From f72ea052f1435ea4e3fa027f18e799a5c1a06d2c Mon Sep 17 00:00:00 2001 From: bnu Date: Mon, 22 Jan 2018 15:49:52 +0900 Subject: [PATCH] =?UTF-8?q?fix=20#2229=20=EC=9E=90=EB=8F=99=EC=A0=80?= =?UTF-8?q?=EC=9E=A5=20=EA=B8=B0=EB=8A=A5=EC=97=90=20IP=20=EB=8C=80?= =?UTF-8?q?=EC=8B=A0=20=EC=95=94=ED=98=B8=ED=82=A4=EB=A5=BC=20=EB=8C=80?= =?UTF-8?q?=EC=A1=B0=ED=95=98=EB=8F=84=EB=A1=9D=20=EB=B3=80=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/editor/editor.class.php | 29 ++++++++--- modules/editor/editor.controller.php | 57 ++++++++++++--------- modules/editor/editor.model.php | 48 +++++++++++++---- modules/editor/queries/deleteSavedDoc.xml | 1 + modules/editor/queries/getSavedDocument.xml | 1 + modules/editor/queries/insertSavedDoc.xml | 3 +- modules/editor/schemas/editor_autosave.xml | 1 + 7 files changed, 99 insertions(+), 41 deletions(-) diff --git a/modules/editor/editor.class.php b/modules/editor/editor.class.php index 4aff3dc22..6bd28688f 100644 --- a/modules/editor/editor.class.php +++ b/modules/editor/editor.class.php @@ -97,6 +97,10 @@ class editor extends ModuleObject if(!$oDB->isColumnExists("editor_autosave","module_srl")) return true; if(!$oDB->isIndexExists("editor_autosave","idx_module_srl")) return true; + // XEVE-17-030 + if(!$oDB->isColumnExists('editor_autosave', 'certify_key')) return true; + if(!$oDB->isIndexExists('editor_autosave', 'idx_certify_key')) return true; + // 2007. 10. 17 Add a trigger to delete automatically saved document whenever the document(insert or update) is modified if(!$oModuleModel->getTrigger('document.insertDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after')) return true; if(!$oModuleModel->getTrigger('document.updateDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after')) return true; 
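Review bot: The `// XEVE-17-030` comment above the two new `certify_key` checks is only an advisory id and does not tell a maintainer why the column and index are required. I would expand it to something like `// XEVE-17-030: guest autosaves are matched by a per-browser certify_key cookie, not by client IP`. The same bare comment appears in the following hunk of this file, before the matching `addColumn`/`addIndex` calls. The enclosing method starts and ends outside this hunk.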
@@ -120,15 +124,28 @@ class editor extends ModuleObject { $oModuleModel = getModel('module'); $oModuleController = getController('module'); - $oDB = &DB::getInstance(); + // Save module_srl when auto-saving 15/06/2009 - if(!$oDB->isColumnExists("editor_autosave","module_srl")) - $oDB->addColumn("editor_autosave","module_srl","number",11); - - // create an index on module_srl - if(!$oDB->isIndexExists("editor_autosave","idx_module_srl")) $oDB->addIndex("editor_autosave","idx_module_srl", "module_srl"); + if(!$oDB->isColumnExists('editor_autosave', 'module_srl')) + { + $oDB->addColumn('editor_autosave', 'module_srl', 'number'); + } + if(!$oDB->isIndexExists('editor_autosave', 'idx_module_srl')) + { + $oDB->addIndex('editor_autosave', 'idx_module_srl', 'module_srl'); + } + // XEVE-17-030 + if(!$oDB->isColumnExists('editor_autosave', 'certify_key')) + { + $oDB->addColumn('editor_autosave', 'certify_key', 'varchar', 32); + } + if(!$oDB->isIndexExists('editor_autosave', 'idx_certify_key')) + { + $oDB->addIndex('editor_autosave', 'idx_certify_key', 'certify_key'); + } + // 2007. 10. 17 Add a trigger to delete automatically saved document whenever the document(insert or update) is modified if(!$oModuleModel->getTrigger('document.insertDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after')) $oModuleController->insertTrigger('document.insertDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after'); diff --git a/modules/editor/editor.controller.php b/modules/editor/editor.controller.php index e2bcb1ba3..6204d2429 100644 --- a/modules/editor/editor.controller.php +++ b/modules/editor/editor.controller.php 
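Review bot: The migration adds the `certify_key` column and index but leaves existing guest rows in `editor_autosave` with an empty key. The guards added later in this patch (`if($saved_doc->certify_key && !isset($args->certify_key))`) only reject rows that have a key, so a guest without the cookie still falls into the `ipaddress` branch, and those legacy rows appear to stay retrievable by IP match alone. Consider purging guest autosave rows that have no `certify_key` as part of this update step, or treating an empty stored key as a mismatch for non-logged-in requests. At minimum, add a comment here stating that pre-upgrade rows keep the old IP-only behaviour until they are deleted.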
@@ -292,6 +292,15 @@ class editorController extends editor function doSaveDoc($args) { if(!$args->document_srl) $args->document_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl; + + // Get the current module if module_srl doesn't exist + if(!$args->module_srl) $args->module_srl = Context::get('module_srl'); + if(!$args->module_srl) + { + $current_module_info = Context::get('current_module_info'); + $args->module_srl = $current_module_info->module_srl; + } + if(Context::get('is_logged')) { $logged_info = Context::get('logged_info'); @@ -299,20 +308,11 @@ class editorController extends editor } else { - $args->ipaddress = $_SERVER['REMOTE_ADDR']; + $args->ipaddress = RX_CLIENT_IP; + $args->certify_key = Rhymix\Framework\Security::getRandom(32); + setcookie('autosave_certify_key_' . $args->module_srl, $args->certify_key, time() + 86400, null, null, RX_SSL, true); } - // Get the current module if module_srl doesn't exist - if(!$args->module_srl) - { - $args->module_srl = Context::get('module_srl'); - } - if(!$args->module_srl) - { - $current_module_info = Context::get('current_module_info'); - $args->module_srl = $current_module_info->module_srl; - } - // Save return executeQuery('editor.insertSavedDoc', $args); } 
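Review bot: The new `setcookie()` call in the guest branch passes `null` for the path, so the browser scopes `autosave_certify_key_<module_srl>` to the directory of whichever request triggered the autosave. A later request under a different path will not send the cookie, and `getSavedDoc`/`deleteSavedDoc` then take the `ipaddress` branch and hit the early `return`, so the draft is silently neither restored nor cleaned up. Pass an explicit path covering the whole installation (its base path) as the fourth argument, and build the cookie name once in a local variable so the setter and the two readers cannot drift apart. Also note that the guest branch overwrites any `certify_key` already present on `$args`, which is the case when `getSavedDoc` calls this method after issuing its own key and cookie in the same request.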
@@ -352,26 +352,36 @@ class editorController extends editor function deleteSavedDoc($mode = false) { $args = new stdClass(); - if(Context::get('is_logged')) - { - $logged_info = Context::get('logged_info'); - $args->member_srl = $logged_info->member_srl; - } - else - { - $args->ipaddress = $_SERVER['REMOTE_ADDR']; - } $args->module_srl = Context::get('module_srl'); + // Get the current module if module_srl doesn't exist if(!$args->module_srl) { $current_module_info = Context::get('current_module_info'); $args->module_srl = $current_module_info->module_srl; } + if(Context::get('is_logged')) + { + $logged_info = Context::get('logged_info'); + $args->member_srl = $logged_info->member_srl; + } + elseif($_COOKIE['autosave_certify_key_' . $args->module_srl]) + { + $args->certify_key = $_COOKIE['autosave_certify_key_' . $args->module_srl]; + } + else + { + $args->ipaddress = RX_CLIENT_IP; + } + // Check if the auto-saved document already exists $output = executeQuery('editor.getSavedDocument', $args); $saved_doc = $output->data; if(!$saved_doc) return; + if($saved_doc->certify_key && !isset($args->certify_key)) + { + return; + } $oDocumentModel = getModel('document'); $oSaved = $oDocumentModel->getDocument($saved_doc->document_srl); @@ -383,8 +393,9 @@ class editorController extends editor $output = ModuleHandler::triggerCall('editor.deleteSavedDoc', 'after', $saved_doc); } } - // Delete the saved document - return executeQuery('editor.deleteSavedDoc', $args); + + $output = executeQuery('editor.deleteSavedDoc', $args); + return $output; } /** diff --git a/modules/editor/editor.model.php b/modules/editor/editor.model.php index 4d7874781..bf9082de9 100644 --- a/modules/editor/editor.model.php +++ b/modules/editor/editor.model.php 
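Review bot: The `elseif($_COOKIE['autosave_certify_key_' . $args->module_srl])` test reads a client-controlled cookie without `isset()` or a type check. A missing cookie raises an undefined-index notice, and a cookie sent with bracket syntax arrives as an array that is then handed to `executeQuery()` as `certify_key`. I would guard it as `$key_name = 'autosave_certify_key_' . $args->module_srl;` followed by `elseif(isset($_COOKIE[$key_name]) && is_string($_COOKIE[$key_name]) && $_COOKIE[$key_name] !== '')`. The same pattern appears in the `getSavedDoc` hunk of `editor.model.php` and should get the same guard. The body of `deleteSavedDoc` continues between this hunk and the next one on this line.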
@@ -409,32 +409,48 @@ class editorModel extends editor function getSavedDoc($upload_target_srl) { $auto_save_args = new stdClass(); - // Find a document by using member_srl for logged-in user and ipaddress for non-logged user - if(Context::get('is_logged')) - { - $logged_info = Context::get('logged_info'); - $auto_save_args->member_srl = $logged_info->member_srl; - } - else - { - $auto_save_args->ipaddress = $_SERVER['REMOTE_ADDR']; - } $auto_save_args->module_srl = Context::get('module_srl'); + // Get the current module if module_srl doesn't exist if(!$auto_save_args->module_srl) { $current_module_info = Context::get('current_module_info'); $auto_save_args->module_srl = $current_module_info->module_srl; } + + // Find a document by using member_srl for logged-in user and ipaddress for non-logged user + if(Context::get('is_logged')) + { + $logged_info = Context::get('logged_info'); + $auto_save_args->member_srl = $logged_info->member_srl; + } + elseif($_COOKIE['autosave_certify_key_' . $auto_save_args->module_srl]) + { + $auto_save_args->certify_key = $_COOKIE['autosave_certify_key_' . $auto_save_args->module_srl]; + } + else + { + $auto_save_args->ipaddress = RX_CLIENT_IP; + } + // Extract auto-saved data from the DB $output = executeQuery('editor.getSavedDocument', $auto_save_args); $saved_doc = $output->data; + // Return null if no result is auto-saved if(!$saved_doc) return; + + // Return null if certify key does not match + if($saved_doc->certify_key && !isset($auto_save_args->certify_key)) + { + return; + } + // Check if the auto-saved document already exists $oDocumentModel = getModel('document'); $oSaved = $oDocumentModel->getDocument($saved_doc->document_srl); if($oSaved->isExists()) return; + // Move all the files if the auto-saved data contains document_srl and file // Then set document_srl to editor_sequence if($saved_doc->document_srl && $upload_target_srl && !Context::get('document_srl')) 
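Review bot: The comment `// Return null if certify key does not match` overstates what the guard below it checks. It only tests that the stored row has a key while the request supplied none. Whether a supplied key actually equals the stored one depends entirely on the `certify_key` condition in `getSavedDocument.xml`, which cannot be read in this patch view. As defence in depth, compare the values in PHP as well, for example by adding `|| !hash_equals((string)$saved_doc->certify_key, (string)$auto_save_args->certify_key)` to the condition when a key is present. Otherwise reword the comment to say that the match itself happens in the query.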
@@ -443,8 +459,18 @@ class editorModel extends editor $oFileController = getController('file'); $oFileController->moveFile($saved_doc->document_srl, $saved_doc->module_srl, $upload_target_srl); } - else if($upload_target_srl) $saved_doc->document_srl = $upload_target_srl; + elseif($upload_target_srl) + { + $saved_doc->document_srl = $upload_target_srl; + } + // Change auto-saved data + $saved_doc->certify_key = $auto_save_args->certify_key; + if(!$saved_doc->certify_key) + { + $saved_doc->certify_key = Rhymix\Framework\Security::getRandom(32); + setcookie('autosave_certify_key_' . $saved_doc->module_srl, $saved_doc->certify_key, time() + 86400, null, null, RX_SSL, true); + } $oEditorController = getController('editor'); $oEditorController->deleteSavedDoc(false); $oEditorController->doSaveDoc($saved_doc); diff --git a/modules/editor/queries/deleteSavedDoc.xml b/modules/editor/queries/deleteSavedDoc.xml index e6189f731..7a3c5e386 100644 --- a/modules/editor/queries/deleteSavedDoc.xml +++ b/modules/editor/queries/deleteSavedDoc.xml @@ -7,5 +7,6 @@ + diff --git a/modules/editor/queries/getSavedDocument.xml b/modules/editor/queries/getSavedDocument.xml index 50c194fe2..995351ea9 100644 --- a/modules/editor/queries/getSavedDocument.xml +++ b/modules/editor/queries/getSavedDocument.xml @@ -7,5 +7,6 @@ + diff --git a/modules/editor/queries/insertSavedDoc.xml b/modules/editor/queries/insertSavedDoc.xml index 9515659a9..ef9f30693 100644 --- a/modules/editor/queries/insertSavedDoc.xml +++ b/modules/editor/queries/insertSavedDoc.xml @@ -5,10 +5,11 @@ - + + diff --git a/modules/editor/schemas/editor_autosave.xml b/modules/editor/schemas/editor_autosave.xml index 94ae49f50..267455e87 100644 --- a/modules/editor/schemas/editor_autosave.xml +++ b/modules/editor/schemas/editor_autosave.xml @@ -5,5 +5,6 @@ +
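Review bot: The added block issues a `certify_key` and sets the cookie whenever `$auto_save_args->certify_key` is empty, and that includes logged-in members because the `is_logged` branch earlier in `getSavedDoc` never sets it. If `insertSavedDoc` persists that key (the query XML is not readable here), the member's next `getSavedDoc` or `deleteSavedDoc` call would look the row up by `member_srl`, find a stored key with none in the arguments, and return early, so the draft could no longer be restored or removed. I would restrict key generation to guests with `if(!Context::get('is_logged') && !$saved_doc->certify_key)`. The line `$saved_doc->certify_key = $auto_save_args->certify_key;` also reads an undefined property when no cookie was present, so it should become `isset($auto_save_args->certify_key) ? $auto_save_args->certify_key : null`. The function body starts in the previous hunk and continues past this one.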