<action>에 퍼미션 속성 추가

승인 권한 (grant)도 퍼미션 체크를 할 수 있도록 추가
2026-04-02 01:52:10 +09:00 · 2017-04-07 14:55:33 +09:00 · 2017-04-07 14:55:33 +09:00 · f224a4aea0
commit f224a4aea0
parent 9713e99144
3 changed files with 69 additions and 30 deletions
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@ -556,13 +556,14 @@ class ModuleHandler extends Handler
 			}

 			$forward = NULL;
+			
 			// 1. Look for the module with action name
 			if(preg_match('/^([a-z]+)([A-Z])([a-z0-9\_]+)(.*)$/', $this->act, $matches))
 			{
 				$module = strtolower($matches[2] . $matches[3]);
 				$xml_info = $oModuleModel->getModuleActionXml($module);

-				if($xml_info->action->{$this->act} && ((stripos($this->act, 'admin') !== FALSE) || $xml_info->action->{$this->act}->standalone != 'false'))
+				if($xml_info->action->{$this->act} && ($this->module == 'admin' || $xml_info->action->{$this->act}->standalone != 'false'))
 				{
 					$forward = new stdClass();
 					$forward->module = $module;
@ -581,12 +582,12 @@ class ModuleHandler extends Handler
 					return $oMessageObject;
 				}
 			}
-
+			
 			if(!$forward)
 			{
 				$forward = $oModuleModel->getActionForward($this->act);
 			}
-
+			
 			if($forward->module && $forward->type && $forward->act && $forward->act == $this->act)
 			{
 				$kind = stripos($forward->act, 'admin') !== FALSE ? 'admin' : '';
@ -594,9 +595,24 @@ class ModuleHandler extends Handler
 				$ruleset = $forward->ruleset;
 				$tpl_path = $oModule->getTemplatePath();
 				$orig_module = $oModule;
-
+				
 				$xml_info = $oModuleModel->getModuleActionXml($forward->module);
-
+				
+				// Protect admin action
+				if(($this->module == 'admin' || $kind == 'admin') && !$oModuleModel->getGrant($forward, $logged_info)->root)
+				{
+					if($this->module == 'admin' || empty($xml_info->permission->{$this->act}))
+					{
+						self::_setInputErrorToContext();
+						$this->error = 'admin.msg_is_not_administrator';
+						$oMessageObject = self::getModuleInstance('message', $display_mode);
+						$oMessageObject->setError(-1);
+						$oMessageObject->setMessage($this->error);
+						$oMessageObject->dispMessage();
+						return $oMessageObject;
+					}
+				}
+				
 				// SECISSUE also check foward act method
 				// check REQUEST_METHOD in controller
 				if($type == 'controller')
@ -670,21 +686,6 @@ class ModuleHandler extends Handler
 					return $oMessageObject;
 				}
 				
-				// Protect admin action
-				if(($this->module == 'admin' || $kind == 'admin') && !$oModuleModel->getGrant($forward, $logged_info)->root)
-				{
-					if($this->module == 'admin' || strpos($xml_info->permission->{$this->act}, 'manager') === false)
-					{
-						self::_setInputErrorToContext();
-						$this->error = 'admin.msg_is_not_administrator';
-						$oMessageObject = self::getModuleInstance('message', $display_mode);
-						$oMessageObject->setError(-1);
-						$oMessageObject->setMessage($this->error);
-						$oMessageObject->dispMessage();
-						return $oMessageObject;
-					}
-				}
-				
 				// Admin page layout
 				if($this->module == 'admin' && $type == 'view' && $this->act != 'dispLayoutAdminLayoutModify')
 				{
--- a/classes/module/ModuleObject.class.php
+++ b/classes/module/ModuleObject.class.php
@ -223,6 +223,7 @@ class ModuleObject extends Object
 					// Check permission
 					if($this->checkPermission($grant, false) !== true)
 					{
+						$this->stop('msg_not_permitted_act');
 						return false;
 					}
 				}
@ -238,6 +239,7 @@ class ModuleObject extends Object
 			// Check permission
 			if($this->checkPermission($grant) !== true)
 			{
+				$this->stop('msg_not_permitted_act');
 				return false;
 			}
 		}
@ -279,8 +281,14 @@ class ModuleObject extends Object
 		// Get permission types(guest, member, manager, root) of the currently requested action
 		$permission = $this->xml_info->permission->{$this->act};
 		
