From c122946e211af11cb5a86af042547ddeb17b05d8 Mon Sep 17 00:00:00 2001
From: bnu
Date: Tue, 30 May 2017 12:48:31 +0900
Subject: [PATCH 1/2] =?UTF-8?q?#2092=20=EC=9D=B4=EC=8A=88=EC=97=90?= =?UTF-8?q?=EC=84=9C=20=EB=8B=A4=EB=A5=B8=20=EC=9E=98=EB=AA=BB=EB=90=9C=20?= =?UTF-8?q?=EC=BD=94=EB=93=9C=20=EC=88=98=EC=A0=95=20=EB=B0=8F=20=EB=B3=B4?= =?UTF-8?q?=EC=99=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 modules/file/file.model.php | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/modules/file/file.model.php b/modules/file/file.model.php
index dd3b5a9588..f73a43430e 100644
--- a/modules/file/file.model.php
+++ b/modules/file/file.model.php
@@ -218,16 +218,36 @@ function getFile($file_srl, $columnList = array())
 */
 function getFiles($upload_target_srl, $columnList = array(), $sortIndex = 'file_srl', $ckValid = false)
 {
+ $oModuleModel = getModel('module');
 $oDocumentModel = getModel('document');
- $oCommentModel = getModel('document');
- $targetItem = $oDocumentModel->getDocument($upload_target_srl);
- if(!$targetItem->isExists())
+ $oCommentModel = getModel('comment');
+ $logged_info = Context::get('logged_info');
+
+ $oDocument = $oDocumentModel->getDocument($upload_target_srl);
+
+ // comment 권한 확인
+ if(!$oDocument->isExists())
 {
- $targetItem = $oCommentModel->getDocument($upload_target_srl);
+ $oComment = $oCommentModel->getComment($upload_target_srl);
+ if($oComment->isExists() && $oComment->isSecret() && !$oComment->isGranted())
+ {
+ return $this->stop('msg_not_permitted');
+ }
+
+ $oDocument = $oDocumentModel->getDocument($oComment->get('document_srl'));
 }
- if($targetItem->isExists() && $targetItem->isSecret() && !$targetItem->isGranted())
+
+ // document 권한 확인
+ if($oDocument->isExists() && $oDocument->isSecret() && !$oDocument->isGranted())
+ {
+ return $this->stop('msg_not_permitted');
+ }
+
+ // 모듈 권한 확인
+ $grant = $oModuleModel->getGrant($oModuleModel->getModuleInfoByModuleSrl($oDocument->get('module_srl')), $logged_info);
+ if(!$grant->access)
 {
- return $this->stop('msg_invalid_request');
+ return $this->stop('msg_not_permitted');
 }
 
 $args = new stdClass();
From 0e416bbe1a8f3de8eed21b67662ab3a0852441bb Mon Sep 17 00:00:00 2001
From: bnu
Date: Tue, 30 May 2017 14:14:49 +0900
Subject: [PATCH 2/2] version 1.8.39
---
 config/config.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/config.inc.php b/config/config.inc.php
index f39ac81e77..0df2e81338 100644
--- a/config/config.inc.php
+++ b/config/config.inc.php
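Review bot: When `$upload_target_srl` matches neither a document nor a comment, the comment branch still calls `$oComment->get('document_srl')` on a non-existent comment, and the module check then runs `getGrant()` on whatever `getModuleInfoByModuleSrl()` returns for an empty `module_srl`. The access decision for that case therefore rests on how those helpers treat missing input (not visible in this hunk) instead of on an explicit rule, so it could either fail open or block file lists for other upload targets. I would make the outcome explicit before the module check, for example `if(!$oDocument->isExists()) return $this->stop('msg_not_permitted');`, or skip the grant lookup deliberately if files may be attached to targets other than documents and comments. A short comment on each of the three checks saying which object's permission is tested, and why the parent document is re-loaded for a comment, would also help. The body of getFiles() continues past the end of the hunk.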
@@ -29,7 +29,7 @@
 /**
 * Display XE's full version.
 */
-define('__XE_VERSION__', '1.8.38');
+define('__XE_VERSION__', '1.8.39');
 define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false));
 define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false));
 define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));