Merge branch 'hotfix/1.8.39'

config/config.inc.php

@@ -29,7 +29,7 @@
 /**
  * Display XE's full version.
  */
-define('__XE_VERSION__', '1.8.38');
+define('__XE_VERSION__', '1.8.39');
 define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false));
 define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false));
 define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));

modules/file/file.model.php

@@ -218,16 +218,36 @@ function getFile($file_srl, $columnList = array())
 	 */
 	function getFiles($upload_target_srl, $columnList = array(), $sortIndex = 'file_srl', $ckValid = false)
 	{
+		$oModuleModel = getModel('module');
 		$oDocumentModel = getModel('document');
-		$oCommentModel = getModel('document');
-		$targetItem = $oDocumentModel->getDocument($upload_target_srl);
-		if(!$targetItem->isExists())
+		$oCommentModel = getModel('comment');
+		$logged_info = Context::get('logged_info');
+
+		$oDocument = $oDocumentModel->getDocument($upload_target_srl);
+
+		// comment 권한 확인
+		if(!$oDocument->isExists())
 		{
-			$targetItem = $oCommentModel->getDocument($upload_target_srl);
+			$oComment = $oCommentModel->getComment($upload_target_srl);
+			if($oComment->isExists() && $oComment->isSecret() && !$oComment->isGranted())
+			{
+				return $this->stop('msg_not_permitted');
+			}
+
+			$oDocument = $oDocumentModel->getDocument($oComment->get('document_srl'));
 		}
-		if($targetItem->isExists() && $targetItem->isSecret() && !$targetItem->isGranted())
+
+		// document 권한 확인
+		if($oDocument->isExists() && $oDocument->isSecret() && !$oDocument->isGranted())
+		{
+			return $this->stop('msg_not_permitted');
+		}
+
+		// 모듈 권한 확인
+		$grant = $oModuleModel->getGrant($oModuleModel->getModuleInfoByModuleSrl($oDocument->get('module_srl')), $logged_info);
+		if(!$grant->access)
 		{
-			return $this->stop('msg_invalid_request');
+			return $this->stop('msg_not_permitted');
 		}
 
 		$args = new stdClass();