fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-04 17:44:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix potential vulnerabilities

Browse source
This commit is contained in:
conory 2022-08-05 11:19:02 +09:00
parent 0dd567bc00
commit 99d16d84c3
4 changed files with 141 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

73
modules/comment/comment.controller.php
View file

@ -39,16 +39,22 @@ class commentController extends comment
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
$oComment = CommentModel::getComment($comment_srl, false, false);
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE); if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$module_srl = $oComment->get('module_srl'); $module_srl = $oComment->get('module_srl');
if(!$module_srl) if(!$module_srl)
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
$comment_config = ModuleModel::getModulePartConfig('comment', $module_srl); $comment_config = ModuleModel::getModulePartConfig('comment', $module_srl);
if($comment_config->use_vote_up == 'N') if($comment_config->use_vote_up === 'N')
{ {
throw new Rhymix\Framework\Exceptions\FeatureDisabled; throw new Rhymix\Framework\Exceptions\FeatureDisabled;
} }
@ -70,13 +76,24 @@ class commentController extends comment
} }
$comment_srl = Context::get('target_srl'); $comment_srl = Context::get('target_srl');
if(!$comment_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest; if(!$comment_srl)
{
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE); throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if($oComment->get('voted_count') <= 0) if($oComment->get('voted_count') <= 0)
{ {
throw new Rhymix\Framework\Exception('failed_voted_canceled'); throw new Rhymix\Framework\Exception('failed_voted_canceled');
} }
$point = 1; $point = 1;
$output = $this->updateVotedCountCancel($comment_srl, $oComment, $point); $output = $this->updateVotedCountCancel($comment_srl, $oComment, $point);
@ -106,16 +123,22 @@ class commentController extends comment
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
$oComment = CommentModel::getComment($comment_srl, false, false);
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE); if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$module_srl = $oComment->get('module_srl'); $module_srl = $oComment->get('module_srl');
if(!$module_srl) if(!$module_srl)
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
$comment_config = ModuleModel::getModulePartConfig('comment', $module_srl); $comment_config = ModuleModel::getModulePartConfig('comment', $module_srl);
if($comment_config->use_vote_down == 'N') if($comment_config->use_vote_down === 'N')
{ {
throw new Rhymix\Framework\Exceptions\FeatureDisabled; throw new Rhymix\Framework\Exceptions\FeatureDisabled;
} }
@ -137,13 +160,24 @@ class commentController extends comment
} }
$comment_srl = Context::get('target_srl'); $comment_srl = Context::get('target_srl');
if(!$comment_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest; if(!$comment_srl)
{
$oComment = CommentModel::getComment($comment_srl, FALSE, FALSE); throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if($oComment->get('blamed_count') >= 0) if($oComment->get('blamed_count') >= 0)
{ {
throw new Rhymix\Framework\Exception('failed_blamed_canceled'); throw new Rhymix\Framework\Exception('failed_blamed_canceled');
} }
$point = -1; $point = -1;
$output = $this->updateVotedCountCancel($comment_srl, $oComment, $point); $output = $this->updateVotedCountCancel($comment_srl, $oComment, $point);
@ -243,7 +277,16 @@ class commentController extends comment
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
$oComment = CommentModel::getComment($comment_srl, false, false);
if(!$oComment->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oComment->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
// if an user select message from options, message would be the option. // if an user select message from options, message would be the option.
$message_option = strval(Context::get('message_option')); $message_option = strval(Context::get('message_option'));
$improper_comment_reasons = lang('improper_comment_reasons'); $improper_comment_reasons = lang('improper_comment_reasons');

2
modules/comment/comment.view.php
View file

@ -80,7 +80,7 @@ class commentView extends comment
throw new Rhymix\Framework\Exceptions\TargetNotFound; throw new Rhymix\Framework\Exceptions\TargetNotFound;
} }
// Check permissions // Check permissions
if(!$oComment->isAccessible()) if(!$oComment->isAccessible(true))
{ {
throw new Rhymix\Framework\Exceptions\NotPermitted; throw new Rhymix\Framework\Exceptions\NotPermitted;
} }

