mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-04 17:21:39 +09:00
Merge branch 'security/document-module-check' into develop
This commit is contained in:
Kijin Sung
commit
83e4b763ce
8 changed files with 168 additions and 54 deletions
|
|
@ -176,7 +176,7 @@ class ModuleHandler extends Handler
|
|||
}
|
||||
|
||||
// Get module info from document_srl.
|
||||
if($this->document_srl && !$this->module)
|
||||
if($this->document_srl)
|
||||
{
|
||||
$module_info = $this->_checkDocumentSrl();
|
||||
if ($module_info === false)
|
||||
|
|
|
|||
|
|
@ -176,6 +176,10 @@ class boardController extends board
|
|||
$obj->module_srl = $oDocument->get('module_srl');
|
||||
$obj->category_srl = $oDocument->get('category_srl');
|
||||
}
|
||||
else
|
||||
{
|
||||
$obj->module_srl = $oDocument->get('module_srl');
|
||||
}
|
||||
|
||||
// notice & document style same as before if not manager
|
||||
if(!$this->grant->manager)
|
||||
|
|
|
|||
|
|
@ -39,16 +39,17 @@ class commentController extends comment
|
|||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
|
||||
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
|
||||
$module_srl = $oComment->get('module_srl');
|
||||
if(!$module_srl)
|
||||
$oComment = CommentModel::getComment($comment_srl, false, false);
|
||||
if(!$oComment->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
|
||||
$comment_config = ModuleModel::getModulePartConfig('comment', $module_srl);
|
||||
if($comment_config->use_vote_up == 'N')
|
||||
if(!$oComment->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
$comment_config = ModuleModel::getModulePartConfig('comment', $oComment->get('module_srl'));
|
||||
if($comment_config->use_vote_up === 'N')
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
|
||||
}
|
||||
|
|
@ -70,13 +71,24 @@ class commentController extends comment
|
|||
}
|
||||
|
||||
$comment_srl = Context::get('target_srl');
|
||||
if(!$comment_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
|
||||
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
|
||||
if(!$comment_srl)
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
$oComment = CommentModel::getComment($comment_srl, false, false);
|
||||
if(!$oComment->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oComment->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
if($oComment->get('voted_count') <= 0)
|
||||
{
|
||||
throw new Rhymix\Framework\Exception('failed_voted_canceled');
|
||||
}
|
||||
|
||||
$point = 1;
|
||||
$output = $this->updateVotedCountCancel($comment_srl, $oComment, $point);
|
||||
|
||||
|
|
@ -106,16 +118,17 @@ class commentController extends comment
|
|||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
|
||||
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
|
||||
$module_srl = $oComment->get('module_srl');
|
||||
if(!$module_srl)
|
||||
$oComment = CommentModel::getComment($comment_srl, false, false);
|
||||
if(!$oComment->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
|
||||
$comment_config = ModuleModel::getModulePartConfig('comment', $module_srl);
|
||||
if($comment_config->use_vote_down == 'N')
|
||||
if(!$oComment->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
$comment_config = ModuleModel::getModulePartConfig('comment', $oComment->get('module_srl'));
|
||||
if($comment_config->use_vote_down === 'N')
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
|
||||
}
|
||||
|
|
@ -137,13 +150,24 @@ class commentController extends comment
|
|||
}
|
||||
|
||||
$comment_srl = Context::get('target_srl');
|
||||
if(!$comment_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
|
||||
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
|
||||
if(!$comment_srl)
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
$oComment = CommentModel::getComment($comment_srl, false, false);
|
||||
if(!$oComment->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oComment->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
if($oComment->get('blamed_count') >= 0)
|
||||
{
|
||||
throw new Rhymix\Framework\Exception('failed_blamed_canceled');
|
||||
}
|
||||
|
||||
$point = -1;
|
||||
$output = $this->updateVotedCountCancel($comment_srl, $oComment, $point);
|
||||
|
||||
|
|
@ -243,7 +267,16 @@ class commentController extends comment
|
|||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
|
||||
$oComment = CommentModel::getComment($comment_srl, false, false);
|
||||
if(!$oComment->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oComment->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
|
||||
// if an user select message from options, message would be the option.
