fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-11 04:52:14 +09:00
Code Issues Projects Releases Packages Wiki Activity

SECISSUE fix #953 모듈 관리자가 허용되지 않은 페이지에 접근할 수 있는 문제 고침

Browse source
This commit is contained in:
bnu 2014-09-03 16:40:36 +09:00
parent 887df6bc93
commit c7052f5769
2 changed files with 15 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

15
classes/module/ModuleHandler.class.php
View file

@ -577,7 +577,7 @@ class ModuleHandler extends Handler
if($kind == 'admin') if($kind == 'admin')
{ {
$grant = $oModuleModel->getGrant($this->module_info, $logged_info); $grant = $oModuleModel->getGrant($this->module_info, $logged_info);
if(!$grant->is_admin && !$grant->manager) if(!$grant->manager)
{ {
$this->_setInputErrorToContext(); $this->_setInputErrorToContext();
$this->error = 'msg_is_not_manager'; $this->error = 'msg_is_not_manager';
@ -587,6 +587,19 @@ class ModuleHandler extends Handler
$oMessageObject->dispMessage(); $oMessageObject->dispMessage();
return $oMessageObject; return $oMessageObject;
} }
else
{
if(!$grant->is_admin && $this->module != $this->orig_module->module && $xml_info->permission->{$this->act} != 'manager')
{
$this->_setInputErrorToContext();
$this->error = 'msg_is_not_administrator';
$oMessageObject = ModuleHandler::getModuleInstance('message', 'view');
$oMessageObject->setError(-1);
$oMessageObject->setMessage($this->error);
$oMessageObject->dispMessage();
return $oMessageObject;
}
}
} }
} }
else if($xml_info->default_index_act && method_exists($oModule, $xml_info->default_index_act)) else if($xml_info->default_index_act && method_exists($oModule, $xml_info->default_index_act))

2
modules/module/module.model.php
View file

@ -2010,7 +2010,7 @@ class moduleModel extends module
$args->module_srl = $module_srl; $args->module_srl = $module_srl;
$args->member_srl = $member_info->member_srl; $args->member_srl = $member_info->member_srl;
$output = executeQuery('module.getModuleAdmin',$args); $output = executeQuery('module.getModuleAdmin',$args);
if($output->data && $output->data->member_srl == $member_info->member_srl) $grant->manager = $grant->is_admin = true; if($output->data && $output->data->member_srl == $member_info->member_srl) $grant->manager = true;
} }
// If not an administrator, get information from the DB and grant manager privilege. // If not an administrator, get information from the DB and grant manager privilege.
if(!$grant->manager) if(!$grant->manager)