fix #1731 Admin 액션에 checkCSRF() 적용

bnu 2015-09-04 13:16:22 +09:00
parent a87efd502c
commit 068ce27fb8


@ -116,7 +116,6 @@ class ModuleHandler extends Handler
* */ * */
function init() function init()
{ {
$oModuleModel = getModel('module'); $oModuleModel = getModel('module');
$site_module_info = Context::get('site_module_info'); $site_module_info = Context::get('site_module_info');
@ -317,13 +316,13 @@ class ModuleHandler extends Handler
function procModule() function procModule()
{ {
$oModuleModel = getModel('module'); $oModuleModel = getModel('module');
$display_mode = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
// If error occurred while preparation, return a message instance // If error occurred while preparation, return a message instance
if($this->error) if($this->error)
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -359,8 +358,7 @@ class ModuleHandler extends Handler
$this->httpStatusCode = '404'; $this->httpStatusCode = '404';
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -397,7 +395,7 @@ class ModuleHandler extends Handler
if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList)) if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
{ {
$this->error = "msg_invalid_request"; $this->error = "msg_invalid_request";
$oMessageObject = ModuleHandler::getModuleInstance('message', 'view'); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -410,13 +408,24 @@ class ModuleHandler extends Handler
Mobile::setMobile(FALSE); Mobile::setMobile(FALSE);
} }
// Admin ip
$logged_info = Context::get('logged_info'); $logged_info = Context::get('logged_info');
// check CSRF for admin actions
if($kind === 'admin' && Context::getRequestMethod() === 'POST' && !checkCSRF()) {
$this->error = 'msg_invalid_request';
$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage();
return $oMessageObject;
}
// Admin ip
if($kind == 'admin' && $_SESSION['denied_admin'] == 'Y') if($kind == 'admin' && $_SESSION['denied_admin'] == 'Y')
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$this->error = "msg_not_permitted_act"; $this->error = "msg_not_permitted_act";
$oMessageObject = ModuleHandler::getModuleInstance('message', $type); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -446,8 +455,7 @@ class ModuleHandler extends Handler
if(!is_object($oModule)) if(!is_object($oModule))
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -466,7 +474,7 @@ class ModuleHandler extends Handler
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$this->error = 'msg_invalid_request'; $this->error = 'msg_invalid_request';
$oMessageObject = ModuleHandler::getModuleInstance('message', $type); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -495,7 +503,7 @@ class ModuleHandler extends Handler
else else
{ {
$this->error = 'msg_invalid_request'; $this->error = 'msg_invalid_request';
$oMessageObject = ModuleHandler::getModuleInstance('message', 'view'); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -537,9 +545,8 @@ class ModuleHandler extends Handler
if(!is_object($oModule)) if(!is_object($oModule))
{ {
$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$oMessageObject = ModuleHandler::getModuleInstance('message', $type); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage('msg_module_is_not_exists'); $oMessageObject->setMessage('msg_module_is_not_exists');
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -569,7 +576,7 @@ class ModuleHandler extends Handler
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$this->error = 'msg_is_not_administrator'; $this->error = 'msg_is_not_administrator';
$oMessageObject = ModuleHandler::getModuleInstance('message', $type); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -583,7 +590,7 @@ class ModuleHandler extends Handler
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$this->error = 'msg_is_not_manager'; $this->error = 'msg_is_not_manager';
$oMessageObject = ModuleHandler::getModuleInstance('message', 'view'); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
@ -595,7 +602,7 @@ class ModuleHandler extends Handler
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$this->error = 'msg_is_not_administrator'; $this->error = 'msg_is_not_administrator';
$oMessageObject = ModuleHandler::getModuleInstance('message', 'view'); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
$oMessageObject->setError(-1); $oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error); $oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
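Review bot: The new CSRF gate in procModule (the hunk at @ -410,13 +408,24 @@) is conditioned on `Context::getRequestMethod() === 'POST'`, so an admin action that is reachable with another method is not covered; the earlier `$allowedMethodList` check on line 39 shows that per-action methods other than POST are dispatched here, and a state-changing admin action invoked via GET would bypass checkCSRF() entirely. Unless every admin action is already restricted to POST elsewhere, consider inverting the condition to `Context::getRequestMethod() !== 'GET' && !checkCSRF()` (or deriving it from the action's allowed method list), after confirming checkCSRF() can validate the token for the other request methods this handler distinguishes. The new branch also omits `$this->_setInputErrorToContext();` that the sibling denied-admin branch below calls before building the message object; add it for consistency so the rejected request renders the same way. What `$kind` holds and how checkCSRF() validates the token are not visible in this diff; procModule starts and ends outside the hunk.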