[fix] gnuboard#625 게시글 수정시 작성자 검증 로직 수정

관리자
  - 비밀번호 없이 모든 글 수정 가능하도록 변경

Author: Junanjunan

api/v1/routers/board.py

@@ -243,7 +243,9 @@ async def api_update_post(
     service.validate_secret_board(wr_data.secret, wr_data.html, wr_data.mail)
     service.validate_post_content(wr_data.wr_subject)
     service.validate_post_content(wr_data.wr_content)
-    service.arrange_data(wr_data, wr_data.secret, wr_data.html, wr_data.mail)
+    service.arrange_data(
+        wr_data, wr_data.secret, wr_data.html, wr_data.mail, is_update=True
+    )
     service.save_write(write, wr_data)
     service.set_notice(write.wr_id, wr_data.notice)
     service.update_children_category(wr_data)

bbs/board.py

@@ -327,7 +327,14 @@ async def create_post(
     set_write_delay(service.request)
     service.delete_auto_save(uid)
     service.save_secret_session(write.wr_id, secret)
-    service.upload_files(file_service, write, files, file_content, file_dels)
+    service.upload_files(
+        file_service,
+        write,
+        files,
+        file_content,
+        file_dels,
+        password_verified=True
+    )
     service.delete_cache()
     redirect_url = service.get_redirect_url(write)
     db.commit()
@@ -356,12 +363,19 @@ async def update_post(
     service.validate_secret_board(secret, html, mail)
     service.validate_post_content(form_data.wr_subject)
     service.validate_post_content(form_data.wr_content)
-    service.arrange_data(form_data, secret, html, mail)
+    service.arrange_data(form_data, secret, html, mail, is_update=True)
     service.save_secret_session(wr_id, secret)
     service.save_write(write, form_data)
     service.set_notice(wr_id, notice)
     service.delete_auto_save(uid)
-    service.upload_files(file_service, write, files, file_content, file_dels)
+    service.upload_files(
+        file_service,
+        write,
+        files,
+        file_content,
+        file_dels,
+        password_verified=True
+    )
     service.update_children_category(form_data)
     service.delete_cache()
     redirect_url = service.get_redirect_url(write)

service/board/board.py

@@ -85,6 +85,9 @@ def validate_write_level(self):
 
     def validate_author(self, write: WriteBaseModel, wr_password: str = None):
         """작성자 확인"""
+        if self.member.admin_type:
+            return
+
         if not is_owner(write, self.member.mb_id) and not validate_password(wr_password, write.wr_password):
             self.raise_exception(detail="작성자만 수정/삭제 할 수 있습니다.", status_code=403)
 
@@ -188,7 +191,14 @@ def get_cleaned_data(self, content):
         """Stored XSS 방지용 데이터 정제"""
         return content_sanitizer.get_cleaned_data(content)
 
-    def arrange_data(self, data: Union[WriteForm, WriteModel], secret: str, html: str, mail: str):
+    def arrange_data(
+        self,
+        data: Union[WriteForm, WriteModel],
+        secret: str,
+        html: str,
+        mail: str,
+        is_update: bool =False
+    ):
         """
         form 또는 body 형태로 들어오는 데이터를 양식에 맞게 정리
           - 항목: ca_name, wr_password, wr_name, wr_email, wr_homepage, wr_option, wr_link1, wr_link2, wr_content
@@ -204,7 +214,8 @@ def arrange_data(self, data: Union[WriteForm, WriteModel], secret: str, html: st
             data.ca_name = ""
         self.validate_wr_password(data.wr_password)
         data.wr_password = create_hash(data.wr_password) if data.wr_password else ""
-        data.wr_name = self.set_wr_name(self.member, data.wr_name)
+        if not is_update:
+            data.wr_name = self.set_wr_name(self.member, data.wr_name)
         data.wr_email = getattr(self.member, "mb_email", data.wr_email)
         data.wr_homepage = getattr(self.member, "mb_homepage", data.wr_homepage)
 
@@ -249,7 +260,8 @@ def upload_files(
         write: WriteBaseModel,
         file_list: List[UploadFile],
         file_content: List[str] = None,
-        file_dels: list = None
+        file_dels: list = None,
+        password_verified: bool = False
     ):
         """파일 업로드"""
         # files = []
@@ -258,7 +270,9 @@ def upload_files(
         #     if getattr(file, "size", None):
         #         files.append(file)
 
-        if self.member.mb_id and self.member.mb_id != write.mb_id:
+        is_not_same_mb_id = self.member.mb_id and self.member.mb_id != write.mb_id
+
+        if not self.member.admin_type and is_not_same_mb_id and not password_verified:
             self.raise_exception(status_code=403, detail="자신의 글에만 파일을 업로드할 수 있습니다.")
 
