From da73eb742783cd60a329b4292a74ed70fe7be234 Mon Sep 17 00:00:00 2001 From: Kijin Sung Date: Fri, 3 Jul 2020 15:47:52 +0900 Subject: [PATCH] Use static method calls and consistent permission checks throughout the Board module --- modules/board/board.admin.view.php | 6 +- modules/board/board.controller.php | 82 ++++++------- modules/board/board.model.php | 17 +-- modules/board/board.view.php | 147 +++++++++-------------- modules/comment/comment.controller.php | 73 ++++++----- modules/document/document.controller.php | 59 +++++---- 6 files changed, 181 insertions(+), 203 deletions(-) diff --git a/modules/board/board.admin.view.php b/modules/board/board.admin.view.php index 75cf3ce11..08fc83251 100644 --- a/modules/board/board.admin.view.php +++ b/modules/board/board.admin.view.php @@ -168,14 +168,12 @@ class boardAdminView extends board { $documentStatusList = $oDocumentModel->getStatusNameList(); Context::set('document_status_list', $documentStatusList); - $oBoardModel = getModel('board'); - // setup the extra vaiables - $extra_vars = $oBoardModel->getDefaultListConfig($this->module_info->module_srl); + $extra_vars = BoardModel::getDefaultListConfig($this->module_info->module_srl); Context::set('extra_vars', $extra_vars); // setup the list config (install the default value if there is no list config) - Context::set('list_config', $oBoardModel->getListConfig($this->module_info->module_srl)); + Context::set('list_config', BoardModel::getListConfig($this->module_info->module_srl)); // setup extra_order_target $module_extra_vars = $oDocumentModel->getExtraKeys($this->module_info->module_srl); diff --git a/modules/board/board.controller.php b/modules/board/board.controller.php index 981f38451..c28ef4531 100644 --- a/modules/board/board.controller.php +++ b/modules/board/board.controller.php 
@@ -57,21 +57,20 @@ class boardController extends board $obj->is_admin = 'Y'; } - $oDocumentModel = getModel('document'); $oDocumentController = getController('document'); - $_SECRET = $oDocumentModel->getConfigStatus('secret'); + $secret_status = DocumentModel::getConfigStatus('secret'); $use_status = explode('|@|', $this->module_info->use_status); // Set status - if(($obj->is_secret == 'Y' || $obj->status == $_SECRET) && is_array($use_status) && in_array($_SECRET, $use_status)) + if(($obj->is_secret == 'Y' || $obj->status == $secret_status) && is_array($use_status) && in_array($secret_status, $use_status)) { - $obj->status = $_SECRET; + $obj->status = $secret_status; } else { unset($obj->is_secret); - $obj->status = $oDocumentModel->getConfigStatus('public'); + $obj->status = DocumentModel::getConfigStatus('public'); } // Set update log @@ -102,7 +101,7 @@ class boardController extends board } // Update if the document already exists. - $oDocument = $oDocumentModel->getDocument($obj->document_srl, $this->grant->manager); + $oDocument = DocumentModel::getDocument($obj->document_srl, $this->grant->manager); if($oDocument->isExists()) { if(!$oDocument->isGranted()) @@ -111,14 +110,14 @@ class boardController extends board } // Protect admin document - $member_info = getModel('member')->getMemberInfoByMemberSrl($oDocument->get('member_srl')); + $member_info = MemberModel::getMemberInfo($oDocument->get('member_srl')); if($member_info->is_admin == 'Y' && $logged_info->is_admin != 'Y') { throw new Rhymix\Framework\Exception('msg_admin_document_no_modify'); } // if document status is temp - if($oDocument->get('status') == $oDocumentModel->getConfigStatus('temp')) + if($oDocument->get('status') == DocumentModel::getConfigStatus('temp')) { // if use anonymous, set the member_srl to a negative number if($this->module_info->use_anonymous == 'Y') 
@@ -188,7 +187,7 @@ class boardController extends board if ($output->toBool()) { // Set grant for the new document. - $oDocument = $oDocumentModel->getDocument($output->get('document_srl')); + $oDocument = DocumentModel::getDocument($output->get('document_srl')); $oDocument->setGrantForSession(); // send an email to admin user @@ -240,13 +239,12 @@ class boardController extends board throw new Rhymix\Framework\Exception('msg_no_update_id'); } - $oDocumentModel = getModel('document'); $oDocumentController = getController('document'); - $update_log = $oDocumentModel->getUpdateLog($update_id); + $update_log = DocumentModel::getUpdateLog($update_id); if($logged_info->is_admin != 'Y') { - $Exists_log = $oDocumentModel->getUpdateLogAdminisExists($update_log->document_srl); + $Exists_log = DocumentModel::getUpdateLogAdminisExists($update_log->document_srl); if($Exists_log === true) { throw new Rhymix\Framework\Exception('msg_admin_update_log'); @@ -258,7 +256,7 @@ class boardController extends board throw new Rhymix\Framework\Exception('msg_no_update_log'); } - $oDocument = $oDocumentModel->getDocument($update_log->document_srl); + $oDocument = DocumentModel::getDocument($update_log->document_srl); $obj = new stdClass(); $obj->title = $update_log->title; $obj->document_srl = $update_log->document_srl; @@ -287,8 +285,7 @@ class boardController extends board throw new Rhymix\Framework\Exception('msg_invalid_document'); } - $oDocumentModel = &getModel('document'); - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); // check protect content if($this->module_info->protect_content == 'Y' || $this->module_info->protect_delete_content == 'Y') { 
@@ -396,8 +393,7 @@ class boardController extends board } // check if the doument is existed - $oDocumentModel = getModel('document'); - $oDocument = $oDocumentModel->getDocument($obj->document_srl); + $oDocument = DocumentModel::getDocument($obj->document_srl); if(!$oDocument->isExists()) { throw new Rhymix\Framework\Exceptions\TargetNotFound; @@ -418,9 +414,6 @@ class boardController extends board $manual = false; } - // generate comment module model object - $oCommentModel = getModel('comment'); - // generate comment module controller object $oCommentController = getController('comment'); @@ -432,10 +425,10 @@ class boardController extends board } else { - $comment = $oCommentModel->getComment($obj->comment_srl, $this->grant->manager); + $comment = CommentModel::getComment($obj->comment_srl, $this->grant->manager); if($this->module_info->protect_update_comment === 'Y' && $this->grant->manager == false) { - $childs = $oCommentModel->getChildComments($obj->comment_srl); + $childs = CommentModel::getChildComments($obj->comment_srl); if(count($childs) > 0) { throw new Rhymix\Framework\Exception('msg_board_update_protect_comment'); @@ -443,9 +436,7 @@ class boardController extends board } } - $oMemberModel = getModel('member'); - $member_info = $oMemberModel->getMemberInfoByMemberSrl($comment->member_srl); - + $member_info = MemberModel::getMemberInfo($comment->member_srl); if($member_info->is_admin == 'Y' && $logged_info->is_admin != 'Y') { throw new Rhymix\Framework\Exception('msg_admin_comment_no_modify'); @@ -460,7 +451,7 @@ class boardController extends board // Parent exists. if($obj->parent_srl) { - $parent_comment = $oCommentModel->getComment($obj->parent_srl); + $parent_comment = CommentModel::getComment($obj->parent_srl); if(!$parent_comment->comment_srl) { throw new Rhymix\Framework\Exceptions\TargetNotFound; 
@@ -479,7 +470,7 @@ class boardController extends board // Set grant for the new comment. if ($output->toBool()) { - $comment = $oCommentModel->getComment($output->get('comment_srl')); + $comment = CommentModel::getComment($output->get('comment_srl')); $comment->setGrantForSession(); } } @@ -523,6 +514,10 @@ class boardController extends board { // get the comment_srl $comment_srl = Context::get('comment_srl'); + if(!$comment_srl) + { + throw new Rhymix\Framework\Exceptions\InvalidRequest; + } $instant_delete = null; if($this->grant->manager == true) @@ -530,22 +525,25 @@ class boardController extends board $instant_delete = Context::get('instant_delete'); } - if(!$comment_srl) + $comment = CommentModel::getComment($comment_srl, $this->grant->manager); + if(!$comment->isExists()) { - throw new Rhymix\Framework\Exceptions\InvalidRequest; + throw new Rhymix\Framework\Exceptions\TargetNotFound; } - - $oCommentModel = getModel('comment'); - + if(!$comment->isGranted()) + { + throw new Rhymix\Framework\Exceptions\NotPermitted; + } + + $childs = null; if($this->module_info->protect_delete_comment === 'Y' && $this->grant->manager == false) { - $childs = $oCommentModel->getChildComments($comment_srl); + $childs = CommentModel::getChildComments($comment_srl); if(count($childs) > 0) { throw new Rhymix\Framework\Exception('msg_board_delete_protect_comment'); } } - $comment = $oCommentModel->getComment($comment_srl, $this->grant->manager); if($this->module_info->protect_comment_regdate > 0 && $this->grant->manager == false) { if($comment->get('regdate') < date('YmdHis', strtotime('-'.$this->module_info->protect_document_regdate.' day'))) 
@@ -570,7 +568,7 @@ class boardController extends board } elseif(starts_with('only_comm', $this->module_info->comment_delete_message) && $instant_delete != 'Y') { - $childs = $oCommentModel->getChildComments($comment_srl); + $childs = ($childs !== null) ? $childs : CommentModel::getChildComments($comment_srl); if(count($childs) > 0) { $output = $oCommentController->updateCommentByDelete($comment, $this->grant->manager); @@ -654,21 +652,18 @@ class boardController extends board $document_srl = Context::get('document_srl'); $comment_srl = Context::get('comment_srl'); - $oMemberModel = getModel('member'); - // if the comment exists if($comment_srl) { // get the comment information - $oCommentModel = getModel('comment'); - $oComment = $oCommentModel->getComment($comment_srl); + $oComment = CommentModel::getComment($comment_srl); if(!$oComment->isExists()) { throw new Rhymix\Framework\Exceptions\TargetNotFound; } // compare the comment password and the user input password - if(!$oMemberModel->isValidPassword($oComment->get('password'),$password)) + if(!MemberModel::isValidPassword($oComment->get('password'), $password)) { throw new Rhymix\Framework\Exception('msg_invalid_password'); } @@ -676,15 +671,14 @@ class boardController extends board $oComment->setGrantForSession(); } else { // get the document information - $oDocumentModel = getModel('document'); - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); if(!$oDocument->isExists()) { throw new Rhymix\Framework\Exceptions\TargetNotFound; } // compare the document password and the user input password - if(!$oMemberModel->isValidPassword($oDocument->get('password'),$password)) + if(!MemberModel::isValidPassword($oDocument->get('password'), $password)) { throw new Rhymix\Framework\Exception('msg_invalid_password'); } 
@@ -704,7 +698,7 @@ class boardController extends board } // get the module information - $module_info = getModel('module')->getModuleInfoByMid($mid); + $module_info = ModuleModel::getModuleInfoByMid($mid); if(empty($module_info->module) || $module_info->module !== 'board' || $module_info->use_anonymous === 'Y') { return; diff --git a/modules/board/board.model.php b/modules/board/board.model.php index ef2fa52d3..962f05542 100644 --- a/modules/board/board.model.php +++ b/modules/board/board.model.php @@ -18,20 +18,17 @@ class boardModel extends module /** * @brief get the list configuration **/ - function getListConfig($module_srl) + public static function getListConfig($module_srl) { - $oModuleModel = getModel('module'); - $oDocumentModel = getModel('document'); - // get the list config value, if it is not exitsted then setup the default value - $list_config = $oModuleModel->getModulePartConfig('board', $module_srl); + $list_config = ModuleModel::getModulePartConfig('board', $module_srl); if(!is_array($list_config) || count($list_config) <= 0) { $list_config = array('no', 'title', 'nick_name','regdate','readed_count'); } // get the extra variables - $inserted_extra_vars = $oDocumentModel->getExtraKeys($module_srl); + $inserted_extra_vars = DocumentModel::getExtraKeys($module_srl); foreach($list_config as $key) { @@ -57,7 +54,7 @@ class boardModel extends module /** * @brief return the default list configration value **/ - function getDefaultListConfig($module_srl) + public static function getDefaultListConfig($module_srl) { // add virtual srl, title, registered date, update date, nickname, ID, name, readed count, voted count etc. $virtual_vars = array( 'no', 'title', 'regdate', 'last_update', 'last_post', 'nick_name', 
@@ -68,9 +65,7 @@ class boardModel extends module } // get the extra variables from the document model - $oDocumentModel = getModel('document'); - $inserted_extra_vars = $oDocumentModel->getExtraKeys($module_srl); - + $inserted_extra_vars = DocumentModel::getExtraKeys($module_srl); if(count($inserted_extra_vars)) { foreach($inserted_extra_vars as $obj) @@ -86,7 +81,7 @@ class boardModel extends module /** * @brief return module name in sitemap **/ - function triggerModuleListInSitemap(&$obj) + public function triggerModuleListInSitemap(&$obj) { array_push($obj, 'board'); } diff --git a/modules/board/board.view.php b/modules/board/board.view.php index 183ed018e..23a53ea08 100644 --- a/modules/board/board.view.php +++ b/modules/board/board.view.php @@ -38,16 +38,14 @@ class boardView extends board $this->except_notice = $this->module_info->except_notice == 'N' ? FALSE : TRUE; // $this->_getStatusNameListecret option backward compatibility - $oDocumentModel = getModel('document'); - - $statusList = $this->_getStatusNameList($oDocumentModel); + $statusList = $this->_getStatusNameList(); if(isset($statusList['SECRET'])) { $this->module_info->secret = 'Y'; } // use_category <=1.5.x, hide_category >=1.7.x - $count_category = count($oDocumentModel->getCategoryList($this->module_info->module_srl)); + $count_category = count(DocumentModel::getCategoryList($this->module_info->module_srl)); if($count_category) { if($this->module_info->hide_category) @@ -93,8 +91,7 @@ class boardView extends board /** * use context::set to setup extra variables **/ - $oDocumentModel = getModel('document'); - $extra_keys = $oDocumentModel->getExtraKeys($this->module_info->module_srl); + $extra_keys = DocumentModel::getExtraKeys($this->module_info->module_srl); Context::set('extra_keys', $extra_keys); /** 
@@ -158,7 +155,7 @@ class boardView extends board } } // remove a search option that is not public in member config - $memberConfig = getModel('module')->getModuleConfig('member'); + $memberConfig = ModuleModel::getModuleConfig('member'); foreach($memberConfig->signupForm as $signupFormElement) { if(in_array($signupFormElement->title, $search_option)) @@ -171,8 +168,7 @@ class boardView extends board } Context::set('search_option', $search_option); - $oDocumentModel = getModel('document'); - $statusNameList = $this->_getStatusNameList($oDocumentModel); + $statusNameList = $this->_getStatusNameList(); if(count($statusNameList) > 0) { Context::set('status_list', $statusNameList); @@ -182,8 +178,7 @@ class boardView extends board $this->dispBoardContentView(); // list config, columnList setting - $oBoardModel = getModel('board'); - $this->listConfig = $oBoardModel->getListConfig($this->module_info->module_srl); + $this->listConfig = BoardModel::getListConfig($this->module_info->module_srl); if(!$this->listConfig) $this->listConfig = array(); $this->_makeListColumnList(); @@ -219,8 +214,7 @@ class boardView extends board return; } - $oDocumentModel = getModel('document'); - Context::set('category_list', $oDocumentModel->getCategoryList($this->module_srl)); + Context::set('category_list', DocumentModel::getCategoryList($this->module_srl)); $oSecurity = new Security(); $oSecurity->encodeHTML('category_list.', 'category_list.childs.'); @@ -235,15 +229,12 @@ class boardView extends board $document_srl = Context::get('document_srl'); $page = Context::get('page'); - // generate document model object - $oDocumentModel = getModel('document'); - /** * if the document exists, then get the document information **/ if($document_srl) { - $oDocument = $oDocumentModel->getDocument($document_srl, false, true); + $oDocument = DocumentModel::getDocument($document_srl, false, true); // if the document is existed if($oDocument->isExists()) 
@@ -263,7 +254,7 @@ class boardView extends board $logged_info = Context::get('logged_info'); if(abs($oDocument->get('member_srl')) != $logged_info->member_srl) { - $oDocument = $oDocumentModel->getDocument(0); + $oDocument = DocumentModel::getDocument(0); } } @@ -272,7 +263,7 @@ class boardView extends board { if(!$oDocument->isGranted()) { - $oDocument = $oDocumentModel->getDocument(0); + $oDocument = DocumentModel::getDocument(0); } } @@ -290,7 +281,7 @@ class boardView extends board } else { - $oDocument = $oDocumentModel->getDocument(0); + $oDocument = DocumentModel::getDocument(0); } /** @@ -300,7 +291,7 @@ class boardView extends board { if(!$this->grant->view && !$oDocument->isGranted()) { - $oDocument = $oDocumentModel->getDocument(0); + $oDocument = DocumentModel::getDocument(0); Context::set('document_srl','',true); $this->alertMessage('msg_not_permitted', 403); } @@ -360,8 +351,7 @@ class boardView extends board // Check if a permission for file download is granted // Get configurations (using module model object) - $oModuleModel = getModel('module'); - $file_module_config = $oModuleModel->getModulePartConfig('file',$this->module_srl); + $file_module_config = ModuleModel::getModulePartConfig('file',$this->module_srl); $downloadGrantCount = 0; if(is_array($file_module_config->download_grant)) 
@@ -380,14 +370,12 @@ class boardView extends board $logged_info = Context::get('logged_info'); if($logged_info->is_admin != 'Y') { - $oModuleModel =& getModel('module'); $columnList = array('module_srl', 'site_srl'); - $module_info = $oModuleModel->getModuleInfoByModuleSrl($this->module_srl, $columnList); + $module_info = ModuleModel::getModuleInfoByModuleSrl($this->module_srl, $columnList); - if(!$oModuleModel->isSiteAdmin($logged_info, $module_info->site_srl)) + if(!ModuleModel::isSiteAdmin($logged_info, $module_info->site_srl)) { - $oMemberModel =& getModel('member'); - $member_groups = $oMemberModel->getMemberGroups($logged_info->member_srl, $module_info->site_srl); + $member_groups = MemberModel::getMemberGroups($logged_info->member_srl, $module_info->site_srl); $is_permitted = false; for($i=0;$idownload_grant);$i++) @@ -407,9 +395,8 @@ class boardView extends board } } - $oDocumentModel = getModel('document'); $document_srl = Context::get('document_srl'); - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); Context::set('oDocument', $oDocument); Context::set('file_list',$oDocument->getUploadedFiles()); @@ -424,9 +411,8 @@ class boardView extends board // check document view grant $this->dispBoardContentView(); - $oDocumentModel = getModel('document'); $document_srl = Context::get('document_srl'); - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); $comment_list = $oDocument->getComments(); // setup the comment list @@ -455,10 +441,9 @@ class boardView extends board return; } - $oDocumentModel = getModel('document'); $args = new stdClass(); $args->module_srl = $this->module_srl; - $notice_output = $oDocumentModel->getNoticeList($args, $this->columnList); + $notice_output = DocumentModel::getNoticeList($args, $this->columnList); Context::set('notice_list', $notice_output->data); } 
@@ -477,8 +462,6 @@ class boardView extends board return; } - $oDocumentModel = getModel('document'); - // setup module_srl/page number/ list number/ page count $args = new stdClass(); $args->module_srl = $this->module_srl; @@ -534,7 +517,7 @@ class boardView extends board } elseif(!$args->page && $document_srl) { - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); if($oDocument->isExists() && !$oDocument->isNotice()) { $days = $this->module_info->skip_bottom_list_days ?: 30; @@ -544,7 +527,7 @@ class boardView extends board } else { - $args->page = $oDocumentModel->getDocumentPage($oDocument, $args); + $args->page = DocumentModel::getDocumentPage($oDocument, $args); Context::set('page', $args->page); } } @@ -575,7 +558,7 @@ class boardView extends board Context::set('list_config', $this->listConfig); // setup document list variables on context - $output = $oDocumentModel->getDocumentList($args, $this->except_notice, TRUE, $this->columnList); + $output = DocumentModel::getDocumentList($args, $this->except_notice, TRUE, $this->columnList); Context::set('document_list', $output->data); Context::set('total_count', $output->total_count); Context::set('total_page', $output->total_page); @@ -690,7 +673,7 @@ class boardView extends board throw new Rhymix\Framework\Exceptions\NotPermitted; } - $oDocument = getModel('document')->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); if(!$oDocument->isExists()) { throw new Rhymix\Framework\Exceptions\TargetNotFound; @@ -713,9 +696,6 @@ class boardView extends board return $this->dispBoardMessage('msg_not_permitted'); } - $oDocumentModel = getModel('document'); - $logged_info = Context::get('logged_info'); - /** * check if the category option is enabled not not **/ 
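Review bot: Removing `$logged_info = Context::get('logged_info');` at the top of dispBoardWrite leaves any `$logged_info` read in the stretches of the function not covered by the later hunks pointing at an undefined variable; the -724 and -801 hunks switch their own uses to `$this->user`, but the code between them is not visible here. Worth grepping the rest of dispBoardWrite for `$logged_info` before merging. dispBoardWrite starts and ends outside this hunk.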
@@ -724,7 +704,7 @@ class boardView extends board // get the user group information if(Context::get('is_logged')) { - $group_srls = array_keys($logged_info->group_list); + $group_srls = array_keys($this->user->group_list); } else { @@ -734,7 +714,7 @@ class boardView extends board // check the grant after obtained the category list $category_list = array(); - $normal_category_list = $oDocumentModel->getCategoryList($this->module_srl); + $normal_category_list = DocumentModel::getCategoryList($this->module_srl); if(count($normal_category_list)) { foreach($normal_category_list as $category_srl => $category) @@ -773,11 +753,10 @@ class boardView extends board // GET parameter document_srl from request $document_srl = Context::get('document_srl'); - $oDocument = $oDocumentModel->getDocument(0, $this->grant->manager); + $oDocument = DocumentModel::getDocument(0, $this->grant->manager); $oDocument->setDocument($document_srl); - $oMemberModel = getModel('member'); - $member_info = $oMemberModel->getMemberInfoByMemberSrl($oDocument->get('member_srl')); + $member_info = MemberModel::getMemberInfo($oDocument->get('member_srl')); if($oDocument->get('module_srl') == $oDocument->get('member_srl')) $savedDoc = TRUE; $oDocument->add('module_srl', $this->module_srl); @@ -801,13 +780,12 @@ class boardView extends board } } } - if($member_info->is_admin == 'Y' && $logged_info->is_admin != 'Y') + if($member_info->is_admin == 'Y' && $this->user->is_admin != 'Y') { throw new Rhymix\Framework\Exception('msg_admin_document_no_modify'); } // if the document is not granted, then back to the password input form - $oModuleModel = getModel('module'); if($oDocument->isExists() && !$oDocument->isGranted()) { return $this->setTemplateFile('input_password_form'); 
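Review bot: `if(Context::get('is_logged'))` is kept as the branch condition while its body now reads `$this->user->group_list`, so the login state and the user object come from two different sources. The -824 hunk in the same function already uses `$this->user->isMember()`, and `if($this->user->isMember())` here would keep the two in step. dispBoardWrite starts and ends outside this hunk.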
@@ -815,7 +793,7 @@ class boardView extends board if(!$oDocument->isExists()) { - $point_config = $oModuleModel->getModulePartConfig('point',$this->module_srl); + $point_config = ModuleModel::getModulePartConfig('point',$this->module_srl); if ($point_config) { $pointForInsert = is_object($point_config) ? $point_config->insert_document : $point_config["insert_document"]; @@ -824,23 +802,22 @@ class boardView extends board { $pointForInsert = 0; } - $logged_info = Context::get('logged_info'); if($pointForInsert < 0) { - if(!Context::get('is_logged')) + if(!$this->user->isMember()) { return $this->dispBoardMessage('msg_not_permitted'); } - else if((getModel('point')->getPoint($logged_info->member_srl) + $pointForInsert) < 0) + else if((getModel('point')->getPoint($this->user->member_srl) + $pointForInsert) < 0) { return $this->dispBoardMessage('msg_not_enough_point'); } } } - if(!$oDocument->get('status')) $oDocument->add('status', $oDocumentModel->getDefaultStatus()); + if(!$oDocument->get('status')) $oDocument->add('status', DocumentModel::getDefaultStatus()); - $statusList = $this->_getStatusNameList($oDocumentModel); + $statusList = $this->_getStatusNameList(); if(count($statusList) > 0) Context::set('status_list', $statusList); // get Document status config value @@ -872,12 +849,12 @@ class boardView extends board $this->setTemplateFile('write_form'); } - function _getStatusNameList(&$oDocumentModel) + function _getStatusNameList() { $resultList = array(); if(!empty($this->module_info->use_status)) { - $statusNameList = $oDocumentModel->getStatusNameList(); + $statusNameList = DocumentModel::getStatusNameList(); $statusList = explode('|@|', $this->module_info->use_status); if(is_array($statusList)) 
@@ -908,8 +885,7 @@ class boardView extends board // if document exists, get the document information if($document_srl) { - $oDocumentModel = getModel('document'); - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); } // if the document is not existed, then back to the board content page @@ -966,8 +942,7 @@ class boardView extends board } // get the document information - $oDocumentModel = getModel('document'); - $oDocument = $oDocumentModel->getDocument($document_srl); + $oDocument = DocumentModel::getDocument($document_srl); if(!$oDocument->isExists()) { return $this->dispBoardMessage('msg_not_founded'); @@ -980,8 +955,7 @@ class boardView extends board } // obtain the comment (create an empty comment document for comment_form usage) - $oCommentModel = getModel('comment'); - $oSourceComment = $oComment = $oCommentModel->getComment(0); + $oSourceComment = $oComment = CommentModel::getComment(0); $oComment->add('document_srl', $document_srl); $oComment->add('module_srl', $this->module_srl); @@ -1019,8 +993,7 @@ class boardView extends board } // get the comment - $oCommentModel = getModel('comment'); - $oSourceComment = $oCommentModel->getComment($parent_srl, $this->grant->manager); + $oSourceComment = CommentModel::getComment($parent_srl, $this->grant->manager); // if the comment is not existed, opoup an error message if(!$oSourceComment->isExists()) 
@@ -1033,15 +1006,14 @@ class boardView extends board } // Check allow comment - $oDocumentModel = getModel('document'); - $oDocument = $oDocumentModel->getDocument($oSourceComment->get('document_srl')); + $oDocument = DocumentModel::getDocument($oSourceComment->get('document_srl')); if(!$oDocument->allowComment()) { return $this->dispBoardMessage('msg_not_allow_comment'); } // get the comment information - $oComment = $oCommentModel->getComment(); + $oComment = CommentModel::getComment(); $oComment->add('parent_srl', $parent_srl); $oComment->add('document_srl', $oSourceComment->get('document_srl')); @@ -1081,11 +1053,9 @@ class boardView extends board } // get comment information - $oCommentModel = getModel('comment'); - $oComment = $oCommentModel->getComment($comment_srl, $this->grant->manager); + $oComment = CommentModel::getComment($comment_srl, $this->grant->manager); - $oMemberModel = getModel('member'); - $member_info = $oMemberModel->getMemberInfoByMemberSrl($oComment->member_srl); + $member_info = MemberModel::getMemberInfo($oComment->member_srl); if($this->module_info->protect_comment_regdate > 0 && $this->grant->manager == false) { if($oComment->get('regdate') < date('YmdHis', strtotime('-'.$this->module_info->protect_document_regdate.' day'))) @@ -1097,7 +1067,7 @@ class boardView extends board } if($this->module_info->protect_update_comment === 'Y' && $this->grant->manager == false) { - $childs = $oCommentModel->getChildComments($comment_srl); + $childs = CommentModel::getChildComments($comment_srl); if(count($childs) > 0) { throw new Rhymix\Framework\Exception('msg_board_update_protect_comment'); @@ -1122,7 +1092,7 @@ class boardView extends board } // setup the comment variables on context - Context::set('oSourceComment', $oCommentModel->getComment()); + Context::set('oSourceComment', CommentModel::getComment()); Context::set('oComment', $oComment); /** 
@@ -1150,8 +1120,7 @@ class boardView extends board // if the comment exists, then get the comment information if($comment_srl) { - $oCommentModel = getModel('comment'); - $oComment = $oCommentModel->getComment($comment_srl, $this->grant->manager); + $oComment = CommentModel::getComment($comment_srl, $this->grant->manager); } if($this->module_info->protect_comment_regdate > 0 && $this->grant->manager == false) @@ -1166,8 +1135,7 @@ class boardView extends board if($this->module_info->protect_delete_comment === 'Y' && $this->grant->manager == false) { - $oCommentModel = getModel('comment'); - $childs = $oCommentModel->getChildComments($comment_srl); + $childs = CommentModel::getChildComments($comment_srl); if(count($childs) > 0) { throw new Rhymix\Framework\Exception('msg_board_delete_protect_comment'); @@ -1202,7 +1170,6 @@ class boardView extends board function dispBoardDeleteTrackback() { $oTrackbackModel = getModel('trackback'); - if(!$oTrackbackModel) { return; @@ -1245,15 +1212,13 @@ class boardView extends board function dispBoardUpdateLog() { - $oDocumentModel = getModel('document'); - $document_srl = Context::get('document_srl'); - if($this->grant->update_view !== true) { throw new Rhymix\Framework\Exceptions\NotPermitted; } - $updatelog = $oDocumentModel->getDocumentUpdateLog($document_srl); + $document_srl = Context::get('document_srl'); + $updatelog = DocumentModel::getDocumentUpdateLog($document_srl); Context::set('total_count', $updatelog->page_navigation->total_count); Context::set('total_page', $updatelog->page_navigation->total_page); Context::set('page', $updatelog->page); 
@@ -1265,16 +1230,14 @@ class boardView extends board function dispBoardUpdateLogView() { - $oDocumentModel = getModel('document'); - $update_id = Context::get('update_id'); - if($this->grant->update_view !== true) { throw new Rhymix\Framework\Exceptions\NotPermitted; } - $update_log = $oDocumentModel->getUpdateLog($update_id); - $oDocument = $oDocumentModel->getDocument($update_log->document_srl); + $update_id = Context::get('update_id'); + $update_log = DocumentModel::getUpdateLog($update_id); + $oDocument = DocumentModel::getDocument($update_log->document_srl); $extra_vars = unserialize($update_log->extra_vars); @@ -1309,8 +1272,6 @@ class boardView extends board throw new Rhymix\Framework\Exceptions\NotPermitted; } - $oMemberModel = getModel('member'); - $target = Context::get('target'); $target_srl = Context::get('target_srl'); @@ -1348,7 +1309,7 @@ class boardView extends board { continue; } - $vote_member_infos[$log->member_srl] = $oMemberModel->getMemberInfoByMemberSrl($log->member_srl); + $vote_member_infos[$log->member_srl] = MemberModel::getMemberInfo($log->member_srl); } else { @@ -1356,7 +1317,7 @@ class boardView extends board { continue; } - $blame_member_infos[$log->member_srl] = $oMemberModel->getMemberInfoByMemberSrl($log->member_srl); + $blame_member_infos[$log->member_srl] = MemberModel::getMemberInfo($log->member_srl); } } } diff --git a/modules/comment/comment.controller.php b/modules/comment/comment.controller.php index cd40c1757..5b1618a0b 100644 --- a/modules/comment/comment.controller.php +++ b/modules/comment/comment.controller.php 
@@ -883,9 +883,16 @@ class commentController extends comment return $output; } - // begin transaction - $oDB = DB::getInstance(); - $oDB->begin(); + // check if comment exists and permission is granted + $comment = CommentModel::getComment($obj->comment_srl); + if(!$comment->isExists()) + { + return new BaseObject(-1, 'msg_not_founded'); + } + if(!$is_admin && !$comment->isGranted()) + { + return new BaseObject(-1, 'msg_not_permitted'); + } // If the case manager to delete comments, it indicated that the administrator deleted. $logged_info = Context::get('logged_info'); @@ -899,6 +906,12 @@ class commentController extends comment $obj->content = lang('msg_deleted_comment'); $obj->status = RX_STATUS_DELETED; } + + // Begin transaction + $oDB = DB::getInstance(); + $oDB->begin(); + + // Update $obj->member_srl = 0; unset($obj->last_update); $output = executeQuery('comment.updateCommentByDelete', $obj); @@ -931,7 +944,6 @@ class commentController extends comment $oDB->commit(); $output->add('document_srl', $obj->document_srl); - return $output; } @@ -992,13 +1004,16 @@ class commentController extends comment // check if comment already exists $comment = CommentModel::getComment($comment_srl); - if($comment->comment_srl != $comment_srl) + if(!$comment->isExists()) { - return new BaseObject(-1, 'msg_invalid_request'); + return new BaseObject(-1, 'msg_not_founded'); + } + if(!$is_admin && !$comment->isGranted()) + { + return new BaseObject(-1, 'msg_not_permitted'); } - $member_info = MemberModel::getMemberInfoByMemberSrl($comment->member_srl); - + $member_info = MemberModel::getMemberInfo($comment->member_srl); $document_srl = $comment->document_srl; // call a trigger (before) 
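Review bot: The added `isGranted()` bypass hinges on `$is_admin`, which is assigned outside this hunk; its derivation (a value read from the session user versus a flag passed in by the caller) should be checked so the bypass cannot be reached through caller-supplied data. In the same hunk the context line `$logged_info = Context::get('logged_info');` is retained although moveCommentToTrash in this file moves to `$this->user`, so the two guards now read the current user from different sources. updateCommentByDelete starts and ends outside this hunk.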
@@ -1009,14 +1024,8 @@ class commentController extends comment return $output; } - // check if permission is granted - if(!$is_admin && !$comment->isGranted()) - { - return new BaseObject(-1, 'msg_not_permitted'); - } - // check if child comment exists on the comment - if(!$childs) + if($childs === null) { $childs = CommentModel::getChildComments($comment_srl); } @@ -1144,7 +1153,7 @@ class commentController extends comment */ function moveCommentToTrash($obj, $updateComment = false) { - $logged_info = Context::get('logged_info'); + // Initialize trash arguments $trash_args = new stdClass(); if(!$obj->trash_srl) { @@ -1155,14 +1164,25 @@ class commentController extends comment $trash_args->trash_srl = $obj->trash_srl; } + // check if comment exists and permission is granted $oComment = CommentModel::getComment($obj->comment_srl); - - $member_info = MemberModel::getMemberInfoByMemberSrl($oComment->get('member_srl')); - if($member_info->is_admin == 'Y' && $logged_info->is_admin != 'Y') + if(!$oComment->isExists()) { - return new BaseObject(-1, 'msg_admin_comment_no_move_to_trash'); + return new BaseObject(-1, 'msg_not_founded'); } - + if(!$oComment->isGranted()) + { + return new BaseObject(-1, 'msg_not_permitted'); + } + if($this->user->is_admin !== 'Y') + { + $member_info = MemberModel::getMemberInfo($oComment->get('member_srl')); + if($member_info->is_admin === 'Y') + { + return new BaseObject(-1, 'msg_admin_comment_no_move_to_trash'); + } + } + $obj->module_srl = $oComment->get('module_srl'); $trash_args->module_srl = $obj->module_srl; if($trash_args->module_srl === 0) 
@@ -1172,13 +1192,12 @@ class commentController extends comment $trash_args->document_srl = $obj->document_srl; $trash_args->comment_srl = $obj->comment_srl; $trash_args->description = $obj->description; - - if(!Context::get('is_logged')) + if($this->user->isMember()) { - $trash_args->member_Srl = $logged_info->member_srl; - $trash_args->user_id = htmlspecialchars_decode($logged_info->user_id); - $trash_args->user_name = htmlspecialchars_decode($logged_info->user_name); - $trash_args->nick_name = htmlspecialchars_decode($logged_info->nick_name); + $trash_args->member_srl = $this->user->member_srl; + $trash_args->user_id = htmlspecialchars_decode($this->user->user_id); + $trash_args->user_name = htmlspecialchars_decode($this->user->user_name); + $trash_args->nick_name = htmlspecialchars_decode($this->user->nick_name); } $oDB = &DB::getInstance(); diff --git a/modules/document/document.controller.php b/modules/document/document.controller.php index b72a2ad46..8f8223783 100644 --- a/modules/document/document.controller.php +++ b/modules/document/document.controller.php 
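Review bot: The four `htmlspecialchars_decode(...)` lines give no hint why decoding is applied to the `$this->user` fields, and the document-side counterpart (`@@ -1161,15 +1175,12 @@` in document.controller.php) deletes the one comment that did explain it, `// user_id, user_name and nick_name already encoded`. Restore that comment above the first decode in both places, and add `// Record who moved the comment, only for logged-in members` above `if($this->user->isMember())` to mirror the explanatory comment the document module carries. The `$oDB = &DB::getInstance();` reference assignment on the last context line is pre-existing; `$oDB = DB::getInstance();` matches the form used earlier in this file in the same commit.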
@@ -1024,26 +1024,31 @@ class documentController extends document $oDB = &DB::getInstance(); $oDB->begin(); + // Check if the document exists if(!$isEmptyTrash) { - // Check if the documnet exists $oDocument = DocumentModel::getDocument($document_srl, $is_admin); } - else if($isEmptyTrash && $oDocument == null) return new BaseObject(-1, 'document is not exists'); + else if($isEmptyTrash && $oDocument == null) + { + return new BaseObject(-1, 'msg_not_founded'); + } - $member_info = MemberModel::getMemberInfoByMemberSrl($oDocument->get('member_srl')); - $logged_info = Context::get('logged_info'); - - if($member_info->is_admin == 'Y' && $logged_info->is_admin != 'Y') + // Check permission + if(!$oDocument->isExists()) + { + return new BaseObject(-1, 'msg_invalid_document'); + } + if(!$oDocument->isGranted()) + { + return new BaseObject(-1, 'msg_not_permitted'); + } + $member_info = MemberModel::getMemberInfo($oDocument->get('member_srl')); + if($member_info->is_admin === 'Y' && $this->user->is_admin !== 'Y') { return new BaseObject(-1, 'msg_document_is_admin_not_permitted'); } - - if(!$oDocument->isExists() || $oDocument->document_srl != $document_srl) return new BaseObject(-1, 'msg_invalid_document'); - // Check if a permossion is granted - if(!$oDocument->isGranted()) return new BaseObject(-1, 'msg_not_permitted'); - //if empty trash, document already deleted, therefore document not delete $args = new stdClass(); $args->document_srl = $document_srl; 
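Review bot: The old check `$oDocument->document_srl != $document_srl` is dropped, yet when `$isEmptyTrash` is set the `$oDocument` that the new `isGranted()` and admin-author checks run against is supplied from outside the hunk while the deletion below uses `$args->document_srl = $document_srl`, so a mismatched pair would be authorised against one document and delete another; keep the comparison in the new existence check, `if(!$oDocument->isExists() || $oDocument->document_srl != $document_srl)`. All of the new early returns also happen after `$oDB->begin()` on the first context lines, leaving the transaction open; either move the whole existence/permission block above `$oDB->begin()` as this commit does for comments (`@@ -883,9 +883,16 @@` / `@@ -899,6 +906,12 @@` in comment.controller.php), or call `$oDB->rollback()` before each return. As a point of style, `else if($isEmptyTrash && $oDocument == null)` can be `else if($oDocument === null)`, since the else branch already implies `$isEmptyTrash`. The enclosing function's signature is outside the hunk, so whether a mismatched `$oDocument` can actually arrive is inferred.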
@@ -1136,18 +1141,27 @@ class documentController extends document */ function moveDocumentToTrash($obj) { - $logged_info = Context::get('logged_info'); $trash_args = new stdClass(); // Get trash_srl if a given trash_srl doesn't exist if(!$obj->trash_srl) $trash_args->trash_srl = getNextSequence(); else $trash_args->trash_srl = $obj->trash_srl; // Get its module_srl which the document belongs to $oDocument = DocumentModel::getDocument($obj->document_srl); - - $member_info = MemberModel::getMemberInfoByMemberSrl($oDocument->get('member_srl')); - if($member_info->is_admin == 'Y' && $logged_info->is_admin != 'Y') + if(!$oDocument->isExists()) { - return new BaseObject(-1, 'msg_admin_document_no_move_to_trash'); + return new BaseObject(-1, 'msg_not_founded'); + } + if(!$oDocument->isGranted()) + { + return new BaseObject(-1, 'msg_not_permitted'); + } + if($this->user->is_admin !== 'Y') + { + $member_info = MemberModel::getMemberInfo($oDocument->get('member_srl')); + if($member_info->is_admin === 'Y') + { + return new BaseObject(-1, 'msg_admin_document_no_move_to_trash'); + } } $trash_args->module_srl = $oDocument->get('module_srl'); 
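Review bot: `$trash_args->trash_srl = getNextSequence();` on the context line above the new checks still runs before the document is known to exist and the caller to be permitted, so every rejected request consumes a sequence number; move the `trash_srl` assignment below the new `if(!$oDocument->isGranted())` block. The same ordering applies to moveCommentToTrash in comment.controller.php (`@@ -1155,14 +1164,25 @@`), whose `trash_srl` handling sits between its hunks. The new block here also lacks the `// check if document exists and permission is granted` comment that the comment-module counterpart carries; adding it keeps the two modules readable side by side.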
@@ -1161,15 +1175,12 @@ class documentController extends document $trash_args->document_srl = $obj->document_srl; $trash_args->description = $obj->description; // Insert member's information only if the member is logged-in and not manually registered. - if(Context::get('is_logged')) + if($this->user->isMember()) { - $logged_info = Context::get('logged_info'); - $trash_args->member_srl = $logged_info->member_srl; - - // user_id, user_name and nick_name already encoded - $trash_args->user_id = htmlspecialchars_decode($logged_info->user_id); - $trash_args->user_name = htmlspecialchars_decode($logged_info->user_name); - $trash_args->nick_name = htmlspecialchars_decode($logged_info->nick_name); + $trash_args->member_srl = $this->user->member_srl; + $trash_args->user_id = htmlspecialchars_decode($this->user->user_id); + $trash_args->user_name = htmlspecialchars_decode($this->user->user_name); + $trash_args->nick_name = htmlspecialchars_decode($this->user->nick_name); } // Date setting for updating documents $document_args = new stdClass;