From 51a910a3104a2f223b4d4dcce55c6df70e605169 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sun, 21 May 2023 19:51:41 +0900
Subject: [PATCH] Fix #2117: don't allow adding comments to secret posts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 비밀글이나 비밀댓글에 댓글이나 대댓글을 달 수 없도록 변경
- 댓글 작성을 시도중인 글이 부모댓글의 document_srl과 일치하는지 확인
- 문서 체크를 본문 내용 검증보다 먼저 수행
---
 modules/board/board.controller.php | 41 +++++++++++++++++-------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/modules/board/board.controller.php b/modules/board/board.controller.php
index 6bd316b04..4bbde3069 100644
--- a/modules/board/board.controller.php
+++ b/modules/board/board.controller.php
@@ -407,6 +407,20 @@ class boardController extends board
 // get the relevant data for inserting comment
 $obj = Context::getRequestVars();
+ // Check the document.
+ $oDocument = DocumentModel::getDocument($obj->document_srl);
+ if(!$oDocument->isExists())
+ {
+ throw new Rhymix\Framework\Exceptions\TargetNotFound;
+ }
+ if(!$oDocument->isAccessible())
+ {
+ throw new Rhymix\Framework\Exceptions\NotPermitted;
+ }
+
+ // Comments belong in the same module_srl as the document.
+ $obj->module_srl = $oDocument->get('module_srl');
+
 // Remove disallowed Unicode symbols.
 if ($this->module_info->filter_specialchars !== 'N')
 {
@@ -445,15 +459,6 @@ class boardController extends board
 $this->module_info->secret = 'N';
 }
- // check if the doument is existed
- $oDocument = DocumentModel::getDocument($obj->document_srl);
- if(!$oDocument->isExists())
- {
- throw new Rhymix\Framework\Exceptions\TargetNotFound;
- }
-
- $obj->module_srl = $oDocument->get('module_srl');
-
 // For anonymous use, remove writer's information and notifying information
 if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y'))
 {
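Review bot: The new gate on `$oDocument` only proves the caller may read the document; nothing in this hunk ties the document to the module whose grants the request was authorised under, yet `$obj->module_srl` is then overwritten from the document. If the enclosing method (which starts and ends outside this hunk) does not compare the two elsewhere, a caller with comment grant on one board could submit a `document_srl` from another board and have the comment stored under that board's `module_srl` using this board's grants — presumably `$this->module_info->module_srl` is the value to compare against. A one-line guard after the existence check, `if($oDocument->get('module_srl') != $this->module_info->module_srl) throw new Rhymix\Framework\Exceptions\NotPermitted;`, closes that and also makes the module_srl assignment below a plain restatement rather than a trust decision. The comment on the block should also say why it now runs before the content filtering, which only the commit message explains: `// Resolve and authorise the target document first, so nothing below processes input for a document the caller cannot see.`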
@@ -506,25 +511,27 @@ class boardController extends board
 // Update document last_update info?
 $update_document = $this->module_info->update_order_on_comment === 'N' ? false : true;
- // Parent exists.
+ // Check parent comment.
 if($obj->parent_srl)
 {
 $parent_comment = CommentModel::getComment($obj->parent_srl);
- if(!$parent_comment->comment_srl)
+ if(!$parent_comment->comment_srl || $parent_comment->get('document_srl') != $oDocument->get('document_srl'))
 {
 throw new Rhymix\Framework\Exceptions\TargetNotFound;
 }
+ if(!$parent_comment->isAccessible())
+ {
+ throw new Rhymix\Framework\Exceptions\NotPermitted;
+ }
 if($parent_comment->isSecret() && $this->module_info->secret === 'Y')
 {
 $obj->is_secret = 'Y';
 }
- $output = $oCommentController->insertComment($obj, $manual, $update_document);
- }
- // Parent does not exist.
- else
- {
- $output = $oCommentController->insertComment($obj, $manual, $update_document);
 }
+
+ // Insert comment.
+ $output = $oCommentController->insertComment($obj, $manual, $update_document);
+
 // Set grant for the new comment.
 if ($output->toBool())
 {
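Review bot: A reply inherits `is_secret = 'Y'` from a secret parent only while `$this->module_info->secret === 'Y'`, and the earlier hunk shows that flag being forced to `'N'` under a condition not visible here; in that state the new `isAccessible()` check still admits an authorised reader, but the reply is stored public and can expose the substance of a secret thread. Either refuse the reply in that case, `if($parent_comment->isSecret() && $this->module_info->secret !== 'Y') throw new Rhymix\Framework\Exceptions\NotPermitted;`, placed before the inheritance line, or inherit the flag unconditionally — which one is right depends on why the flag is cleared above. The new `document_srl` comparison uses loose `!=`; both sides are integer keys, so `(int)$parent_comment->get('document_srl') !== (int)$oDocument->get('document_srl')` states the intent and avoids PHP's numeric-string coercion rules. The enclosing method starts and ends outside this hunk.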