|
||||
$message_option = strval(Context::get('message_option'));
|
||||
$improper_comment_reasons = lang('improper_comment_reasons');
|
||||
|
|
|
|||
|
|
@ -188,13 +188,27 @@ class commentItem extends BaseObject
|
|||
}
|
||||
}
|
||||
|
||||
function isAccessible()
|
||||
function isAccessible($strict = false)
|
||||
{
|
||||
if(!$this->isExists())
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($strict)
|
||||
{
|
||||
$module_info = ModuleModel::getModuleInfoByModuleSrl($this->get('module_srl'));
|
||||
if (!$module_info)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
$grant = ModuleModel::getGrant($module_info, Context::get('logged_info'));
|
||||
if (isset($grant->list) && isset($grant->view) && ($grant->list !== true || $grant->view !== true))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($_SESSION['accessible'][$this->comment_srl]) && $_SESSION['accessible'][$this->comment_srl] === $this->get('last_update'))
|
||||
{
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -80,7 +80,7 @@ class commentView extends comment
|
|||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
// Check permissions
|
||||
if(!$oComment->isAccessible())
|
||||
if(!$oComment->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -35,7 +35,6 @@ class documentController extends document
|
|||
{
|
||||
$module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl);
|
||||
}
|
||||
|
||||
if($module_info->non_login_vote !== 'Y')
|
||||
{
|
||||
if(!Context::get('is_logged'))
|
||||
|
|
@ -45,11 +44,19 @@ class documentController extends document
|
|||
}
|
||||
|
||||
$oDocument = DocumentModel::getDocument($document_srl, false, false);
|
||||
$module_srl = $oDocument->get('module_srl');
|
||||
if(!$module_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
|
||||
$document_config = ModuleModel::getModulePartConfig('document',$module_srl);
|
||||
if($document_config->use_vote_up=='N') throw new Rhymix\Framework\Exceptions\FeatureDisabled;
|
||||
if(!$oDocument->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
$document_config = ModuleModel::getModulePartConfig('document', $oDocument->get('module_srl'));
|
||||
if($document_config->use_vote_up === 'N')
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
|
||||
}
|
||||
|
||||
$point = 1;
|
||||
$output = $this->updateVotedCount($document_srl, $point);
|
||||
|
|
@ -74,7 +81,6 @@ class documentController extends document
|
|||
{
|
||||
$module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl);
|
||||
}
|
||||
|
||||
if($module_info->non_login_vote !== 'Y')
|
||||
{
|
||||
if(!Context::get('is_logged'))
|
||||
|
|
@ -82,17 +88,25 @@ class documentController extends document
|
|||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
}
|
||||
|
||||
if($module_info->cancel_vote !== 'Y')
|
||||
{
|
||||
throw new Rhymix\Framework\Exception('failed_voted_cancel');
|
||||
}
|
||||
|
||||
$oDocument = DocumentModel::getDocument($document_srl, false, false);
|
||||
if(!$oDocument->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
if($oDocument->get('voted_count') <= 0)
|
||||
{
|
||||
throw new Rhymix\Framework\Exception('failed_voted_canceled');
|
||||
}
|
||||
|
||||
$point = 1;
|
||||
$output = $this->updateVotedCountCancel($document_srl, $oDocument, $point);
|
||||
if(!$output->toBool())
|
||||
|
|
@ -139,15 +153,25 @@ class documentController extends document
|
|||
}
|
||||
|
||||
$document_srl = Context::get('target_srl');
|
||||
if(!$document_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
|
||||
if(!$document_srl)
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
$oDocument = DocumentModel::getDocument($document_srl, false, false);
|
||||
$module_srl = $oDocument->get('module_srl');
|
||||
if(!$module_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
|
||||
$document_config = ModuleModel::getModulePartConfig('document',$module_srl);
|
||||
if($document_config->use_vote_down=='N') throw new Rhymix\Framework\Exceptions\FeatureDisabled;
|
||||
|
||||
if(!$oDocument->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
$document_config = ModuleModel::getModulePartConfig('document', $oDocument->get('module_srl'));
|
||||
if($document_config->use_vote_down === 'N')
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
