From c7052f57696193f27b8156e4fc5ca461d6bf8c71 Mon Sep 17 00:00:00 2001
From: bnu
Date: Wed, 3 Sep 2014 16:40:36 +0900
Subject: [PATCH] =?UTF-8?q?SECISSUE=20fix=20#953=20=EB=AA=A8=EB=93=88=20?= =?UTF-8?q?=EA=B4=80=EB=A6=AC=EC=9E=90=EA=B0=80=20=ED=97=88=EC=9A=A9?= =?UTF-8?q?=EB=90=98=EC=A7=80=20=EC=95=8A=EC=9D=80=20=ED=8E=98=EC=9D=B4?= =?UTF-8?q?=EC=A7=80=EC=97=90=20=EC=A0=91=EA=B7=BC=ED=95=A0=20=EC=88=98=20?= =?UTF-8?q?=EC=9E=88=EB=8A=94=20=EB=AC=B8=EC=A0=9C=20=EA=B3=A0=EC=B9=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
classes/module/ModuleHandler.class.php | 15 ++++++++++++++-
modules/module/module.model.php | 2 +-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/classes/module/ModuleHandler.class.php b/classes/module/ModuleHandler.class.php
index 75cf81bc1..40fe7039b 100644
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -577,7 +577,7 @@ class ModuleHandler extends Handler
 if($kind == 'admin')
 {
 $grant = $oModuleModel->getGrant($this->module_info, $logged_info);
- if(!$grant->is_admin && !$grant->manager)
+ if(!$grant->manager)
 {
 $this->_setInputErrorToContext();
 $this->error = 'msg_is_not_manager';
@@ -587,6 +587,19 @@ class ModuleHandler extends Handler
 $oMessageObject->dispMessage();
 return $oMessageObject;
 }
+ else
+ {
+ if(!$grant->is_admin && $this->module != $this->orig_module->module && $xml_info->permission->{$this->act} != 'manager')
+ {
+ $this->_setInputErrorToContext();
+ $this->error = 'msg_is_not_administrator';
+ $oMessageObject = ModuleHandler::getModuleInstance('message', 'view');
+ $oMessageObject->setError(-1);
+ $oMessageObject->setMessage($this->error);
+ $oMessageObject->dispMessage();
+ return $oMessageObject;
+ }
+ }
 }
 }
 else if($xml_info->default_index_act && method_exists($oModule, $xml_info->default_index_act))
diff --git a/modules/module/module.model.php b/modules/module/module.model.php
index e958b0bd3..cf9e509c7 100644
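Review bot: Dropping `!$grant->is_admin` from the manager gate means a site administrator now passes this check only if getGrant() also marks them `manager`; the comment in module.model.php ("If not an administrator ... grant manager privilege") suggests it does, but that code is outside this patch, so the dependency is invisible at the call site. A one-line comment above the condition would pin the contract: `// getGrant() sets manager for site admins too; is_admin alone is no longer sufficient here`. The enclosing method starts and ends outside the hunk.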
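Review bot: The new cross-module check in the else branch compares the act's permission with loose `!=`, and when the act has no entry in `$xml_info->permission` the lookup presumably yields null (with a notice) and the request is denied — that is the right default, but nothing says so, and the reason the restriction applies only when `$this->module != $this->orig_module->module` is also undocumented. Suggest `$xml_info->permission->{$this->act} !== 'manager'` for the literal comparison and a comment such as `// a module manager (not site admin) may only reach another module's admin acts that are explicitly marked permission="manager"; a missing entry is denied`. The seven lines that build the message object duplicate the block directly above; worth noting as a style point, since any future change to the error flow has to be made twice. The enclosing method continues outside the hunk.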
--- a/modules/module/module.model.php
+++ b/modules/module/module.model.php
@@ -2010,7 +2010,7 @@ class moduleModel extends module
 $args->module_srl = $module_srl;
 $args->member_srl = $member_info->member_srl;
 $output = executeQuery('module.getModuleAdmin',$args);
- if($output->data && $output->data->member_srl == $member_info->member_srl) $grant->manager = $grant->is_admin = true;
+ if($output->data && $output->data->member_srl == $member_info->member_srl) $grant->manager = true;
 }
 // If not an administrator, get information from the DB and grant manager privilege.
 if(!$grant->manager)
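Review bot: The changed line now grants a module admin only `manager`, reserving `is_admin` for site-wide administrators, yet nothing in the hunk records that distinction, so the original coupling could easily be reintroduced; suggest a comment on the line: `// module admin: manager only — must never imply site-wide is_admin (#953)`. The `==` on member_srl is presumably fine for numeric values coming back from the query, but `(int)` casts on both sides would make the intent explicit. The enclosing method starts and ends outside the hunk.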