Merge branch 'security/rve-2023-3-4' into develop

This commit is contained in:
Kijin Sung 2023-09-13 11:02:59 +09:00
commit 71e4118bd5
3 changed files with 99 additions and 130 deletions


@ -646,6 +646,8 @@ class DocumentController extends Document
if(!$grant->manager)
{
unset($obj->regdate);
unset($obj->last_update);
unset($obj->last_updater);
}
// Serialize the $extra_vars, check the extra_vars type, because duplicate serialized avoid
@ -664,8 +666,22 @@ class DocumentController extends Document
unset($obj->_saved_doc_content);
unset($obj->_saved_doc_message);
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
unset($obj->manual_member_info);
// Add the current user's info, unless it is a guest post
$logged_info = Context::get('logged_info');
if($logged_info->member_srl && !$manual_inserted && !$isRestore)
{
$obj->member_srl = $logged_info->member_srl;
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
if(!$logged_info->member_srl && !$manual_inserted && !$isRestore)
{
unset($obj->member_srl);
unset($obj->user_id);
}
$obj->uploaded_count = FileModel::getFilesCount($obj->document_srl);
@ -717,20 +733,6 @@ class DocumentController extends Document
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
}
// Insert member's information only if the member is logged-in and not manually registered.
$logged_info = Context::get('logged_info');
if(Context::get('is_logged') && !$manual_inserted && !$isRestore && !$obj->manual_member_info)
{
$obj->member_srl = $logged_info->member_srl;
// user_id, user_name and nick_name already encoded
$obj->user_id = htmlspecialchars_decode($logged_info->user_id);
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
// If the tile is empty, extract string from the contents.
$obj->title = escape($obj->title, false);
if($obj->title == '')
@ -900,8 +902,22 @@ class DocumentController extends Document
$this->_checkDocumentStatusForOldVersion($obj);
}
// Remove manual member info to prevent forgery. This variable can be set by triggers only.
unset($obj->manual_member_info);
// Preserve original author info.
if ($source_obj->get('member_srl'))
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_id = $source_obj->get('user_id');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
$obj->ipaddress = $source_obj->get('ipaddress');
}
else
{
unset($obj->member_srl);
unset($obj->user_id);
}
$obj->uploaded_count = FileModel::getFilesCount($obj->document_srl);
@ -947,6 +963,8 @@ class DocumentController extends Document
if(!$grant->manager)
{
unset($obj->regdate);
unset($obj->last_update);
unset($obj->list_order);
}
// Serialize the $extra_vars
@ -990,29 +1008,6 @@ class DocumentController extends Document
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
}
// If an author is identical to the modifier or history is used, use the logged-in user's information.
if(Context::get('is_logged') && !$manual_updated && !$obj->manual_member_info)
{
if($source_obj->get('member_srl')==$logged_info->member_srl)
{
$obj->member_srl = $logged_info->member_srl;
$obj->user_name = htmlspecialchars_decode($logged_info->user_name);
$obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
$obj->email_address = $logged_info->email_address;
$obj->homepage = $logged_info->homepage;
}
}
// For the document written by logged-in user however no nick_name exists
if($source_obj->get('member_srl')&& !$obj->nick_name && !$obj->manual_member_info)
{
$obj->member_srl = $source_obj->get('member_srl');
$obj->user_name = $source_obj->get('user_name');
$obj->nick_name = $source_obj->get('nick_name');
$obj->email_address = $source_obj->get('email_address');
$obj->homepage = $source_obj->get('homepage');
}
// If the tile is empty, extract string from the contents.
$obj->title = escape($obj->title, false);
if($obj->title == '')
@ -1068,10 +1063,6 @@ class DocumentController extends Document
$args->ipaddress = $source_obj->get('ipaddress');
$output = executeQuery("document.insertHistory", $args);
}
else
{
$obj->ipaddress = $source_obj->get('ipaddress');
}
// Set lang_code if the original document doesn't have it.
if (!$source_obj->get('lang_code'))
@ -3405,6 +3396,8 @@ Content;
$obj = Context::getRequestVars();
$obj->module_srl = $this->module_srl;
$obj->status = $this->getConfigStatus('temp');
$obj->list_order = $obj->update_order = 0;
unset($obj->extra_vars);
// unset document style if not manager
if(!$this->grant->manager)