Fix editor module to prevent modification of editor config by non-admins

modules/editor/editor.controller.php

@@ -80,10 +80,30 @@ class editorController extends editor
 	 */
 	function procEditorInsertModuleConfig()
 	{
-		$module_srl = Context::get('target_module_srl');
 		// To configure many of modules at once
-		if(preg_match('/^([0-9,]+)$/',$module_srl)) $module_srl = explode(',',$module_srl);
-		else $module_srl = array($module_srl);
+		$target_module_srl = Context::get('target_module_srl');
+		$target_module_srl = array_map('trim', explode(',', $target_module_srl));
+		$logged_info = Context::get('logged_info');
+		$module_srl = array();
+		$oModuleModel = getModel('module');
+		foreach ($target_module_srl as $srl)
+		{
+			if (!$srl) continue;
+			
+			$module_info = $oModuleModel->getModuleInfoByModuleSrl($srl);
+			if (!$module_info->module_srl)
+			{
+				return new Object(-1, 'msg_invalid_request');
+			}
+			
+			$module_grant = $oModuleModel->getGrant($module_info, $logged_info);
+			if (!$module_grant->manager)
+			{
+				return new Object(-1, 'msg_not_permitted');
+			}
+			
+			$module_srl[] = $srl;
+		}
 
 		$editor_config = new stdClass;
 		$editor_config->default_editor_settings = Context::get('default_editor_settings');
@@ -134,10 +154,8 @@ class editorController extends editor
 		if($editor_config->enable_autosave != 'Y') $editor_config->enable_autosave = 'N';
 
 		$oModuleController = getController('module');
-		for($i=0;$i<count($module_srl);$i++)
+		foreach ($module_srl as $srl)
 		{
-			$srl = trim($module_srl[$i]);
-			if(!$srl) continue;
 			$oModuleController->insertModulePartConfig('editor',$srl,$editor_config);
 		}