fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-09 12:02:24 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix direct file access via procFileGetList

Browse source 
@conory
This commit is contained in:
Kijin Sung 2017-03-08 17:14:23 +09:00
parent 23a130f53c
commit 910610e62d
2 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/file/conf/module.xml
View file

@ -2,6 +2,7 @@
<module> <module>
<grants /> <grants />
<permissions> <permissions>
<permission action="procFileGetList" target="manager" />
<permission action="procFileAdminInsertModuleConfig" target="manager" /> <permission action="procFileAdminInsertModuleConfig" target="manager" />
</permissions> </permissions>
<actions> <actions>

6
modules/file/file.controller.php
View file

@ -546,6 +546,12 @@ class fileController extends file
function procFileGetList() function procFileGetList()
{ {
if(!Context::get('is_logged')) return new Object(-1,'msg_not_permitted'); if(!Context::get('is_logged')) return new Object(-1,'msg_not_permitted');
$logged_info = Context::get('logged_info');
if($logged_info->is_admin !== 'Y' && !getModel('module')->isSiteAdmin($logged_info))
{
return new Object(-1,'msg_not_permitted');
}
$fileSrls = Context::get('file_srls'); $fileSrls = Context::get('file_srls');
if($fileSrls) $fileSrlList = explode(',', $fileSrls); if($fileSrls) $fileSrlList = explode(',', $fileSrls);