From 11d296b19d49384ad69a6e63c79531e0b7c7a61e Mon Sep 17 00:00:00 2001
From: devjin
Date: Mon, 15 Oct 2012 12:42:37 +0000
Subject: [PATCH] issue 2561 had deploy a patch. (contributor by dowon2308)

git-svn-id: http://xe-core.googlecode.com/svn/branches/luminous@11719 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 .../communication.controller.php | 16 ++++++++------
 modules/communication/communication.view.php | 21 +++++++++++++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/modules/communication/communication.controller.php b/modules/communication/communication.controller.php
index 3362ef2cd..7965872e1 100644
--- a/modules/communication/communication.controller.php
+++ b/modules/communication/communication.controller.php
@@ -195,12 +195,16 @@
 $oCommunicationModel = &getModel('communication');
 $message = $oCommunicationModel->getSelectedMessage($message_srl);
 if(!$message) return new Object(-1,'msg_invalid_request');
- // Check a message type if 'S' or 'R'
- if($message->sender_srl == $member_srl && $message->message_type == 'S') {
- if(!$message_srl) return new Object(-1, 'msg_invalid_request');
- } elseif($message->receiver_srl == $member_srl && $message->message_type == 'R') {
- if(!$message_srl) return new Object(-1, 'msg_invalid_request');
- }
+ // Check the grant
+ switch($message->message_type)
+ {
+ case 'S':
+ if($message->sender_srl != $member_srl) return new Object(-1, 'msg_invalid_request');
+ break;
+ case 'R':
+ if($message->receiver_srl != $member_srl) return new Object(-1, 'msg_invalid_request');
+ break;
+ }
 // Delete
 $args->message_srl = $message_srl;
 $output = executeQuery('communication.deleteMessage', $args);
diff --git a/modules/communication/communication.view.php b/modules/communication/communication.view.php
index 92cbeb236..d30d20214 100644
--- a/modules/communication/communication.view.php
+++ b/modules/communication/communication.view.php
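Review bot: The new `switch($message->message_type)` in the controller hunk has no `default:` and no `'T'` case, so a message whose type is anything other than 'S' or 'R' (the view hunk in this same commit explicitly handles 'T') reaches `executeQuery('communication.deleteMessage', $args)` without sender_srl or receiver_srl ever being compared against $member_srl. Denying by default and covering 'T' the same way the view does (either party may act on it) closes that gap. The enclosing method starts and ends outside the hunk, so where $member_srl and $message_srl are obtained is not visible here.
```php
switch($message->message_type)
{
    // … unchanged: 'S' and 'R' cases …
    case 'T':
        if($message->receiver_srl != $member_srl && $message->sender_srl != $member_srl) return new Object(-1, 'msg_invalid_request');
        break;
    default:
        return new Object(-1, 'msg_invalid_request');
}
```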
@@ -62,6 +62,27 @@
 if($message_srl) {
 $columnList = array('message_srl', 'sender_srl', 'receiver_srl', 'message_type', 'title', 'content', 'readed', 'regdate');
 $message = $oCommunicationModel->getSelectedMessage($message_srl, $columnList);
+ switch($message->message_type)
+ {
+ case 'R':
+ if($message->receiver_srl != $logged_info->member_srl)
+ {
+ return $this->stop('msg_invalid_request');
+ }
+ break;
+ case 'S':
+ if($message->sender_srl != $logged_info->member_srl)
+ {
+ return $this->stop('msg_invalid_request');
+ }
+ break;
+ case 'T':
+ if($message->receiver_srl != $logged_info->member_srl && $message->sender_srl != $logged_info->member_srl)
+ {
+ return $this->stop('msg_invalid_request');
+ }
+ break;
+ }
 if($message->message_srl == $message_srl && ($message->receiver_srl == $logged_info->member_srl || $message->sender_srl == $logged_info->member_srl) ) {
 stripEmbedTagForAdmin($message->content, $message->sender_srl);
 Context::set('message', $message);
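Review bot: `switch($message->message_type)` runs before anything confirms that getSelectedMessage() returned a message, so an unknown $message_srl dereferences a non-object on that line; the controller hunk guards the same call with `if(!$message) return ...`, and the view could do likewise with `if(!$message) return $this->stop('msg_invalid_request');` placed before the switch. The switch also has no `default:`, so a message_type outside 'R'/'S'/'T' is left to the pre-existing receiver/sender check on the following `if`, which appears to skip `Context::set('message', ...)` rather than stop the request; `default: return $this->stop('msg_invalid_request');` would make the denial explicit and consistent with the three cases above it. The enclosing method starts and ends outside the hunk, so the origin of $logged_info is not visible here.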