fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-30 15:52:17 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'security/document-module-check' into develop

Browse source
This commit is contained in:
Kijin Sung 2022-08-16 08:55:44 +09:00
commit 83e4b763ce
8 changed files with 168 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

79
modules/comment/comment.controller.php
View file

@ -39,16 +39,17 @@ class commentController extends comment
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
$module_srl = $oComment->get('module_srl');
if(!$module_srl)
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
$comment_config = ModuleModel::getModulePartConfig('comment', $module_srl);
if($comment_config->use_vote_up == 'N')
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$comment_config = ModuleModel::getModulePartConfig('comment', $oComment->get('module_srl'));
if($comment_config->use_vote_up === 'N')
{
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
}
@ -70,13 +71,24 @@ class commentController extends comment
}
$comment_srl = Context::get('target_srl');
if(!$comment_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
if(!$comment_srl)
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if($oComment->get('voted_count') <= 0)
{
throw new Rhymix\Framework\Exception('failed_voted_canceled');
}
$point = 1;
$output = $this->updateVotedCountCancel($comment_srl, $oComment, $point);
@ -106,16 +118,17 @@ class commentController extends comment
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
$module_srl = $oComment->get('module_srl');
if(!$module_srl)
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
$comment_config = ModuleModel::getModulePartConfig('comment', $module_srl);
if($comment_config->use_vote_down == 'N')
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$comment_config = ModuleModel::getModulePartConfig('comment', $oComment->get('module_srl'));
if($comment_config->use_vote_down === 'N')
{
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
}
@ -137,13 +150,24 @@ class commentController extends comment
}
$comment_srl = Context::get('target_srl');
if(!$comment_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest;
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE);
if(!$comment_srl)
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if($oComment->get('blamed_count') >= 0)
{
throw new Rhymix\Framework\Exception('failed_blamed_canceled');
}
$point = -1;
$output = $this->updateVotedCountCancel($comment_srl, $oComment, $point);
@ -243,7 +267,16 @@ class commentController extends comment
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
// if an user select message from options, message would be the option.
$message_option = strval(Context::get('message_option'));
$improper_comment_reasons = lang('improper_comment_reasons');

16
modules/comment/comment.item.php
View file

@ -188,13 +188,27 @@ class commentItem extends BaseObject
}
}
function isAccessible()
function isAccessible($strict = false)
{
if(!$this->isExists())
{
return false;
}
if ($strict)
{
$module_info = ModuleModel::getModuleInfoByModuleSrl($this->get('module_srl'));
if (!$module_info)
{
return false;
}
$grant = ModuleModel::getGrant($module_info, Context::get('logged_info'));
if (isset($grant->list) && isset($grant->view) && ($grant->list !== true || $grant->view !== true))
{
return false;
}
}
if (isset($_SESSION['accessible'][$this->comment_srl]) && $_SESSION['accessible'][$this->comment_srl] === $this->get('last_update'))
{
return true;

2
modules/comment/comment.view.php
View file

@ -80,7 +80,7 @@ class commentView extends comment
throw new Rhymix\Framework\Exceptions\TargetNotFound;
}
// Check permissions
if(!$oComment->isAccessible())
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}