diff --git a/modules/editor/editor.controller.php b/modules/editor/editor.controller.php
index 420f08303..b0bb9b992 100644
--- a/modules/editor/editor.controller.php
+++ b/modules/editor/editor.controller.php
@@ -80,10 +80,30 @@ class editorController extends editor
 */
 function procEditorInsertModuleConfig()
 {
- $module_srl = Context::get('target_module_srl'); // To configure many of modules at once
- if(preg_match('/^([0-9,]+)$/',$module_srl)) $module_srl = explode(',',$module_srl);
- else $module_srl = array($module_srl);
+ $target_module_srl = Context::get('target_module_srl');
+ $target_module_srl = array_map('trim', explode(',', $target_module_srl));
+ $logged_info = Context::get('logged_info');
+ $module_srl = array();
+ $oModuleModel = getModel('module');
+ foreach ($target_module_srl as $srl)
+ {
+ if (!$srl) continue;
+
+ $module_info = $oModuleModel->getModuleInfoByModuleSrl($srl);
+ if (!$module_info->module_srl)
+ {
+ return new Object(-1, 'msg_invalid_request');
+ }
+
+ $module_grant = $oModuleModel->getGrant($module_info, $logged_info);
+ if (!$module_grant->manager)
+ {
+ return new Object(-1, 'msg_not_permitted');
+ }
+
+ $module_srl[] = $srl;
+ }
 $editor_config = new stdClass;
 $editor_config->default_editor_settings = Context::get('default_editor_settings');
@@ -134,10 +154,8 @@ class editorController extends editor
 if($editor_config->enable_autosave != 'Y') $editor_config->enable_autosave = 'N';
 $oModuleController = getController('module');
- for($i=0;$iinsertModulePartConfig('editor',$srl,$editor_config); }
diff --git a/modules/point/point.model.php b/modules/point/point.model.php
index a50638745..28bfcfacd 100644
--- a/modules/point/point.model.php
+++ b/modules/point/point.model.php
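Review bot: The rewritten loop at the top of procEditorInsertModuleConfig accepts any non-empty token after explode/trim, whereas the removed preg_match restricted target_module_srl to digits and commas; a non-numeric token now reaches getModuleInfoByModuleSrl and is rejected only because the lookup comes back empty. An explicit format check is cheaper and independent of the query layer: after `if (!$srl) continue;` add `if (!ctype_digit($srl)) return new Object(-1, 'msg_invalid_request');`. Context::get may also hand back an array when the request sends target_module_srl[] (presumably — confirm), and explode() does not accept an array, so `if (!is_string($target_module_srl)) return new Object(-1, 'msg_invalid_request');` before the explode closes that path. The function continues past this hunk, and the second hunk of this file (around line 134, the loop that calls insertModulePartConfig) is garbled in this view, so the rewritten loop there could not be reviewed.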
@@ -75,9 +75,25 @@ class pointModel extends point
 function getMembersPointInfo()
 {
 $member_srls = Context::get('member_srls');
- $member_srls = explode(',',$member_srls);
- if(count($member_srls)==0) return;
- array_unique($member_srls);
+ $member_srls = array_unique(explode(',', $member_srls));
+ if (!count($member_srls))
+ {
+ return;
+ }
+
+ $logged_info = Context::get('logged_info');
+ if (!$logged_info->member_srl)
+ {
+ return;
+ }
+ if (!getModel('module')->isSiteAdmin($logged_info))
+ {
+ $member_srls = array_filter($member_srls, function($member_srl) use($logged_info) { return $member_srl == $logged_info->member_srl; });
+ if (!count($member_srls))
+ {
+ return;
+ }
+ }
 $oModuleModel = getModel('module');
 $config = $oModuleModel->getModuleConfig('point');
diff --git a/modules/widget/widget.controller.php b/modules/widget/widget.controller.php
index ff39a044d..e5d3e6395 100644
--- a/modules/widget/widget.controller.php
+++ b/modules/widget/widget.controller.php
@@ -105,6 +105,7 @@ class widgetController extends widget
 $oLayoutModel = getModel('layout');
 $layout_info = $oLayoutModel->getLayout($module_srl);
 if(!$layout_info || $layout_info->type != 'faceoff') $err++;
+ // Destination Information Wanted page module
 $oModuleModel = getModel('module');
 $columnList = array('module_srl', 'module');
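Review bot: The closure passed to array_filter compares with loose `==`, so a request token such as `' 7'` (or `'7abc'` under PHP 7's numeric-prefix rule) passes the equality test against $logged_info->member_srl while keeping its original string for whatever query follows the hunk; use `return (int) $member_srl === (int) $logged_info->member_srl;` instead. Both array_unique and array_filter preserve keys, so if the code after the hunk indexes the list positionally (presumably — the rest of the function is outside the hunk) wrap the result in `array_values()`. Separately, `if (!$logged_info->member_srl)` dereferences whatever Context::get('logged_info') returns; if that is null for a guest, as the removed is_logged checks in the widget hunks suggest, the test still short-circuits but emits a property-on-null warning, and `if (!$logged_info || !$logged_info->member_srl)` keeps it quiet. The same applies to the three widget.controller hunks (-112, -166, -207).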
@@ -112,20 +113,19 @@ class widgetController extends widget
 if(!$page_info->module_srl || $page_info->module != 'page') $err++;
 if($err > 1) return new Object(-1,'msg_invalid_request');
+ // Check permissions
- $is_logged = Context::get('is_logged');
 $logged_info = Context::get('logged_info');
- $user_group = $logged_info->group_list;
- $is_admin = false;
- if(count($user_group)&&count($page_info->grants['manager']))
+ if (!$logged_info->member_srl)
 {
- $manager_group = $page_info->grants['manager'];
- foreach($user_group as $group_srl => $group_info)
- {
- if(in_array($group_srl, $manager_group)) $is_admin = true;
- }
+ return new Object(-1,'msg_not_permitted');
 }
- if(!$is_admin && !$is_logged && $logged_info->is_admin != 'Y' && !$oModuleModel->isSiteAdmin($logged_info) && !(is_array($page_info->admin_id) && in_array($logged_info->user_id, $page_info->admin_id))) return new Object(-1,'msg_not_permitted');
+ $module_grant = $oModuleModel->getGrant($page_info, $logged_info);
+ if (!$module_grant->manager)
+ {
+ return new Object(-1,'msg_not_permitted');
+ }
+ // Enter post
 $oDocumentModel = getModel('document');
 $oDocumentController = getController('document');
@@ -145,8 +145,10 @@ class widgetController extends widget
 $output = $oDocumentController->insertDocument($obj);
 $obj->document_srl = $output->get('document_srl');
 }
+ // Stop when an error occurs
 if(!$output->toBool()) return $output;
+ // Return results
 $this->add('document_srl', $obj->document_srl);
 }
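Review bot: getGrant is now the sole gate on inserting the document, but the $page_info it receives was fetched by this function through getModuleInfoByModuleSrl with `$columnList = array('module_srl', 'module')` (visible in the preceding hunk's context), so the object carries none of the module's other columns. Whether getGrant derives the manager flag from module_srl alone — loading the module's grants and admin list itself — or returns an empty grant object when the fields it reads are absent should be confirmed against module.model.php; if the restricted fetch is insufficient, drop $columnList here or add the columns getGrant reads. The -166 hunk uses the same restricted column list, while the -207 hunk fetches without one. The enclosing function starts before this hunk.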
@@ -166,28 +168,28 @@ class widgetController extends widget
 $oDocument = $oDocumentModel->getDocument($document_srl, true);
 if(!$oDocument->isExists()) return new Object(-1,'msg_invalid_request');
 $module_srl = $oDocument->get('module_srl');
+ // Destination Information Wanted page module
 $oModuleModel = getModel('module');
 $columnList = array('module_srl', 'module');
 $page_info = $oModuleModel->getModuleInfoByModuleSrl($module_srl, $columnList);
 if(!$page_info->module_srl || $page_info->module != 'page') return new Object(-1,'msg_invalid_request');
+ // Check permissions
- $is_logged = Context::get('is_logged');
 $logged_info = Context::get('logged_info');
- $user_group = $logged_info->group_list;
- $is_admin = false;
- if(count($user_group)&&count($page_info->grants['manager']))
+ if (!$logged_info->member_srl)
 {
- $manager_group = $page_info->grants['manager'];
- foreach($user_group as $group_srl => $group_info)
- {
- if(in_array($group_srl, $manager_group)) $is_admin = true;
- }
+ return new Object(-1,'msg_not_permitted');
 }
- if(!$is_admin && !$is_logged && $logged_info->is_admin != 'Y' && !$oModuleModel->isSiteAdmin($logged_info) && !(is_array($page_info->admin_id) && in_array($logged_info->user_id, $page_info->admin_id))) return new Object(-1,'msg_not_permitted');
-
+ $module_grant = $oModuleModel->getGrant($page_info, $logged_info);
+ if (!$module_grant->manager)
+ {
+ return new Object(-1,'msg_not_permitted');
+ }
+
 $output = $oDocumentAdminController->copyDocumentModule(array($oDocument->get('document_srl')), $oDocument->get('module_srl'),0);
 if(!$output->toBool()) return $output;
+ // Return results
 $copied_srls = $output->get('copied_srls');
 $this->add('document_srl', $copied_srls[$oDocument->get('document_srl')]);
@@ -207,25 +209,24 @@ class widgetController extends widget
 $oDocument = $oDocumentModel->getDocument($document_srl, true);
 if(!$oDocument->isExists()) return new Object();
 $module_srl = $oDocument->get('module_srl');
+ // Destination Information Wanted page module
 $oModuleModel = getModel('module');
 $page_info = $oModuleModel->getModuleInfoByModuleSrl($module_srl);
 if(!$page_info->module_srl || $page_info->module != 'page') return new Object(-1,'msg_invalid_request');
+ // Check permissions
- $is_logged = Context::get('is_logged');
 $logged_info = Context::get('logged_info');
- $user_group = $logged_info->group_list;
- $is_admin = false;
- if(count($user_group)&&count($page_info->grants['manager']))
+ if (!$logged_info->member_srl)
 {
- $manager_group = $page_info->grants['manager'];
- foreach($user_group as $group_srl => $group_info)
- {
- if(in_array($group_srl, $manager_group)) $is_admin = true;
- }
+ return new Object(-1,'msg_not_permitted');
 }
- if(!$is_admin && !$is_logged && $logged_info->is_admin != 'Y' && !$oModuleModel->isSiteAdmin($logged_info) && !(is_array($page_info->admin_id) && in_array($logged_info->user_id, $page_info->admin_id))) return new Object(-1,'msg_not_permitted');
-
+ $module_grant = $oModuleModel->getGrant($page_info, $logged_info);
+ if (!$module_grant->manager)
+ {
+ return new Object(-1,'msg_not_permitted');
+ }
+
 $output = $oDocumentController->deleteDocument($oDocument->get('document_srl'), true);
 if(!$output->toBool()) return $output;
 }