История коммитов

Build complete breadcrumb chains on album/photo pages and their
actions so every page links back to the user's album list, the album
and (for photo actions) the photo.

- Insert the 'user albums' level (Your/User albums) and the album/photo
links on show, photo view, comments, upload, edit/create/delete album
and edit/move/delete photo pages.
- Inject User into the six write controllers to label the user level.
- Make the album name a plain leaf on the album page (was a self-link).

Escape audit of the album module (escape-on-output model).

- Escape the username and album URL in user_row.phtml (an XSS hole
affecting the album list and users pages); also escape the filter
links in users.phtml.
- Stop double-escaping album names/descriptions: checkout() already
runs htmlentities(), so drop it from PhotoPresenter::previewText
and presentDetail, UserAlbumsController, and the breadcrumb titles
in ShowAlbumController and PhotoCommentsController (the breadcrumbs
template escapes on render). Templates now escape these values once.
- Drop the now-unused Tools injection from UserAlbumsController and
PhotoCommentsController.

Move all album routes into one $router->group('') with a shared
AuthorizedUserMiddleware (mirroring the profile module) instead of
per-route middleware. Numeric path params use the inline {id:number}
syntax; the filter/type enum params keep explicit requirements.

All actions are migrated to the new architecture, so the legacy
front controller can go.

- Delete index.php, lib/Photo.php and the empty includes/ directory.
- Drop the legacy catch-all route (album.legacy); the Aura autoload
registration is removed with index.php.
- Point the sitemap album entry at /album (the migrated route).

Move the vote action to POST /album/photo/{img}/vote/{type} with CSRF.

- Add VoteType enum, EnsureVoteAccessUseCase (can_vote policy),
GetVotePhotoContextUseCase, VotePhotoUseCase and VotePhotoController.
- Add vote repository methods (hasUserVote/addVote) and atomic
vote counter increments on the photo repository.
- Update PhotoPresenter vote URLs and convert vote links to inline
POST forms in top/show/show_one templates.
- Remove legacy includes/vote.php and drop it from the dispatcher.

Add DeletePhotoController (GET confirm + POST submit) with CSRF token
validation, GetDeletePhotoContextUseCase guard (owner / rights>=6) and
DeletePhotoUseCase cascading file/vote/comment removal.

New route POST/GET /album/photo/{img}/delete replaces legacy
?act=image_delete; remove includes/image_delete.php and the legacy
image_delete.phtml template (reuse generic confirm_delete.phtml).

Add MovePhotoController (GET album picker + POST submit) with
GetMovePhotoContextUseCase guard (owner or rights>=6) and MovePhotoUseCase
validating the target album belongs to the photo owner and moving the photo
(inheriting the target album's access). New repository helpers
getUserAlbumsExcept and moveToAlbum. New routes GET+POST
/album/photo/{img}/move; drop the image_move action from the legacy dispatcher
and point the photo move link to the new URL.

Add EditPhotoController (GET form + POST save) with GetEditPhotoContextUseCase
guard (owner or rights>=6) and EditPhotoUseCase updating the description
(<=1500 chars) through AlbumPhotoRepository::updateDescription. New routes
GET+POST /album/photo/{img}/edit; drop the image_edit action from the legacy
dispatcher and point the photo edit link to the new URL.

Add UploadPhotoController (GET form + POST submit) with
GetUploadPhotoContextUseCase guard (owner not banned or rights>=7) and
UploadPhotoUseCase processing the image via Intervention ImageManager
(1920x1080 original + 400x300 blurred-backdrop thumbnail, 1:1 with legacy) and
persisting it through AlbumPhotoRepository::create. New routes
GET+POST /album/{al}/upload; drop the image_upload action from the legacy
dispatcher and point the album view upload button to the new URL.

Add SortAlbumController (move-up/move-down) with GetSortAlbumContextUseCase
guard (owner or rights>=7) and MoveAlbumUseCase swapping the sort value with
the neighbouring album. Convert the legacy GET action to POST routes
/album/{al}/move-up and /album/{al}/move-down protected by csrf_token; render
the list Up/Down controls as inline POST forms. Drop the sort action from the
legacy dispatcher.