#3: Fixed a security issue where a user could move photos into an album they aren't allowed to upload photos into. Fixed the Select All|Select None links in the permissions drop-down

resources/views/themes/base/admin/create_album.blade.php

@@ -32,7 +32,7 @@
 
                     <div class="form-group">
                         <label class="form-control-label" for="album-description">@lang('forms.description_label')</label>
-                        <textarea class="form-control" id="album-description" name="description">{{ old('description') }}</textarea>
+                        <textarea class="form-control" id="album-description" name="description" rows="5">{{ old('description') }}</textarea>
                     </div>
 
                     <div class="form-group">

resources/views/themes/base/admin/show_album.blade.php

@@ -88,10 +88,12 @@
 
     // Populate the list of albums in the view model
     @foreach ($albums as $album)
-        editViewModel.data.albums.push({
-            'id': '{{ $album->id }}',
-            'name': '{!! addslashes($album->name) !!}'
-        });
+        @if(Gate::check('edit', $album) && Gate::check('upload-photos', $album))
+            editViewModel.data.albums.push({
+                'id': '{{ $album->id }}',
+                'name': '{!! addslashes($album->name) !!}'
+            });
+        @endif
     @endforeach
 
     $(document).ready(function() {
@@ -124,11 +126,11 @@
 
         {{-- Select All/None links on the permissions tab --}}
         $('a.select-all').click(function() {
-            $('input:checkbox', $(this).closest('.panel-body')).prop('checked', true);
+            $('input:checkbox', $(this).closest('.card-block')).prop('checked', true);
             return false;
         });
         $('a.select-none').click(function() {
-            $('input:checkbox', $(this).closest('.panel-body')).prop('checked', false);
+            $('input:checkbox', $(this).closest('.card-block')).prop('checked', false);
             return false;
         });