-		// If admin action, default permission
-		if(!$permission && stripos($this->act, 'admin') !== false)
+		// If permission is 'guest', Pass
+		if($permission == 'guest')
+		{
+			return true;
+		}
+		
+		// If admin action, set default permission
+		if(empty($permission) && stripos($this->act, 'admin') !== false)
 		{
 			$permission = 'root';
 		}
@ -291,7 +299,6 @@ class ModuleObject extends Object
 			// If permission is 'member', check logged-in
 			if($permission == 'member' && !Context::get('is_logged'))
 			{
-				$this->stop('msg_not_permitted_act');
 				return false;
 			}
 			// If permission is 'manager', check 'is user have manager privilege(granted)'
@ -317,16 +324,27 @@ class ModuleObject extends Object
 					}
 				}
 				
-				$this->stop('admin.msg_is_not_administrator');
 				return false;
 			}
 			// If permission is 'root', Error!
 			// Because an administrator who have root privilege(granted) was passed already
 			else if($permission == 'root')
 			{
-				$this->stop('admin.msg_is_not_administrator');
 				return false;
 			}
+			// If grant name, check the privilege(granted) of the user
+			else if($grant_names = explode('|', $permission))
+			{
+				$privilege_list = array_keys((array) $this->xml_info->grant);
+				
+				foreach($grant_names as $name)
+				{
+					if(!in_array($name, $privilege_list) || !$grant->$name)
+					{
+						return false;
+					}
+				}
+			}
 		}
 		
 		return true;
--- a/modules/module/module.model.php
+++ b/modules/module/module.model.php
@ -839,13 +839,13 @@ class moduleModel extends module
 				else $permission_list[] = $permissions;

 				$buff[] = '$info->permission = new stdClass;';
-
 				$info->permission = new stdClass();
+				
 				foreach($permission_list as $permission)
 				{
 					$action = $permission->attrs->action;
 					$target = $permission->attrs->target;
-
+					
 					$info->permission->{$action} = $target;
 					$info->permission_check->{$action}->key = $permission->attrs->check_var ?: '';
 					$info->permission_check->{$action}->type = $permission->attrs->check_type ?: '';
@ -863,6 +863,7 @@ class moduleModel extends module

 				$buff[] = '$info->menu = new stdClass;';
 				$info->menu = new stdClass();
+				
 				foreach($menu_list as $menu)
 				{
 					$menu_name = $menu->attrs->name;
@ -885,20 +886,39 @@ class moduleModel extends module
 			{
 				if(is_array($actions)) $action_list = $actions;
 				else $action_list[] = $actions;
-
+				
+				if(!isset($info->permission))
+				{
+					$buff[] = '$info->permission = new stdClass;';
+					$info->permission = new stdClass();
+				}
+				
 				$buff[] = '$info->action = new stdClass;';
 				$info->action = new stdClass();
+				
 				foreach($action_list as $action)
 				{
 					$name = $action->attrs->name;
-
+					
+					// <action permission="...">
+					if($action->attrs->permission)
+					{
+						$info->permission->$name = $action->attrs->permission;
+						$info->permission_check->$name->key = $action->attrs->check_var ?: '';
+						$info->permission_check->$name->type = $action->attrs->check_type ?: '';
+						
+						$buff[] = sprintf('$info->permission->%s = \'%s\';', $name, $info->permission->$name);
+						$buff[] = sprintf('$info->permission_check->%s->key = \'%s\';', $name, $info->permission_check->$name->key);
+						$buff[] = sprintf('$info->permission_check->%s->type = \'%s\';', $name, $info->permission_check->$name->type);
+					}
+					
 					$type = $action->attrs->type;
 					$grant = $action->attrs->grant?$action->attrs->grant:'guest';
 					$standalone = $action->attrs->standalone=='false'?'false':'true';
 					$ruleset = $action->attrs->ruleset?$action->attrs->ruleset:'';
 					$method = $action->attrs->method?$action->attrs->method:'';
 					$check_csrf = $action->attrs->check_csrf=='false'?'false':'true';
-
+					
 					$index = $action->attrs->index;
 					$admin_index = $action->attrs->admin_index;
 					$setup_index = $action->attrs->setup_index;