Merge branch 'pr/security-fixes' into develop

modules/editor/editor.controller.php

@@ -80,10 +80,30 @@ class editorController extends editor
 	 */
 	function procEditorInsertModuleConfig()
 	{
-		$module_srl = Context::get('target_module_srl');
 		// To configure many of modules at once
-		if(preg_match('/^([0-9,]+)$/',$module_srl)) $module_srl = explode(',',$module_srl);
-		else $module_srl = array($module_srl);
+		$target_module_srl = Context::get('target_module_srl');
+		$target_module_srl = array_map('trim', explode(',', $target_module_srl));
+		$logged_info = Context::get('logged_info');
+		$module_srl = array();
+		$oModuleModel = getModel('module');
+		foreach ($target_module_srl as $srl)
+		{
+			if (!$srl) continue;
+			
+			$module_info = $oModuleModel->getModuleInfoByModuleSrl($srl);
+			if (!$module_info->module_srl)
+			{
+				return new Object(-1, 'msg_invalid_request');
+			}
+			
+			$module_grant = $oModuleModel->getGrant($module_info, $logged_info);
+			if (!$module_grant->manager)
+			{
+				return new Object(-1, 'msg_not_permitted');
+			}
+			
+			$module_srl[] = $srl;
+		}
 
 		$editor_config = new stdClass;
 		$editor_config->default_editor_settings = Context::get('default_editor_settings');
@@ -134,10 +154,8 @@ class editorController extends editor
 		if($editor_config->enable_autosave != 'Y') $editor_config->enable_autosave = 'N';
 
 		$oModuleController = getController('module');
-		for($i=0;$i<count($module_srl);$i++)
+		foreach ($module_srl as $srl)
 		{
-			$srl = trim($module_srl[$i]);
-			if(!$srl) continue;
 			$oModuleController->insertModulePartConfig('editor',$srl,$editor_config);
 		}
 

modules/point/point.model.php

@@ -75,9 +75,25 @@ class pointModel extends point
 	function getMembersPointInfo()
 	{
 		$member_srls = Context::get('member_srls');
-		$member_srls = explode(',',$member_srls);
-		if(count($member_srls)==0) return;
-		array_unique($member_srls);
+		$member_srls = array_unique(explode(',', $member_srls));
+		if (!count($member_srls))
+		{
+			return;
+		}
+		
+		$logged_info = Context::get('logged_info');
+		if (!$logged_info->member_srl)
+		{
+			return;
+		}
+		if (!getModel('module')->isSiteAdmin($logged_info))
+		{
+			$member_srls = array_filter($member_srls, function($member_srl) use($logged_info) { return $member_srl == $logged_info->member_srl; });
+			if (!count($member_srls))
+			{
+				return;
+			}
+		}
 
 		$oModuleModel = getModel('module');
 		$config = $oModuleModel->getModuleConfig('point');

modules/widget/widget.controller.php

@@ -105,6 +105,7 @@ class widgetController extends widget
 		$oLayoutModel = getModel('layout');
 		$layout_info = $oLayoutModel->getLayout($module_srl);
 		if(!$layout_info || $layout_info->type != 'faceoff') $err++;
+		
 		// Destination Information Wanted page module
 		$oModuleModel = getModel('module');
 		$columnList = array('module_srl', 'module');
@@ -112,20 +113,19 @@ class widgetController extends widget
 		if(!$page_info->module_srl || $page_info->module != 'page') $err++;
 
