From ce03006e3f779bdbecd9f10e4763e99d85b62ffa Mon Sep 17 00:00:00 2001
From: BJRambo
Date: Mon, 2 Mar 2020 02:58:44 +0000
Subject: [PATCH] =?UTF-8?q?=EB=B3=B8=EC=9D=B8=EC=9D=98=20=ED=9A=8C?= =?UTF-8?q?=EC=9B=90=20=EC=A0=95=EB=B3=B4=EB=A7=8C=20=EC=A0=80=EC=9E=A5?= =?UTF-8?q?=ED=95=98=EB=8F=84=EB=A1=9D=20=EA=B0=9C=EC=84=A0=ED=95=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
만약 member_srl 를 파라미터로 넘겼을 때 본인이 아닌 경우 차단설정을 조회할 수 있는 문제점이 있다. 이를 막고 조회하지 못하도록 개선
---
 modules/ncenterlite/lang/ko.php | 1 +
 modules/ncenterlite/ncenterlite.view.php | 24 +++++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/modules/ncenterlite/lang/ko.php b/modules/ncenterlite/lang/ko.php
index 8c5377215..015302bdb 100644
--- a/modules/ncenterlite/lang/ko.php
+++ b/modules/ncenterlite/lang/ko.php
@@ -179,3 +179,4 @@ $lang->msg_not_use_user_setting = '유저 세팅을 제공하지 않습니다.
 $lang->msg_denger_rhymix_user = '경고! 라이믹스에서는 코어에 포함된 순정 알림센터를 사용해야 합니다.
XE용 알림센터를 삭제하고, 라이믹스 알림센터를 다시 설치해 주시기 바랍니다.';
 $lang->msg_test_notifycation_success = '테스트알림더미를 정상적으로 생성하였습니다.';
 $lang->msg_unsubscribe_block_not_support = '개별 수신 거부 기능을 제공하지 않습니다. 관리자에게 문의하세요.';
+$lang->msg_unsubscribe_not_permission = '다른 회원의 구독리스트를 조회할 권한이 없습니다.';
diff --git a/modules/ncenterlite/ncenterlite.view.php b/modules/ncenterlite/ncenterlite.view.php
index a7ec81dbe..1e3744674 100644
--- a/modules/ncenterlite/ncenterlite.view.php
+++ b/modules/ncenterlite/ncenterlite.view.php
@@ -71,7 +71,11 @@ class ncenterliteView extends ncenterlite
 Context::set('user_config', $output->data);
 $this->setTemplateFile('userconfig');
 }
-
+
+ /**
+ * Get to unsubscribe list.
+ * @throws \Rhymix\Framework\Exception
+ */
 function dispNcenterliteUnsubscribeList()
 {
 /** @var ncenterliteModel $oNcenterliteModel */
@@ -95,6 +99,11 @@ class ncenterliteView extends ncenterlite
 $member_srl = $this->user->member_srl;
 }
+ if($this->user->is_admin !== 'Y' && $this->user->member_srl != $member_srl)
+ {
+ throw new \Rhymix\Framework\Exception('msg_unsubscribe_not_permission');
+ }
+
 $args = new stdClass();
 $args->page = Context::get('page');
 $args->list_count = '20';
@@ -121,6 +130,16 @@ class ncenterliteView extends ncenterlite
 $member_srl = Context::get('member_srl');
+ if(!$member_srl)
+ {
+ $member_srl = $this->user->member_srl;
+ }
+
+ if($this->user->is_admin !== 'Y' && $member_srl !== $this->user->member_srl)
+ {
+ throw new \Rhymix\Framework\Exception('msg_invalid_request');
+ }
+
 if($unsubscribe_srl)
 {
 $output = $oNcenterliteModel->getUserUnsubscribeConfigByUnsubscribeSrl($unsubscribe_srl);
@@ -130,8 +149,7 @@ class ncenterliteView extends ncenterlite
 $output = $oNcenterliteModel->getUserUnsubscribeConfigByTargetSrl($target_srl, $member_srl);
 }
-
- if((!$target_srl || !$unsubscribe_type) && !$output)
+ if((!$target_srl || !$unsubscribe_type) && empty($output))
 {
 throw new Rhymix\Framework\Exceptions\InvalidRequest;
 }
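Review bot: The new docblock on `dispNcenterliteUnsubscribeList()` says nothing about the access rule this commit introduces, which is the one thing a caller of this view needs to know; "Get to unsubscribe list." is also not a sentence. Suggest replacing the summary line with `* Display the unsubscribe list of the current member; only administrators may pass member_srl to view another member's list.` and making the `@throws` line say why: `* @throws \Rhymix\Framework\Exception when a non-admin requests another member's list`. The function body continues past the end of this hunk.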
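Review bot: The ownership gate added here compares with loose `!=`, while the equivalent gate added later in this file compares with strict `!==`; the two will behave differently if `$member_srl` arrives as a string from the request (presumably via `Context::get`, as in the later hunk — the assignment itself sits above this hunk) and `$this->user->member_srl` is an integer. The loose form is the one that works in that case, but it is worth making the intent explicit and keeping both checks identical: `if($this->user->is_admin !== 'Y' && (int)$member_srl !== (int)$this->user->member_srl)`. Both the start and the end of `dispNcenterliteUnsubscribeList()` lie outside this hunk.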
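Review bot: The new `$member_srl` gate does not cover the `if($unsubscribe_srl)` branch just below it, because `getUserUnsubscribeConfigByUnsubscribeSrl($unsubscribe_srl)` is called with the srl alone, so a non-admin who supplies another member's `unsubscribe_srl` still reaches that record with this check passing on their own `member_srl`. The fetched row should be checked against the session after the lookup; assuming the row carries a `member_srl` column, as the `getUserUnsubscribeConfigByTargetSrl($target_srl, $member_srl)` lookup in the next hunk suggests: `if($this->user->is_admin !== 'Y' && (int)($output->data->member_srl ?? 0) !== (int)$this->user->member_srl) { throw new \Rhymix\Framework\Exception('msg_invalid_request'); }`. Separately, the strict `$member_srl !== $this->user->member_srl` on the line above will reject a member's own srl whenever `Context::get('member_srl')` yields a string and the session value is an int; cast both sides to `(int)` as in the snippet. This function begins and ends outside the hunk.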
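Review bot: Replacing `!$output` with `empty($output)` on the rewritten `if` line changes nothing, since `empty()` on a variable holding an object is false exactly when `!$output` is; and if the model methods return a result object rather than null (the `$output->data` usage in the first hunk points that way), the variable is always truthy and the `InvalidRequest` never fires for a record that was not found. The guard should look at the payload instead, e.g. `if((!$target_srl || !$unsubscribe_type) && empty($output->data))`, or at the result's success flag if the object exposes one. The function continues after this hunk, so whatever is done with `$output` below should be checked against the same condition.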