fix #2229 자동저장 기능에 IP 대신 암호키를 대조하도록 변경

modules/editor/editor.class.php

@@ -97,6 +97,10 @@ class editor extends ModuleObject
 		if(!$oDB->isColumnExists("editor_autosave","module_srl")) return true;
 		if(!$oDB->isIndexExists("editor_autosave","idx_module_srl")) return true;
 
+		// XEVE-17-030
+		if(!$oDB->isColumnExists('editor_autosave', 'certify_key')) return true;
+		if(!$oDB->isIndexExists('editor_autosave', 'idx_certify_key')) return true;
+
 		// 2007. 10. 17 Add a trigger to delete automatically saved document whenever the document(insert or update) is modified
 		if(!$oModuleModel->getTrigger('document.insertDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after')) return true;
 		if(!$oModuleModel->getTrigger('document.updateDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after')) return true;
@@ -120,14 +124,27 @@ class editor extends ModuleObject
 	{
 		$oModuleModel = getModel('module');
 		$oModuleController = getController('module');
-
 		$oDB = &DB::getInstance();
-		// Save module_srl when auto-saving 15/06/2009
-		if(!$oDB->isColumnExists("editor_autosave","module_srl")) 
-			$oDB->addColumn("editor_autosave","module_srl","number",11);
 		
-		// create an index on module_srl
-		if(!$oDB->isIndexExists("editor_autosave","idx_module_srl")) $oDB->addIndex("editor_autosave","idx_module_srl", "module_srl");
+		// Save module_srl when auto-saving 15/06/2009
+		if(!$oDB->isColumnExists('editor_autosave', 'module_srl'))
+		{
+			$oDB->addColumn('editor_autosave', 'module_srl', 'number');
+		}
+		if(!$oDB->isIndexExists('editor_autosave', 'idx_module_srl'))
+		{
+			$oDB->addIndex('editor_autosave', 'idx_module_srl', 'module_srl');
+		}
+
+		// XEVE-17-030
+		if(!$oDB->isColumnExists('editor_autosave', 'certify_key'))
+		{
+			$oDB->addColumn('editor_autosave', 'certify_key', 'varchar', 32);
+		}
+		if(!$oDB->isIndexExists('editor_autosave', 'idx_certify_key'))
+		{
+			$oDB->addIndex('editor_autosave', 'idx_certify_key', 'certify_key');
+		}
 		
 		// 2007. 10. 17 Add a trigger to delete automatically saved document whenever the document(insert or update) is modified
 		if(!$oModuleModel->getTrigger('document.insertDocument', 'editor', 'controller', 'triggerDeleteSavedDoc', 'after')) 

modules/editor/editor.controller.php

@@ -292,6 +292,15 @@ class editorController extends editor
 	function doSaveDoc($args)
 	{
 		if(!$args->document_srl) $args->document_srl = $_SESSION['upload_info'][$editor_sequence]->upload_target_srl;
+
+		// Get the current module if module_srl doesn't exist
+		if(!$args->module_srl) $args->module_srl = Context::get('module_srl');
+		if(!$args->module_srl)
+		{
+			$current_module_info = Context::get('current_module_info');
+			$args->module_srl = $current_module_info->module_srl;
+		}
+
 		if(Context::get('is_logged'))
 		{
 			$logged_info = Context::get('logged_info');
@@ -299,20 +308,11 @@ class editorController extends editor
 		}
 		else
 		{
-			$args->ipaddress = $_SERVER['REMOTE_ADDR'];
+			$args->ipaddress = RX_CLIENT_IP;
+			$args->certify_key = Rhymix\Framework\Security::getRandom(32);
+			setcookie('autosave_certify_key_' . $args->module_srl, $args->certify_key, time() + 86400, null, null, RX_SSL, true);
 		}
 
-		// Get the current module if module_srl doesn't exist
-		if(!$args->module_srl)
-		{
-			$args->module_srl = Context::get('module_srl');
-		}
-		if(!$args->module_srl)
-		{
-			$current_module_info = Context::get('current_module_info');
-			$args->module_srl = $current_module_info->module_srl;
-		}
-		// Save
 		return executeQuery('editor.insertSavedDoc', $args);
 	}
 
@@ -352,26 +352,36 @@ class editorController extends editor
 	function deleteSavedDoc($mode = false)
 	{
 		$args = new stdClass();
-		if(Context::get('is_logged'))
-		{
-			$logged_info = Context::get('logged_info');
-			$args->member_srl = $logged_info->member_srl;
-		}
-		else
-		{
-			$args->ipaddress = $_SERVER['REMOTE_ADDR'];
-		}
 		$args->module_srl = Context::get('module_srl');
+
 		// Get the current module if module_srl doesn't exist
 		if(!$args->module_srl)
 		{
 			$current_module_info = Context::get('current_module_info');
 			$args->module_srl = $current_module_info->module_srl;
 		}
+		if(Context::get('is_logged'))
+		{
+			$logged_info = Context::get('logged_info');
+			$args->member_srl = $logged_info->member_srl;
+		}
+		elseif($_COOKIE['autosave_certify_key_' . $args->module_srl])
+		{
+			$args->certify_key = $_COOKIE['autosave_certify_key_' . $args->module_srl];
+		}
+		else
+		{
+			$args->ipaddress = RX_CLIENT_IP;
+		}
+
 		// Check if the auto-saved document already exists
 		$output = executeQuery('editor.getSavedDocument', $args);
 		$saved_doc = $output->data;
 		if(!$saved_doc) return;
+		if($saved_doc->certify_key && !isset($args->certify_key))
+		{
+			return;
+		}
 