 		if($err > 1) return new Object(-1,'msg_invalid_request');
+		
 		// Check permissions
-		$is_logged = Context::get('is_logged');
 		$logged_info = Context::get('logged_info');
-		$user_group = $logged_info->group_list;
-		$is_admin = false;
-		if(count($user_group)&&count($page_info->grants['manager']))
+		if (!$logged_info->member_srl)
 		{
-			$manager_group = $page_info->grants['manager'];
-			foreach($user_group as $group_srl => $group_info)
-			{
-				if(in_array($group_srl, $manager_group)) $is_admin = true;
-			}
+			return new Object(-1,'msg_not_permitted');
 		}
-		if(!$is_admin && !$is_logged && $logged_info->is_admin != 'Y' && !$oModuleModel->isSiteAdmin($logged_info) && !(is_array($page_info->admin_id) && in_array($logged_info->user_id, $page_info->admin_id))) return new Object(-1,'msg_not_permitted');
+		$module_grant = $oModuleModel->getGrant($page_info, $logged_info);
+		if (!$module_grant->manager)
+		{
+			return new Object(-1,'msg_not_permitted');
+		}
+		
 		// Enter post
 		$oDocumentModel = getModel('document');
 		$oDocumentController = getController('document');
@@ -145,8 +145,10 @@ class widgetController extends widget
 			$output = $oDocumentController->insertDocument($obj);
 			$obj->document_srl = $output->get('document_srl');
 		}
+		
 		// Stop when an error occurs
 		if(!$output->toBool()) return $output;
+		
 		// Return results
 		$this->add('document_srl', $obj->document_srl);
 	}
@@ -166,28 +168,28 @@ class widgetController extends widget
 		$oDocument = $oDocumentModel->getDocument($document_srl, true);
 		if(!$oDocument->isExists()) return new Object(-1,'msg_invalid_request');
 		$module_srl = $oDocument->get('module_srl');
+		
 		// Destination Information Wanted page module
 		$oModuleModel = getModel('module');
 		$columnList = array('module_srl', 'module');
 		$page_info = $oModuleModel->getModuleInfoByModuleSrl($module_srl, $columnList);
 		if(!$page_info->module_srl || $page_info->module != 'page') return new Object(-1,'msg_invalid_request');
+		
 		// Check permissions
-		$is_logged = Context::get('is_logged');
 		$logged_info = Context::get('logged_info');
-		$user_group = $logged_info->group_list;
-		$is_admin = false;
-		if(count($user_group)&&count($page_info->grants['manager']))
+		if (!$logged_info->member_srl)
 		{
-			$manager_group = $page_info->grants['manager'];
-			foreach($user_group as $group_srl => $group_info)
-			{
-				if(in_array($group_srl, $manager_group)) $is_admin = true;
-			}
+			return new Object(-1,'msg_not_permitted');
 		}
-		if(!$is_admin && !$is_logged && $logged_info->is_admin != 'Y' && !$oModuleModel->isSiteAdmin($logged_info) && !(is_array($page_info->admin_id) && in_array($logged_info->user_id, $page_info->admin_id))) return new Object(-1,'msg_not_permitted');
-
+		$module_grant = $oModuleModel->getGrant($page_info, $logged_info);
+		if (!$module_grant->manager)
+		{
+			return new Object(-1,'msg_not_permitted');
+		}
+		
 		$output = $oDocumentAdminController->copyDocumentModule(array($oDocument->get('document_srl')), $oDocument->get('module_srl'),0);
 		if(!$output->toBool()) return $output;
+		
 		// Return results
 		$copied_srls = $output->get('copied_srls');
 		$this->add('document_srl', $copied_srls[$oDocument->get('document_srl')]);
@@ -207,25 +209,24 @@ class widgetController extends widget
 		$oDocument = $oDocumentModel->getDocument($document_srl, true);
 		if(!$oDocument->isExists()) return new Object();
 		$module_srl = $oDocument->get('module_srl');
+		
 		// Destination Information Wanted page module
 		$oModuleModel = getModel('module');
 		$page_info = $oModuleModel->getModuleInfoByModuleSrl($module_srl);
 		if(!$page_info->module_srl || $page_info->module != 'page') return new Object(-1,'msg_invalid_request');
+		
 		// Check permissions
-		$is_logged = Context::get('is_logged');
 		$logged_info = Context::get('logged_info');
-		$user_group = $logged_info->group_list;
-		$is_admin = false;
-		if(count($user_group)&&count($page_info->grants['manager']))
+		if (!$logged_info->member_srl)
 		{
-			$manager_group = $page_info->grants['manager'];
-			foreach($user_group as $group_srl => $group_info)
-			{
-				if(in_array($group_srl, $manager_group)) $is_admin = true;
-			}
+			return new Object(-1,'msg_not_permitted');
 		}
-		if(!$is_admin && !$is_logged && $logged_info->is_admin != 'Y' && !$oModuleModel->isSiteAdmin($logged_info) && !(is_array($page_info->admin_id) && in_array($logged_info->user_id, $page_info->admin_id))) return new Object(-1,'msg_not_permitted');
-
+		$module_grant = $oModuleModel->getGrant($page_info, $logged_info);
+		if (!$module_grant->manager)
+		{
+			return new Object(-1,'msg_not_permitted');
+		}
+		
 		$output = $oDocumentController->deleteDocument($oDocument->get('document_srl'), true);
 		if(!$output->toBool()) return $output;
 	}