fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-07 02:31:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix incorrect permission check when check_var is set but mid is not

Browse source
This commit is contained in:
Kijin Sung 2025-06-16 23:36:32 +09:00
parent ad6aeb4c00
commit 5e9cf872e7
2 changed files with 29 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

26
classes/module/ModuleObject.class.php
View file

@ -254,15 +254,15 @@ class ModuleObject extends BaseObject
// Get privileges(granted) information for target module by <permission check> of module.xml // Get privileges(granted) information for target module by <permission check> of module.xml
if(($permission = $this->xml_info->action->{$this->act}->permission) && $permission->check_var) if(($permission = $this->xml_info->action->{$this->act}->permission) && $permission->check_var)
{ {
// Check parameter // Ensure that the list of modules to check is the right type and not empty
if(empty($check_module_srl = trim(Context::get($permission->check_var)))) $check_var = Context::get($permission->check_var);
if (is_scalar($check_var))
{
if (empty($check_module_srl = trim($check_var)))
{ {
return false; return false;
} }
// If value is not array
if(!is_array($check_module_srl))
{
// Convert string to array. delimiter is ,(comma) or |@| // Convert string to array. delimiter is ,(comma) or |@|
if(preg_match('/,|\|@\|/', $check_module_srl, $delimiter) && $delimiter[0]) if(preg_match('/,|\|@\|/', $check_module_srl, $delimiter) && $delimiter[0])
{ {
@ -273,6 +273,14 @@ class ModuleObject extends BaseObject
$check_module_srl = array($check_module_srl); $check_module_srl = array($check_module_srl);
} }
} }
else
{
$check_module_srl = array_map('trim', $check_var);
if (!count($check_var))
{
return false;
}
}
// Check permission by privileges(granted) information for target module // Check permission by privileges(granted) information for target module
foreach($check_module_srl as $target_srl) foreach($check_module_srl as $target_srl)
@ -295,7 +303,15 @@ class ModuleObject extends BaseObject
} }
// Check permission based on the grant information for the current module. // Check permission based on the grant information for the current module.
if (isset($check_grant))
{
$grant = $check_grant;
}
else
{
$grant = ModuleModel::getInstance()->getGrant($this->module_info, $this->user, $this->xml_info); $grant = ModuleModel::getInstance()->getGrant($this->module_info, $this->user, $this->xml_info);
}
if(!$this->checkPermission($grant, $this->user, $failed_requirement)) if(!$this->checkPermission($grant, $this->user, $failed_requirement))
{ {
$this->stop($this->_generatePermissionError($failed_requirement)); $this->stop($this->_generatePermissionError($failed_requirement));

6
modules/module/models/Permission.php
View file

@ -103,7 +103,11 @@ class Permission
// Check if each permission is granted to the current user. // Check if each permission is granted to the current user.
foreach ($this->_spec as $key => $requirement) foreach ($this->_spec as $key => $requirement)
{ {
if ($requirement === 'guest') if ($key === 'manager' && $this->manager)
{
continue;
}
elseif ($requirement === 'guest')
{ {
$this->{$key} = true; $this->{$key} = true;
} }