|
||||
}
|
||||
|
||||
$point = -1;
|
||||
$output = $this->updateVotedCount($document_srl, $point);
|
||||
if(!$output->toBool())
|
||||
|
|
@ -167,20 +191,30 @@ class documentController extends document
|
|||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
}
|
||||
|
||||
if($this->module_info->cancel_vote !== 'Y')
|
||||
{
|
||||
return new Rhymix\Framework\Exception('failed_voted_canceled');
|
||||
}
|
||||
|
||||
$document_srl = Context::get('target_srl');
|
||||
if(!$document_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
|
||||
if(!$document_srl)
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
$oDocument = DocumentModel::getDocument($document_srl, false, false);
|
||||
if(!$oDocument->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
if($oDocument->get('blamed_count') >= 0)
|
||||
{
|
||||
throw new Rhymix\Framework\Exception('failed_blamed_canceled');
|
||||
}
|
||||
|
||||
$point = -1;
|
||||
$output = $this->updateVotedCountCancel($document_srl, $oDocument, $point);
|
||||
if(!$output->toBool())
|
||||
|
|
@ -289,11 +323,20 @@ class documentController extends document
|
|||
throw new Rhymix\Framework\Exceptions\MustLogin;
|
||||
}
|
||||
|
||||
$document_srl = intval(Context::get('target_srl'));
|
||||
$document_srl = Context::get('target_srl');
|
||||
if(!$document_srl)
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
$oDocument = DocumentModel::getDocument($document_srl, false, false);
|
||||
if(!$oDocument->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
|
||||
// if an user select message from options, message would be the option.
|
||||
$message_option = strval(Context::get('message_option'));
|
||||
|
|
@ -321,15 +364,21 @@ class documentController extends document
|
|||
{
|
||||
throw new Rhymix\Framework\Exceptions\MustLogin;
|
||||
}
|
||||
|
||||
$document_srl = intval(Context::get('target_srl'));
|
||||
|
||||
$oDocument = DocumentModel::getDocument($document_srl);
|
||||
if(!$oDocument->isExists())
|
||||
$document_srl = Context::get('target_srl');
|
||||
if(!$document_srl)
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\InvalidRequest;
|
||||
}
|
||||
|
||||
$oDocument = DocumentModel::getDocument($document_srl, false, false);
|
||||
if(!$oDocument->isExists())
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
$module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl);
|
||||
if($module_info->cancel_vote !== 'Y')
|
||||
{
|
||||
|
|
|
|||
|
|
@ -237,13 +237,27 @@ class documentItem extends BaseObject
|
|||
$this->setGrant();
|
||||
}
|
||||
|
||||
function isAccessible()
|
||||
function isAccessible($strict = false)
|
||||
{
|
||||
if(!$this->isExists())
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($strict)
|
||||
{
|
||||
$module_info = ModuleModel::getModuleInfoByModuleSrl($this->get('module_srl'));
|
||||
if (!$module_info)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
$grant = ModuleModel::getGrant($module_info, Context::get('logged_info'));
|
||||
if (isset($grant->list) && isset($grant->view) && ($grant->list !== true || $grant->view !== true))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($_SESSION['accessible'][$this->document_srl]) && $_SESSION['accessible'][$this->document_srl] === $this->get('last_update'))
|
||||
{
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ class documentView extends document
|
|||
$oDocument = DocumentModel::getDocument($document_srl);
|
||||
if(!$oDocument->isExists()) throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
// Check permissions
|
||||
if(!$oDocument->isAccessible()) throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
if(!$oDocument->isAccessible(true)) throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
// Information setting module
|
||||
//Context::set('module_info', $module_info); //module_info not use in UI
|
||||
// Browser title settings
|
||||
|
|
@ -238,7 +238,7 @@ class documentView extends document
|
|||
throw new Rhymix\Framework\Exceptions\TargetNotFound;
|
||||
}
|
||||
// Check permissions
|
||||
if(!$oDocument->isAccessible())
|
||||
if(!$oDocument->isAccessible(true))
|
||||
{
|
||||
throw new Rhymix\Framework\Exceptions\NotPermitted;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue