fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-09 20:12:14 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix unauthorized manipulation of documents via procDocumentManageCheckedDocument

Browse source 
xpressengine/xe-core#2044
This commit is contained in:
Kijin Sung 2017-03-02 00:05:06 +09:00
parent dc84dd1310
commit 1bd32d8d71
1 changed files with 51 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

82
modules/document/document.controller.php
View file

@ -2480,22 +2480,20 @@ class documentController extends document
{ {
@set_time_limit(0); @set_time_limit(0);
if(!Context::get('is_logged')) return new Object(-1,'msg_not_permitted'); if(!Context::get('is_logged')) return new Object(-1,'msg_not_permitted');
$logged_info = Context::get('logged_info');
if(!checkCSRF()) // Get request parameters.
{ $cart = Context::get('cart');
return new Object(-1, 'msg_invalid_request'); if(!is_array($cart)) $cart = explode('|@|', $cart);
} $cart = array_unique(array_map('intval', $cart));
$type = Context::get('type'); $type = Context::get('type');
$target_module = Context::get('target_module'); $target_module_srl = Context::get('module_srl') ?: Context::get('target_module');
$module_srl = Context::get('module_srl'); $target_category_srl = Context::get('target_category');
if($target_module && !$module_srl) $module_srl = $target_module;
$category_srl = Context::get('target_category');
// send default message - misol 2015-07-23 // send default message - misol 2015-07-23
$send_default_message = Context::get('send_default_message'); $send_default_message = Context::get('send_default_message');
if($send_default_message === 'Y') if($send_default_message === 'Y')
{ {
$logged_info = Context::get('logged_info');
$message_content = ''; $message_content = '';
$default_message_verbs = lang('default_message_verbs'); $default_message_verbs = lang('default_message_verbs');
if(isset($default_message_verbs[$type]) && is_string($default_message_verbs[$type])) if(isset($default_message_verbs[$type]) && is_string($default_message_verbs[$type]))
@ -2509,31 +2507,54 @@ class documentController extends document
if($message_content) $message_content = nl2br($message_content); if($message_content) $message_content = nl2br($message_content);
} }
$cart = Context::get('cart'); // Check permissions on all documents.
if(!is_array($cart)) $document_srl_list = explode('|@|', $cart);
else $document_srl_list = $cart;
$document_srl_count = count($document_srl_list);
$oDocumentModel = getModel('document');
$document_items = array(); $document_items = array();
foreach($document_srl_list as $document_srl) $document_srl_list = array();
$module_srl_list = array();
$oDocumentModel = getModel('document');
foreach ($cart as $document_srl)
{ {
$oDocument = $oDocumentModel->getDocument($document_srl); $oDocument = $oDocumentModel->getDocument($document_srl);
$document_items[] = $oDocument; $document_items[] = $oDocument;
if(!$oDocument->isGranted()) return $this->stop('msg_not_permitted'); $document_srl_list[] = $document_srl;
$module_srl_list[] = $oDocument->get('module_srl');
if (!$oDocument->isGranted())
{
return $this->stop('msg_not_permitted');
}
}
// Check permissions on all modules.
$oModuleModel = getModel('module');
if (!in_array($target_module_srl, $module_srl_list))
{
$module_srl_list[] = $target_module_srl;
}
foreach ($module_srl_list as $module_srl)
{
$module_info = $oModuleModel->getModuleInfoByModuleSrl($module_srl);
if (!$module_info->module_srl)
{
return new Object(-1, 'msg_invalid_request');
}
$module_grant = $oModuleModel->getGrant($module_info, $logged_info);
if (!$module_grant->manager)
{
return new Object(-1, 'msg_not_permitted');
}
} }
// Set a spam-filer not to be filtered to spams // Set a spam-filer not to be filtered to spams
$oSpamController = getController('spamfilter'); $oSpamController = getController('spamfilter');
$oSpamController->setAvoidLog(); $oSpamController->setAvoidLog();
$oDocumentAdminController = getAdminController('document');
if($type == 'move') if($type == 'move')
{ {
if(!$module_srl) return new Object(-1, 'fail_to_move'); if(!$target_module_srl) return new Object(-1, 'fail_to_move');
$output = $oDocumentAdminController->moveDocumentModule($document_srl_list, $module_srl, $category_srl); $oDocumentAdminController = getAdminController('document');
$output = $oDocumentAdminController->moveDocumentModule($document_srl_list, $target_module_srl, $target_category_srl);
if(!$output->toBool()) return new Object(-1, 'fail_to_move'); if(!$output->toBool()) return new Object(-1, 'fail_to_move');
$msg_code = 'success_moved'; $msg_code = 'success_moved';
@ -2541,9 +2562,10 @@ class documentController extends document
} }
else if($type == 'copy') else if($type == 'copy')
{ {
if(!$module_srl) return new Object(-1, 'fail_to_move'); if(!$target_module_srl) return new Object(-1, 'fail_to_move');
$output = $oDocumentAdminController->copyDocumentModule($document_srl_list, $module_srl, $category_srl); $oDocumentAdminController = getAdminController('document');
$output = $oDocumentAdminController->copyDocumentModule($document_srl_list, $target_module_srl, $target_category_srl);
if(!$output->toBool()) return new Object(-1, 'fail_to_move'); if(!$output->toBool()) return new Object(-1, 'fail_to_move');
$msg_code = 'success_copied'; $msg_code = 'success_copied';
@ -2552,9 +2574,8 @@ class documentController extends document
{ {
$oDB = &DB::getInstance(); $oDB = &DB::getInstance();
$oDB->begin(); $oDB->begin();
for($i=0;$i<$document_srl_count;$i++) foreach ($document_srl_list as $document_srl)
{ {
$document_srl = $document_srl_list[$i];
$output = $this->deleteDocument($document_srl, true); $output = $this->deleteDocument($document_srl, true);
if(!$output->toBool()) return new Object(-1, 'fail_to_delete'); if(!$output->toBool()) return new Object(-1, 'fail_to_delete');
} }
@ -2568,8 +2589,9 @@ class documentController extends document
$oDB = &DB::getInstance(); $oDB = &DB::getInstance();
$oDB->begin(); $oDB->begin();
for($i=0;$i<$document_srl_count;$i++) { foreach ($document_srl_list as $document_srl)
$args->document_srl = $document_srl_list[$i]; {
$args->document_srl = $document_srl;
$output = $this->moveDocumentToTrash($args); $output = $this->moveDocumentToTrash($args);
if(!$output || !$output->toBool()) return new Object(-1, 'fail_to_trash'); if(!$output || !$output->toBool()) return new Object(-1, 'fail_to_trash');
} }
@ -2587,11 +2609,7 @@ class documentController extends document
// Send a message // Send a message
if($message_content) if($message_content)
{ {
$oCommunicationController = getController('communication'); $oCommunicationController = getController('communication');
$logged_info = Context::get('logged_info');
$title = cut_str($message_content,10,'...'); $title = cut_str($message_content,10,'...');
$sender_member_srl = $logged_info->member_srl; $sender_member_srl = $logged_info->member_srl;