         if not self.is_upload_level():

templates/basic/board/basic/write_form.html

@@ -48,12 +48,12 @@
         </div>
         {% endif %}
 
-        {% if not login_member or (is_admin and write and write.mb_id != login_member.mb_id) %}
+        {% if not login_member or (write and write.mb_id != login_member.mb_id) %}
         <div class="write_writer">
             <label for="wr_name" class="blind">이름<strong>필수</strong></label>
             <input type="text" name="wr_name" value="{{ write.wr_name if write else login_member.mb_name }}" id="wr_name" required class="frm_input required" maxlength="20" placeholder="이름">
             <label for="wr_password" class="blind">비밀번호<strong>필수</strong></label>
-            <input type="password" name="wr_password" id="wr_password" required class="frm_input required" maxlength="20" placeholder="비밀번호">
+            <input type="password" name="wr_password" id="wr_password" {% if not request.state.is_super_admin %}required{% endif %} class="frm_input {% if not request.state.is_super_admin %}required{% endif %}" maxlength="20" placeholder="비밀번호">
             <label for="wr_email" class="blind">이메일</label>
             <input type="email" name="wr_email" value="{{ write.wr_email if write else login_member.mb_email }}" id="wr_email" class="frm_input email" maxlength="100" placeholder="이메일">
             <label for="wr_homepage" class="blind">홈페이지</label>

templates/basic/board/gallery/write_form.html

@@ -48,12 +48,12 @@
         </div>
         {% endif %}
 
-        {% if not login_member or (is_admin and write and write.mb_id != login_member.mb_id) %}
+        {% if not login_member or (write and write.mb_id != login_member.mb_id) %}
         <div class="write_writer">
             <label for="wr_name" class="blind">이름<strong>필수</strong></label>
             <input type="text" name="wr_name" value="{{ write.wr_name if write else login_member.mb_name }}" id="wr_name" required class="frm_input required" maxlength="20" placeholder="이름">
             <label for="wr_password" class="blind">비밀번호<strong>필수</strong></label>
-            <input type="password" name="wr_password" id="wr_password" required class="frm_input required" maxlength="20" placeholder="비밀번호">
+            <input type="password" name="wr_password" id="wr_password" {% if not request.state.is_super_admin %}required{% endif %} class="frm_input {% if not request.state.is_super_admin %}required{% endif %}" maxlength="20" placeholder="비밀번호">
             <label for="wr_email" class="blind">이메일</label>
             <input type="email" name="wr_email" value="{{ write.wr_email if write else login_member.mb_email }}" id="wr_email" class="frm_input email" maxlength="100" placeholder="이메일">
             <label for="wr_homepage" class="blind">홈페이지</label>

templates/basic/mobile/board/basic/write_form.html

@@ -48,12 +48,12 @@
         </div>
         {% endif %}
 
-        {% if not login_member or (is_admin and write and write.mb_id != login_member.mb_id) %}
+        {% if not login_member or (write and write.mb_id != login_member.mb_id) %}
         <div class="write_writer">
             <label for="wr_name" class="blind">이름<strong>필수</strong></label>
             <input type="text" name="wr_name" value="{{ write.wr_name if write else login_member.mb_name }}" id="wr_name" required class="frm_input required" maxlength="20" placeholder="이름">
             <label for="wr_password" class="blind">비밀번호<strong>필수</strong></label>
-            <input type="password" name="wr_password" id="wr_password" required class="frm_input required" maxlength="20" placeholder="비밀번호">
+            <input type="password" name="wr_password" id="wr_password" {% if not request.state.is_super_admin %}required{% endif %} class="frm_input {% if not request.state.is_super_admin %}required{% endif %}" maxlength="20" placeholder="비밀번호">
             <label for="wr_email" class="blind">이메일</label>
             <input type="email" name="wr_email" value="{{ write.wr_email if write else login_member.mb_email }}" id="wr_email" class="frm_input email" maxlength="100" placeholder="이메일">
             <label for="wr_homepage" class="blind">홈페이지</label>

templates/basic/mobile/board/gallery/write_form.html

@@ -48,12 +48,12 @@
         </div>
         {% endif %}
 
-        {% if not login_member or (is_admin and write and write.mb_id != login_member.mb_id) %}
+        {% if not login_member or (write and write.mb_id != login_member.mb_id) %}
         <div class="write_writer">
             <label for="wr_name" class="blind">이름<strong>필수</strong></label>
             <input type="text" name="wr_name" value="{{ write.wr_name if write else login_member.mb_name }}" id="wr_name" required class="frm_input required" maxlength="20" placeholder="이름">
             <label for="wr_password" class="blind">비밀번호<strong>필수</strong></label>
-            <input type="password" name="wr_password" id="wr_password" required class="frm_input required" maxlength="20" placeholder="비밀번호">
+            <input type="password" name="wr_password" id="wr_password" {% if not request.state.is_super_admin %}required{% endif %} class="frm_input {% if not request.state.is_super_admin %}required{% endif %}" maxlength="20" placeholder="비밀번호">
             <label for="wr_email" class="blind">이메일</label>
             <input type="email" name="wr_email" value="{{ write.wr_email if write else login_member.mb_email }}" id="wr_email" class="frm_input email" maxlength="100" placeholder="이메일">
             <label for="wr_homepage" class="blind">홈페이지</label>