From 910610e62dc665b52da164d598baad1e1674a968 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Wed, 8 Mar 2017 17:14:23 +0900
Subject: [PATCH] Fix direct file access via procFileGetList @conory
---
modules/file/conf/module.xml | 1 +
modules/file/file.controller.php | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/modules/file/conf/module.xml b/modules/file/conf/module.xml
index cb0aba1ae..564ce3d78 100644
--- a/modules/file/conf/module.xml
+++ b/modules/file/conf/module.xml
@@ -2,6 +2,7 @@ +
diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
index 7ec1cf5bf..43c288ebc 100644
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@@ -546,6 +546,12 @@ class fileController extends file function procFileGetList() { if(!Context::get('is_logged')) return new Object(-1,'msg_not_permitted'); + $logged_info = Context::get('logged_info'); if($logged_info->is_admin !== 'Y' && !getModel('module')->isSiteAdmin($logged_info)) { return new Object(-1,'msg_not_permitted'); } + $fileSrls = Context::get('file_srls'); if($fileSrls) $fileSrlList = explode(',', $fileSrls);
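Review bot: The admin gate added at the top of procFileGetList is the only authorization visible in this hunk, and it is a role check rather than a per-file one: `file_srls` still comes straight from the request and is split with `explode(',', $fileSrls)` with no ownership or grant test shown. The function body continues past the end of the hunk, so a per-file check may exist further down; if it does not, the role check is the sole barrier and should say so in a comment, for example `// file_srls is caller-supplied and not checked per file below, so only super/site admins may list files`. Nothing in the visible lines constrains the list entries either, so normalising them where the list is built would be a cheap extra guard: `if($fileSrls) $fileSrlList = array_map('intval', explode(',', $fileSrls));`.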