Merge branch 'security/rve-2026-4'

classes/module/ModuleObject.class.php

@@ -921,7 +921,7 @@ class ModuleObject extends BaseObject
 		// execute api methods of the module if view action is and result is XMLRPC or JSON
 		if(isset($this->module_info->module_type) && in_array($this->module_info->module_type, ['view', 'mobile']))
 		{
-			if(Context::getResponseMethod() == 'XMLRPC' || Context::getResponseMethod() == 'JSON')
+			if ($this->getHttpStatusCode() < 400 && in_array(Context::getResponseMethod(), ['JSON', 'XMLRPC']))
 			{
 				$oAPI = getAPI($this->module_info->module);
 				if($oAPI instanceof ModuleObject && method_exists($oAPI, $this->act))

modules/board/board.api.php

@@ -56,12 +56,19 @@ class BoardAPI extends Board
 	public function dispBoardContentView($oModule)
 	{
 		$oDocument = Context::get('oDocument');
-		if($oDocument->isGranted())
+		if ($oDocument->isExists() && $oDocument->isAccessible())
 		{
-			$extra_vars = $oDocument->getExtraVars() ?: [];
-			$oDocument->add('extra_vars', $this->_arrangeExtraVars($extra_vars));
+			if ($oDocument->isGranted())
+			{
+				$extra_vars = $oDocument->getExtraVars() ?: [];
+				$oDocument->add('extra_vars', $this->_arrangeExtraVars($extra_vars));
+			}
+			$oModule->add('oDocument', $this->_arrangeContent($oDocument, $oModule->grant));
+		}
+		else
+		{
+			$oModule->add('oDocument', null);
 		}
-		$oModule->add('oDocument', $this->_arrangeContent($oDocument, $oModule->grant));
 	}
 
 	/**
@@ -70,13 +77,13 @@ class BoardAPI extends Board
 	public function dispBoardContentFileList($oModule)
 	{
 		$oDocument = Context::get('oDocument');
-		if($oDocument->isAccessible())
+		if ($oDocument->isExists() && $oDocument->isAccessible())
 		{
 			$oModule->add('file_list', $this->_arrangeFiles(Context::get('file_list') ?: []));
 		}
 		else
 		{
-			$oModule->add('file_list', array());
+			$oModule->add('file_list', []);
 		}
 	}
 
@@ -93,12 +100,20 @@ class BoardAPI extends Board
 	 **/
 	public function dispBoardContentCommentList($oModule)
 	{
-		$comment_list = Context::get('comment_list');
-		if (!is_array($comment_list))
+		$oDocument = Context::get('oDocument');
+		if ($oDocument->isExists() && $oDocument->isAccessible())
 		{
-			$comment_list = [];
+			$comment_list = Context::get('comment_list');
+			if (!is_array($comment_list))
+			{
+				$comment_list = [];
+			}
+			$oModule->add('comment_list', $this->_arrangeComments($comment_list));
+		}
+		else
+		{
+			$oModule->add('comment_list', []);
 		}
-		$oModule->add('comment_list', $this->_arrangeComments($comment_list));
 	}
 
 	/**

modules/board/board.view.php

@@ -318,6 +318,8 @@ class BoardView extends Board
 				{
 					if (abs($oDocument->get('member_srl')) != $this->user->member_srl)
 					{
+						$oDocument = DocumentModel::getDocument(0);
+						$oDocument->add('module_srl', $this->module_srl);
 						Context::set('document_srl', null, true);
 						$this->dispBoardMessage('msg_not_founded', 404);
 					}
@@ -326,6 +328,8 @@ class BoardView extends Board
 				// if the document is TEMP saved, pretend that it doesn't exist.
 				if($oDocument->getStatus() == 'TEMP')
 				{
+					$oDocument = DocumentModel::getDocument(0);
+					$oDocument->add('module_srl', $this->module_srl);
 					Context::set('document_srl', null, true);
 					$this->dispBoardMessage('msg_not_founded', 404);
 				}
@@ -355,6 +359,7 @@ class BoardView extends Board
 			if(!$this->grant->view && !$oDocument->isGranted())
 			{
 				$oDocument = DocumentModel::getDocument(0);
+				$oDocument->add('module_srl', $this->module_srl);
 				Context::set('document_srl', null, true);
 				$this->dispBoardMessage($this->user->isMember() ? 'msg_not_permitted' : 'msg_not_logged');
 			}