diff --git a/modules/board/board.controller.php b/modules/board/board.controller.php index faadbb446..ee92721e8 100644 --- a/modules/board/board.controller.php +++ b/modules/board/board.controller.php @@ -31,6 +31,7 @@ class BoardController extends Board $obj = Context::getRequestVars(); $obj->module_srl = $this->module_srl; $obj->commentStatus = $obj->comment_status; + unset($obj->extra_vars); // Remove disallowed Unicode symbols. if ($this->module_info->filter_specialchars !== 'N') @@ -145,6 +146,11 @@ class BoardController extends Board $obj->notify_message = 'N'; $obj->email_address = $obj->homepage = $obj->user_id = ''; $obj->user_name = $obj->nick_name = $anonymous_name; + $obj->member_srl = $logged_info->member_srl * -1; + if ($oDocument->isExists()) + { + $oDocument->add('member_srl', $obj->member_srl); + } } // Update if the document already exists. @@ -168,13 +174,6 @@ class BoardController extends Board // if document status is temp if($oDocument->get('status') == DocumentModel::getConfigStatus('temp')) { - // if use anonymous, set the member_srl to a negative number - if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y')) - { - $obj->member_srl = abs($oDocument->get('member_srl')) * -1; - $oDocument->add('member_srl', $obj->member_srl); - } - // Update list order, date $obj->last_update = $obj->regdate = date('YmdHis'); $obj->update_order = $obj->list_order = (getNextSequence() * -1); @@ -229,12 +228,6 @@ class BoardController extends Board // Insert a new document. else { - // if use anonymous, set the member_srl to a negative number - if($this->module_info->use_anonymous == 'Y' && (!$this->grant->manager || ($this->module_info->anonymous_except_admin ?? 'N') !== 'Y')) - { - $obj->member_srl = $logged_info->member_srl * -1; - } - // Update list order if document_srl is already assigned if ($obj->document_srl) { 
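Review bot: The added `$oDocument->add('member_srl', $obj->member_srl)` in the anonymous branch runs for every existing document, whereas the removed block at `@@ -168,13` only re-signed documents still in `temp` status and derived the value from the document's own `member_srl` (`abs(...) * -1`) rather than from the current session. If someone other than the original author can reach this path (a manager, for instance), the in-memory document now carries the editor's negated srl; the update hunk in document.controller.php appears to restore the original author from `$source_obj`, so the net effect may be harmless, but that should be confirmed. A one-line comment stating the intent, e.g. `// Re-sign the existing document with the current editor's anonymous srl`, would make the change reviewable. The enclosing `if` that gates this on `use_anonymous` starts outside the hunk.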
diff --git a/modules/comment/comment.controller.php b/modules/comment/comment.controller.php index 4885fb5b8..3157a56df 100644 --- a/modules/comment/comment.controller.php +++ b/modules/comment/comment.controller.php @@ -559,15 +559,37 @@ class CommentController extends Comment } $obj->__isupdate = FALSE; - // Remove manual member info to prevent forgery. This variable can be set by triggers only. - unset($obj->manual_member_info); - // Sanitize variables $obj->comment_srl = intval($obj->comment_srl); $obj->module_srl = intval($obj->module_srl); $obj->document_srl = intval($obj->document_srl); $obj->parent_srl = intval($obj->parent_srl); + // Only managers can customize dates. + $grant = Context::get('grant'); + if(!$grant->manager) + { + unset($obj->regdate); + unset($obj->last_update); + } + + // Add the current user's info, unless it is a guest post. + $logged_info = Context::get('logged_info'); + if($logged_info->member_srl && !$manual_inserted) + { + $obj->member_srl = $logged_info->member_srl; + $obj->user_id = htmlspecialchars_decode($logged_info->user_id); + $obj->user_name = htmlspecialchars_decode($logged_info->user_name); + $obj->nick_name = htmlspecialchars_decode($logged_info->nick_name); + $obj->email_address = $logged_info->email_address; + $obj->homepage = $logged_info->homepage; + } + if(!$logged_info->member_srl && !$manual_inserted) + { + unset($obj->member_srl); + unset($obj->user_id); + } + $obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl); // call a trigger (before) @@ -594,7 +616,6 @@ class CommentController extends Comment if(!$manual_inserted) { $oDocument = DocumentModel::getDocument($document_srl); - if($document_srl != $oDocument->document_srl) { return new BaseObject(-1, 'msg_invalid_document'); 
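Review bot: The why-comment `// user_id, user_name and nick_name already encoded` that justified the three `htmlspecialchars_decode()` calls was dropped with the old block and should be restored above the decode lines; the same applies to the insert hunk in document.controller.php at `@@ -664,8`. The two complementary guards `if($logged_info->member_srl && !$manual_inserted)` / `if(!$logged_info->member_srl && !$manual_inserted)` read more clearly as `if (!$manual_inserted) { if ($logged_info->member_srl) { … } else { … } }`. The removed code guarded the member reads with `Context::get('is_logged')`; if `logged_info` can be null for guests, `$logged_info->member_srl` emits a warning here, so keeping that guard (or a `?->` read) is safer. Since `regdate` is now unset for non-managers and the `date("YmdHis")` fallback is removed at `@@ -661,11`, the value presumably comes from the insert query's default, which is worth confirming. The enclosing method starts and ends outside the hunk.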
@@ -603,29 +624,6 @@ class CommentController extends Comment { return new BaseObject(-1, 'msg_invalid_request'); } - - if($obj->homepage) - { - $obj->homepage = escape($obj->homepage); - if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage)) - { - $obj->homepage = 'http://'.$obj->homepage; - } - } - - // input the member's information if logged-in - $logged_info = Context::get('logged_info'); - if(Context::get('is_logged') && !$obj->manual_member_info) - { - $obj->member_srl = $logged_info->member_srl; - - // user_id, user_name and nick_name already encoded - $obj->user_id = htmlspecialchars_decode($logged_info->user_id); - $obj->user_name = htmlspecialchars_decode($logged_info->user_name); - $obj->nick_name = htmlspecialchars_decode($logged_info->nick_name); - $obj->email_address = $logged_info->email_address; - $obj->homepage = $logged_info->homepage; - } } // error display if neither of log-in info and user name exist. @@ -634,6 +632,16 @@ class CommentController extends Comment return new BaseObject(-1, 'msg_invalid_request'); } + // Clean up the homepage link, if any + if($obj->homepage) + { + $obj->homepage = escape($obj->homepage); + if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage)) + { + $obj->homepage = 'http://'.$obj->homepage; + } + } + if(!$obj->comment_srl) { $obj->comment_srl = getNextSequence(); @@ -661,11 +669,6 @@ class CommentController extends Comment $obj->content = getModel('editor')->converter($obj, 'comment'); } - if(!$obj->regdate) - { - $obj->regdate = date("YmdHis"); - } - // remove iframe and script if not a top administrator on the session. if($logged_info->is_admin != 'Y') { @@ -673,12 +676,12 @@ class CommentController extends Comment } $obj->content = utf8_mbencode($obj->content); - if(!$obj->notify_message) + if (isset($obj->notify_message) && $obj->notify_message !== 'Y') { $obj->notify_message = 'N'; } - if(!$obj->is_secret) + if (isset($obj->is_secret) && $obj->is_secret !== 'Y') { $obj->is_secret = 'N'; } 
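Review bot: Moving the homepage cleanup after the member-info block means `escape()` and the `http://` prefix now also apply to `$logged_info->homepage` copied from the member profile, which the old ordering left untouched; if profile homepages are stored already escaped, this double-encodes them, so confirm how that value is stored. Independently, `preg_match('/^[a-z]+:\/\//i', ...)` only checks that some scheme is present; limiting it to `https?://` (or rejecting anything else) would keep non-web schemes out of the stored link unless output-side filtering already covers that. The enclosing method continues outside the hunk.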
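Review bot: The new guards `isset($obj->notify_message) && $obj->notify_message !== 'Y'` (and the `is_secret` twin) change two things at once: a value other than 'Y' is now forced to 'N', and an absent value is left absent instead of being set to 'N', and a comment should state which of those is the intent, e.g. `// Normalize to 'Y'/'N'; leave absent so the query default applies`. If the insert query has no default for these columns, the absent case could now store NULL where the old code stored 'N', which is worth checking against the query definition.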
@@ -935,15 +938,29 @@ class CommentController extends Comment $obj->__isupdate = TRUE; - // Remove manual member info to prevent forgery. This variable can be set by triggers only. - unset($obj->manual_member_info); - // Sanitize variables $obj->comment_srl = intval($obj->comment_srl); $obj->module_srl = intval($obj->module_srl); $obj->document_srl = intval($obj->document_srl); $obj->parent_srl = intval($obj->parent_srl); + // Preserve original author info. + $source_obj = CommentModel::getComment($obj->comment_srl); + if ($source_obj->get('member_srl')) + { + $obj->member_srl = $source_obj->get('member_srl'); + $obj->user_id = $source_obj->get('user_id'); + $obj->user_name = $source_obj->get('user_name'); + $obj->nick_name = $source_obj->get('nick_name'); + $obj->email_address = $source_obj->get('email_address'); + $obj->homepage = $source_obj->get('homepage'); + } + else + { + unset($obj->member_srl); + unset($obj->user_id); + } + $obj->uploaded_count = FileModel::getFilesCount($obj->comment_srl); // call a trigger (before) @@ -953,17 +970,6 @@ class CommentController extends Comment return $output; } - // get the original data - $source_obj = CommentModel::getComment($obj->comment_srl); - if(!$source_obj->getMemberSrl()) - { - $obj->member_srl = $source_obj->get('member_srl'); - $obj->user_name = $source_obj->get('user_name'); - $obj->nick_name = $source_obj->get('nick_name'); - $obj->email_address = $source_obj->get('email_address'); - $obj->homepage = $source_obj->get('homepage'); - } - // check if permission is granted if(!$is_admin && !$source_obj->isGranted()) { 
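Review bot: In the `else` branch for a comment whose source has no `member_srl` (a guest comment), only `member_srl` and `user_id` are cleared, so request-supplied `user_name`, `nick_name`, `email_address` and `homepage` replace the stored ones; the removed block at `@@ -953,17` copied those fields from `$source_obj` in exactly that case, so a guest comment's displayed author can now be rewritten on edit. If that is intentional, a comment saying so would help; otherwise mirror the old behaviour in the `else` branch. The document counterpart at `@@ -900,8` in document.controller.php also preserves `ipaddress` from `$source_obj`, which this block does not; confirm whether the comment's ipaddress is handled elsewhere. `$source_obj` is now loaded before the `before` trigger, so any existence check on it lies outside the hunk.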
@@ -984,30 +990,6 @@ class CommentController extends Comment } } - // set modifier's information if logged-in and posting author and modifier are matched. - $logged_info = Context::get('logged_info'); - if(Context::get('is_logged') && !$obj->manual_member_info) - { - if($source_obj->member_srl == $logged_info->member_srl) - { - $obj->member_srl = $logged_info->member_srl; - $obj->user_name = $logged_info->user_name; - $obj->nick_name = $logged_info->nick_name; - $obj->email_address = $logged_info->email_address; - $obj->homepage = $logged_info->homepage; - } - } - - // if nick_name of the logged-in author doesn't exist - if($source_obj->get('member_srl') && !$obj->nick_name && !$obj->manual_member_info) - { - $obj->member_srl = $source_obj->get('member_srl'); - $obj->user_name = $source_obj->get('user_name'); - $obj->nick_name = $source_obj->get('nick_name'); - $obj->email_address = $source_obj->get('email_address'); - $obj->homepage = $source_obj->get('homepage'); - } - if(!$obj->content) { $obj->content = $source_obj->get('content'); @@ -1028,6 +1010,7 @@ class CommentController extends Comment } // remove iframe and script if not a top administrator on the session + $logged_info = Context::get('logged_info'); if($logged_info->is_admin != 'Y') { $obj->content = removeHackTag($obj->content); diff --git a/modules/document/document.controller.php b/modules/document/document.controller.php index 22f701567..a1ef8da7a 100644 --- a/modules/document/document.controller.php +++ b/modules/document/document.controller.php @@ -646,6 +646,8 @@ class DocumentController extends Document if(!$grant->manager) { unset($obj->regdate); + unset($obj->last_update); + unset($obj->last_updater); } // Serialize the $extra_vars, check the extra_vars type, because duplicate serialized avoid 
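Review bot: The non-manager `unset` list here (`regdate`, `last_update`, `last_updater`) does not match the update counterpart at `@@ -947,6` in the same file, which strips `regdate`, `last_update`, `list_order` but leaves `last_updater` in place. Update is the path where a request-supplied `last_updater` would actually matter, so unless it is overwritten server-side later in the update path, `unset($obj->last_updater);` belongs there too; `list_order` may likewise be worth stripping on insert for symmetry. The enclosing method starts outside the hunk.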
@@ -664,8 +666,22 @@ class DocumentController extends Document unset($obj->_saved_doc_content); unset($obj->_saved_doc_message); - // Remove manual member info to prevent forgery. This variable can be set by triggers only. - unset($obj->manual_member_info); + // Add the current user's info, unless it is a guest post + $logged_info = Context::get('logged_info'); + if($logged_info->member_srl && !$manual_inserted && !$isRestore) + { + $obj->member_srl = $logged_info->member_srl; + $obj->user_id = htmlspecialchars_decode($logged_info->user_id); + $obj->user_name = htmlspecialchars_decode($logged_info->user_name); + $obj->nick_name = htmlspecialchars_decode($logged_info->nick_name); + $obj->email_address = $logged_info->email_address; + $obj->homepage = $logged_info->homepage; + } + if(!$logged_info->member_srl && !$manual_inserted && !$isRestore) + { + unset($obj->member_srl); + unset($obj->user_id); + } $obj->uploaded_count = FileModel::getFilesCount($obj->document_srl); @@ -717,20 +733,6 @@ class DocumentController extends Document $obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm()); } - // Insert member's information only if the member is logged-in and not manually registered. - $logged_info = Context::get('logged_info'); - if(Context::get('is_logged') && !$manual_inserted && !$isRestore && !$obj->manual_member_info) - { - $obj->member_srl = $logged_info->member_srl; - - // user_id, user_name and nick_name already encoded - $obj->user_id = htmlspecialchars_decode($logged_info->user_id); - $obj->user_name = htmlspecialchars_decode($logged_info->user_name); - $obj->nick_name = htmlspecialchars_decode($logged_info->nick_name); - $obj->email_address = $logged_info->email_address; - $obj->homepage = $logged_info->homepage; - } - // If the tile is empty, extract string from the contents. $obj->title = escape($obj->title, false); if($obj->title == '') 
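Review bot: When `$manual_inserted` or `$isRestore` is true, request-carried `member_srl` and `user_id` pass through this block untouched, so the new arrangement relies on those flags being set only by trusted callers and never from request vars; the enclosing method's signature is outside the hunk, so that cannot be confirmed here. The removed `unset($obj->manual_member_info)` existed so that only triggers could supply author info; since the member fields are now assigned before the `before` trigger runs, a trigger can still override them, which is presumably the intent and deserves a comment such as `// Set before the trigger so triggers may override author info`.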
@@ -900,8 +902,22 @@ class DocumentController extends Document $this->_checkDocumentStatusForOldVersion($obj); } - // Remove manual member info to prevent forgery. This variable can be set by triggers only. - unset($obj->manual_member_info); + // Preserve original author info. + if ($source_obj->get('member_srl')) + { + $obj->member_srl = $source_obj->get('member_srl'); + $obj->user_id = $source_obj->get('user_id'); + $obj->user_name = $source_obj->get('user_name'); + $obj->nick_name = $source_obj->get('nick_name'); + $obj->email_address = $source_obj->get('email_address'); + $obj->homepage = $source_obj->get('homepage'); + $obj->ipaddress = $source_obj->get('ipaddress'); + } + else + { + unset($obj->member_srl); + unset($obj->user_id); + } $obj->uploaded_count = FileModel::getFilesCount($obj->document_srl); @@ -947,6 +963,8 @@ class DocumentController extends Document if(!$grant->manager) { unset($obj->regdate); + unset($obj->last_update); + unset($obj->list_order); } // Serialize the $extra_vars 
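Review bot: The `else` branch for a document whose source has no `member_srl` clears only `member_srl` and `user_id`, and with the removal at `@@ -1068,10` of `$obj->ipaddress = $source_obj->get('ipaddress')`, a guest-authored document no longer keeps its original `ipaddress` on a non-history update; whatever `$obj->ipaddress` holds at that point (set outside the hunk) is stored instead. Members' documents do keep it via the new `if` branch, so the asymmetry looks unintended; consider moving the `ipaddress` line out of the `if`, or restoring the removed fallback. `$source_obj` is loaded outside the hunk, so whether a missing document is rejected before this point cannot be seen here.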
@@ -990,29 +1008,6 @@ class DocumentController extends Document $obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm()); } - // If an author is identical to the modifier or history is used, use the logged-in user's information. - if(Context::get('is_logged') && !$manual_updated && !$obj->manual_member_info) - { - if($source_obj->get('member_srl')==$logged_info->member_srl) - { - $obj->member_srl = $logged_info->member_srl; - $obj->user_name = htmlspecialchars_decode($logged_info->user_name); - $obj->nick_name = htmlspecialchars_decode($logged_info->nick_name); - $obj->email_address = $logged_info->email_address; - $obj->homepage = $logged_info->homepage; - } - } - - // For the document written by logged-in user however no nick_name exists - if($source_obj->get('member_srl')&& !$obj->nick_name && !$obj->manual_member_info) - { - $obj->member_srl = $source_obj->get('member_srl'); - $obj->user_name = $source_obj->get('user_name'); - $obj->nick_name = $source_obj->get('nick_name'); - $obj->email_address = $source_obj->get('email_address'); - $obj->homepage = $source_obj->get('homepage'); - } - // If the tile is empty, extract string from the contents. $obj->title = escape($obj->title, false); if($obj->title == '') @@ -1068,10 +1063,6 @@ class DocumentController extends Document $args->ipaddress = $source_obj->get('ipaddress'); $output = executeQuery("document.insertHistory", $args); } - else - { - $obj->ipaddress = $source_obj->get('ipaddress'); - } // Set lang_code if the original document doesn't have it. if (!$source_obj->get('lang_code'))