103
modules/document/document.controller.php
View file

@ -35,7 +35,6 @@ class documentController extends document
{ {
$module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl); $module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl);
} }
if($module_info->non_login_vote !== 'Y') if($module_info->non_login_vote !== 'Y')
{ {
if(!Context::get('is_logged')) if(!Context::get('is_logged'))
@ -45,11 +44,24 @@ class documentController extends document
} }
$oDocument = DocumentModel::getDocument($document_srl, false, false); $oDocument = DocumentModel::getDocument($document_srl, false, false);
if(!$oDocument->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oDocument->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$module_srl = $oDocument->get('module_srl'); $module_srl = $oDocument->get('module_srl');
if(!$module_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest; if(!$module_srl)
{
$document_config = ModuleModel::getModulePartConfig('document',$module_srl); throw new Rhymix\Framework\Exceptions\InvalidRequest;
if($document_config->use_vote_up=='N') throw new Rhymix\Framework\Exceptions\FeatureDisabled; }
$document_config = ModuleModel::getModulePartConfig('document', $module_srl);
if($document_config->use_vote_up === 'N')
{
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
}
$point = 1; $point = 1;
$output = $this->updateVotedCount($document_srl, $point); $output = $this->updateVotedCount($document_srl, $point);
@ -74,7 +86,6 @@ class documentController extends document
{ {
$module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl); $module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl);
} }
if($module_info->non_login_vote !== 'Y') if($module_info->non_login_vote !== 'Y')
{ {
if(!Context::get('is_logged')) if(!Context::get('is_logged'))
@ -82,17 +93,25 @@ class documentController extends document
throw new Rhymix\Framework\Exceptions\NotPermitted; throw new Rhymix\Framework\Exceptions\NotPermitted;
} }
} }
if($module_info->cancel_vote !== 'Y') if($module_info->cancel_vote !== 'Y')
{ {
throw new Rhymix\Framework\Exception('failed_voted_cancel'); throw new Rhymix\Framework\Exception('failed_voted_cancel');
} }
$oDocument = DocumentModel::getDocument($document_srl, false, false); $oDocument = DocumentModel::getDocument($document_srl, false, false);
if(!$oDocument->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oDocument->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if($oDocument->get('voted_count') <= 0) if($oDocument->get('voted_count') <= 0)
{ {
throw new Rhymix\Framework\Exception('failed_voted_canceled'); throw new Rhymix\Framework\Exception('failed_voted_canceled');
} }
$point = 1; $point = 1;
$output = $this->updateVotedCountCancel($document_srl, $oDocument, $point); $output = $this->updateVotedCountCancel($document_srl, $oDocument, $point);
if(!$output->toBool()) if(!$output->toBool())
@ -139,15 +158,30 @@ class documentController extends document
} }
$document_srl = Context::get('target_srl'); $document_srl = Context::get('target_srl');
if(!$document_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest; if(!$document_srl)
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oDocument = DocumentModel::getDocument($document_srl, false, false); $oDocument = DocumentModel::getDocument($document_srl, false, false);
if(!$oDocument->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oDocument->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$module_srl = $oDocument->get('module_srl'); $module_srl = $oDocument->get('module_srl');
if(!$module_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest; if(!$module_srl)
{
$document_config = ModuleModel::getModulePartConfig('document',$module_srl); throw new Rhymix\Framework\Exceptions\InvalidRequest;
if($document_config->use_vote_down=='N') throw new Rhymix\Framework\Exceptions\FeatureDisabled; }
$document_config = ModuleModel::getModulePartConfig('document', $module_srl);
if($document_config->use_vote_down === 'N')
{
throw new Rhymix\Framework\Exceptions\FeatureDisabled;
}
$point = -1; $point = -1;
$output = $this->updateVotedCount($document_srl, $point); $output = $this->updateVotedCount($document_srl, $point);
if(!$output->toBool()) if(!$output->toBool())
@ -167,20 +201,30 @@ class documentController extends document
throw new Rhymix\Framework\Exceptions\NotPermitted; throw new Rhymix\Framework\Exceptions\NotPermitted;
} }
} }
if($this->module_info->cancel_vote !== 'Y') if($this->module_info->cancel_vote !== 'Y')
{ {
return new Rhymix\Framework\Exception('failed_voted_canceled'); return new Rhymix\Framework\Exception('failed_voted_canceled');
} }
$document_srl = Context::get('target_srl'); $document_srl = Context::get('target_srl');
if(!$document_srl) throw new Rhymix\Framework\Exceptions\InvalidRequest; if(!$document_srl)
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oDocument = DocumentModel::getDocument($document_srl, false, false); $oDocument = DocumentModel::getDocument($document_srl, false, false);
if(!$oDocument->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oDocument->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
if($oDocument->get('blamed_count') >= 0) if($oDocument->get('blamed_count') >= 0)
{ {
throw new Rhymix\Framework\Exception('failed_blamed_canceled'); throw new Rhymix\Framework\Exception('failed_blamed_canceled');
} }
$point = -1; $point = -1;
$output = $this->updateVotedCountCancel($document_srl, $oDocument, $point); $output = $this->updateVotedCountCancel($document_srl, $oDocument, $point);
if(!$output->toBool()) if(!$output->toBool())
@ -289,11 +333,20 @@ class documentController extends document
throw new Rhymix\Framework\Exceptions\MustLogin; throw new Rhymix\Framework\Exceptions\MustLogin;
} }
$document_srl = intval(Context::get('target_srl')); $document_srl = Context::get('target_srl');
if(!$document_srl) if(!$document_srl)
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
$oDocument = DocumentModel::getDocument($document_srl, false, false);
if(!$oDocument->isExists())
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
if(!$oDocument->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
// if an user select message from options, message would be the option. // if an user select message from options, message would be the option.
$message_option = strval(Context::get('message_option')); $message_option = strval(Context::get('message_option'));
@ -321,15 +374,21 @@ class documentController extends document
{ {
throw new Rhymix\Framework\Exceptions\MustLogin; throw new Rhymix\Framework\Exceptions\MustLogin;
} }
$document_srl = intval(Context::get('target_srl'));
$oDocument = DocumentModel::getDocument($document_srl); $document_srl = Context::get('target_srl');
if(!$document_srl)
{
throw new Rhymix\Framework\Exceptions\InvalidRequest;
}
$oDocument = DocumentModel::getDocument($document_srl, false, false);
if(!$oDocument->isExists()) if(!$oDocument->isExists())
{ {
throw new Rhymix\Framework\Exceptions\InvalidRequest; throw new Rhymix\Framework\Exceptions\InvalidRequest;
} }
if(!$oDocument->isAccessible(true))
{
throw new Rhymix\Framework\Exceptions\NotPermitted;
}
$module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl); $module_info = ModuleModel::getModuleInfoByDocumentSrl($document_srl);
if($module_info->cancel_vote !== 'Y') if($module_info->cancel_vote !== 'Y')
{ {

2
modules/document/document.view.php
View file

@ -238,7 +238,7 @@ class documentView extends document
throw new Rhymix\Framework\Exceptions\TargetNotFound; throw new Rhymix\Framework\Exceptions\TargetNotFound;
} }
// Check permissions // Check permissions
if(!$oDocument->isAccessible()) if(!$oDocument->isAccessible(true))
{ {
throw new Rhymix\Framework\Exceptions\NotPermitted; throw new Rhymix\Framework\Exceptions\NotPermitted;
} }