 						return $entity->getContainerGUID();
 					}
 					break;
@@ -144,6 +158,7 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 				case 'group':
 					$entity = get_entity($segments[2]);
 					if ($entity) {
+						elgg_set_ignore_access($ia);
 						return $entity->getGUID();
 					}
 					break;
@@ -151,7 +166,7 @@ function default_page_owner_handler($hook, $entity_type, $returnvalue, $params)
 		}
 	}
 
-	return $returnvalue;
+	elgg_set_ignore_access($ia);
 }
 
 /**
diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php
index ca4a957f4..94aff277e 100644
--- a/engine/lib/plugins.php
+++ b/engine/lib/plugins.php
@@ -208,6 +208,7 @@ function elgg_get_plugin_from_id($plugin_id) {
 		'type' => 'object',
 		'subtype' => 'plugin',
 		'joins' => array("JOIN {$db_prefix}objects_entity oe on oe.guid = e.guid"),
+		'selects' => array("oe.title", "oe.description"),
 		'wheres' => array("oe.title = '$plugin_id'"),
 		'limit' => 1
 	);
diff --git a/engine/lib/private_settings.php b/engine/lib/private_settings.php
index 1fa9bdb66..7541f7b3b 100644
--- a/engine/lib/private_settings.php
+++ b/engine/lib/private_settings.php
@@ -349,11 +349,6 @@ function set_private_setting($entity_guid, $name, $value) {
 	$name = sanitise_string($name);
 	$value = sanitise_string($value);
 
-	$entity = get_entity($entity_guid);
-	if (!$entity instanceof ElggEntity) {
-		return false;
-	}
-
 	$result = insert_data("INSERT into {$CONFIG->dbprefix}private_settings
 		(entity_guid, name, value) VALUES
 		($entity_guid, '$name', '$value')
diff --git a/engine/lib/sites.php b/engine/lib/sites.php
index 8b772668d..d9eb2d25e 100644
--- a/engine/lib/sites.php
+++ b/engine/lib/sites.php
@@ -58,6 +58,7 @@ function get_site_entity_as_row($guid) {
  * @param string $url         URL of the site
  *
  * @return bool
+ * @access private
  */
 function create_site_entity($guid, $name, $description, $url) {
 	global $CONFIG;
diff --git a/engine/lib/upgrade.php b/engine/lib/upgrade.php
index f0874a483..f4f4b16f5 100644
--- a/engine/lib/upgrade.php
+++ b/engine/lib/upgrade.php
@@ -311,3 +311,58 @@ function elgg_upgrade_bootstrap_17_to_18() {
 
 	return elgg_set_processed_upgrades($processed_upgrades);
 }
+
+/**
+ * Creates a table {prefix}upgrade_lock that is used as a mutex for upgrades.
+ *
+ * @see _elgg_upgrade_lock()
+ *
+ * @return bool
+ * @access private
+ */
+function _elgg_upgrade_lock() {
+	global $CONFIG;
+	
+	if (!_elgg_upgrade_is_locked()) {
+		// lock it
+		insert_data("create table {$CONFIG->dbprefix}upgrade_lock (id INT)");
+		elgg_log('Locked for upgrade.', 'NOTICE');
+		return true;
+	}
+	
+	elgg_log('Cannot lock for upgrade: already locked.', 'WARNING');
+	return false;
+}
+
+/**
+ * Unlocks upgrade.
+ *
+ * @see _elgg_upgrade_lock()
+ *
+ * @access private
+ */
+function _elgg_upgrade_unlock() {
+	global $CONFIG;
+	delete_data("drop table {$CONFIG->dbprefix}upgrade_lock");
+	elgg_log('Upgrade unlocked.', 'NOTICE');
+}
+
+/**
+ * Checks if upgrade is locked
+ *
+ * @return bool
+ * @access private
+ */
+function _elgg_upgrade_is_locked() {
+	global $CONFIG, $DB_QUERY_CACHE;
+	
+	$is_locked = count(get_data("show tables like '{$CONFIG->dbprefix}upgrade_lock'"));
+	
+	// Invalidate query cache
+	if ($DB_QUERY_CACHE) {
+		$DB_QUERY_CACHE->clear();
+		elgg_log("Query cache invalidated", 'NOTICE');
+	}
+	
+	return $is_locked;
+}
diff --git a/engine/lib/upgrades/2011010101.php b/engine/lib/upgrades/2011010101.php
index a1ee92622..f4411ee20 100644
--- a/engine/lib/upgrades/2011010101.php
+++ b/engine/lib/upgrades/2011010101.php
@@ -93,4 +93,6 @@ $processed_upgrades[] = '2011010101.php';
 $processed_upgrades = array_unique($processed_upgrades);
 elgg_set_processed_upgrades($processed_upgrades);
 
+_elgg_upgrade_unlock();
+
 forward('upgrade.php');
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 527eff3cd..95ef9d176 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -44,6 +44,7 @@ function get_user_entity_as_row($guid) {
  * @param string $code     A code
  *
  * @return bool
+ * @access private
  */
 function create_user_entity($guid, $name, $username, $password, $salt, $email, $language, $code) {
 	global $CONFIG;
diff --git a/engine/lib/views.php b/engine/lib/views.php
index e24ccb942..01291b889 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -1236,6 +1236,15 @@ function elgg_view_river_item($item, array $vars = array()) {
 		// subject is disabled or subject/object deleted
 		return '';
 	}
+	// Don't hide objects in closed groups that a user can see.
+	// see http://trac.elgg.org/ticket/4789
+//	else {
+//		// hide based on object's container
+//		$visibility = ElggGroupItemVisibility::factory($object->container_guid);
+//		if ($visibility->shouldHideItems) {
+//			return '';
+//		}
+//	}
 
 	$vars['item'] = $item;
 
diff --git a/engine/lib/xml.php b/engine/lib/xml.php
index 813bc4ee0..ff82d7e8a 100644
--- a/engine/lib/xml.php
+++ b/engine/lib/xml.php
@@ -101,47 +101,11 @@ function serialise_array_to_xml(array $data, $n = 0) {
 
 /**
  * Parse an XML file into an object.
- * Based on code from http://de.php.net/manual/en/function.xml-parse-into-struct.php by
- * efredricksen at gmail dot com
  *
  * @param string $xml The XML
  *
  * @return object
  */
 function xml_to_object($xml) {
-	$parser = xml_parser_create();
-
-	// Parse $xml into a structure
-	xml_parser_set_option($parser, XML_OPTION_SKIP_WHITE, 1);
-	xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
-	xml_parse_into_struct($parser, $xml, $tags);
-
-	xml_parser_free($parser);
-
-	$elements = array();
-	$stack = array();
-
-	foreach ($tags as $tag) {
-		$index = count($elements);
-
-		if ($tag['type'] == "complete" || $tag['type'] == "open") {
-			$elements[$index] = new XmlElement;
-			$elements[$index]->name = $tag['tag'];
-			$elements[$index]->attributes = elgg_extract('attributes', $tag, '');
-			$elements[$index]->content = elgg_extract('value', $tag, '');
-
-			if ($tag['type'] == "open") {
-				$elements[$index]->children = array();
-				$stack[count($stack)] = &$elements;
-				$elements = &$elements[$index]->children;
-			}
-		}
-
-		if ($tag['type'] == "close") {
-			$elements = &$stack[count($stack) - 1];
-			unset($stack[count($stack) - 1]);
-		}
-	}
-
-	return $elements[0];
+	return new ElggXMLElement($xml);
 }