 		$oDocumentModel = getModel('document');
 		$oSaved = $oDocumentModel->getDocument($saved_doc->document_srl);
@@ -383,8 +393,9 @@ class editorController extends editor
 				$output = ModuleHandler::triggerCall('editor.deleteSavedDoc', 'after', $saved_doc);
 			}
 		}
-		// Delete the saved document
-		return executeQuery('editor.deleteSavedDoc', $args);
+
+		$output = executeQuery('editor.deleteSavedDoc', $args);
+		return $output;
 	}
 
 	/**

modules/editor/editor.model.php

@@ -409,32 +409,48 @@ class editorModel extends editor
 	function getSavedDoc($upload_target_srl)
 	{
 		$auto_save_args = new stdClass();
-		// Find a document by using member_srl for logged-in user and ipaddress for non-logged user
-		if(Context::get('is_logged'))
-		{
-			$logged_info = Context::get('logged_info');
-			$auto_save_args->member_srl = $logged_info->member_srl;
-		}
-		else
-		{
-			$auto_save_args->ipaddress = $_SERVER['REMOTE_ADDR'];
-		}
 		$auto_save_args->module_srl = Context::get('module_srl');
+
 		// Get the current module if module_srl doesn't exist
 		if(!$auto_save_args->module_srl)
 		{
 			$current_module_info = Context::get('current_module_info');
 			$auto_save_args->module_srl = $current_module_info->module_srl;
 		}
+
+		// Find a document by using member_srl for logged-in user and ipaddress for non-logged user
+		if(Context::get('is_logged'))
+		{
+			$logged_info = Context::get('logged_info');
+			$auto_save_args->member_srl = $logged_info->member_srl;
+		}
+		elseif($_COOKIE['autosave_certify_key_' . $auto_save_args->module_srl])
+		{
+			$auto_save_args->certify_key = $_COOKIE['autosave_certify_key_' . $auto_save_args->module_srl];
+		}
+		else
+		{
+			$auto_save_args->ipaddress = RX_CLIENT_IP;
+		}
+
 		// Extract auto-saved data from the DB
 		$output = executeQuery('editor.getSavedDocument', $auto_save_args);
 		$saved_doc = $output->data;
+
 		// Return null if no result is auto-saved
 		if(!$saved_doc) return;
+		
+		// Return null if certify key does not match
+		if($saved_doc->certify_key && !isset($auto_save_args->certify_key))
+		{
+			return;
+		}
+
 		// Check if the auto-saved document already exists
 		$oDocumentModel = getModel('document');
 		$oSaved = $oDocumentModel->getDocument($saved_doc->document_srl);
 		if($oSaved->isExists()) return;
+
 		// Move all the files if the auto-saved data contains document_srl and file
 		// Then set document_srl to editor_sequence
 		if($saved_doc->document_srl && $upload_target_srl && !Context::get('document_srl'))
@@ -443,8 +459,18 @@ class editorModel extends editor
 			$oFileController = getController('file');
 			$oFileController->moveFile($saved_doc->document_srl, $saved_doc->module_srl, $upload_target_srl);
 		}
-		else if($upload_target_srl) $saved_doc->document_srl = $upload_target_srl;
+		elseif($upload_target_srl)
+		{
+			$saved_doc->document_srl = $upload_target_srl;
+		}
+
 		// Change auto-saved data
+		$saved_doc->certify_key = $auto_save_args->certify_key;
+		if(!$saved_doc->certify_key)
+		{
+			$saved_doc->certify_key = Rhymix\Framework\Security::getRandom(32);
+			setcookie('autosave_certify_key_' . $saved_doc->module_srl, $saved_doc->certify_key, time() + 86400, null, null, RX_SSL, true);
+		}
 		$oEditorController = getController('editor');
 		$oEditorController->deleteSavedDoc(false);
 		$oEditorController->doSaveDoc($saved_doc);

modules/editor/queries/deleteSavedDoc.xml

@@ -7,5 +7,6 @@
         <condition operation="equal" column="module_srl" var="module_srl" />
         <condition operation="equal" column="member_srl" var="member_srl" pipe="and" />
         <condition operation="equal" column="ipaddress" var="ipaddress" pipe="and" />
+        <condition operation="equal" column="certify_key" var="certify_key" pipe="and" />
     </conditions>
 </query>

modules/editor/queries/getSavedDocument.xml

@@ -7,5 +7,6 @@
         <condition operation="equal" column="module_srl" var="module_srl" />
         <condition operation="equal" column="member_srl" var="member_srl" pipe="and" />
         <condition operation="equal" column="ipaddress" var="ipaddress" pipe="and" />
+        <condition operation="equal" column="certify_key" var="certify_key" pipe="and" />
     </conditions>
 </query>

modules/editor/queries/insertSavedDoc.xml

@@ -9,6 +9,7 @@
         <column name="document_srl" var="document_srl" default="0" />
         <column name="title" var="title" />
         <column name="content" var="content" />
+        <column name="certify_key" var="certify_key" />
         <column name="regdate" var="regdate" default="curdate()" />
     </columns>
 </query>

modules/editor/schemas/editor_autosave.xml

@@ -5,5 +5,6 @@
     <column name="document_srl" type="number" size="11" default="0" notnull="notnull" />
     <column name="title" type="varchar" size="250" />
     <column name="content" type="bigtext" notnull="notnull" />
+    <column name="certify_key" type="varchar" size="32" index="idx_certify_key" />
     <column name="regdate" type="date" index="idx_regdate" />
 </table>