From 133abddadc83d90f2bdf4a48a7e0e06bccf8238e Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 1 Sep 2020 18:08:07 +0900
Subject: [PATCH] =?UTF-8?q?=EC=98=81=EC=B9=B4=ED=8A=B8=20=EC=83=81?=
 =?UTF-8?q?=ED=92=88=EA=B4=80=EB=A6=AC=EC=9E=90=EC=9D=98=20=EC=83=81?=
 =?UTF-8?q?=ED=92=88=EC=88=98=EC=A0=95=20=EA=B6=8C=ED=95=9C=20=EC=B2=B4?=
 =?UTF-8?q?=ED=81=AC=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/shop_admin/itemformupdate.php | 9 +++++++++
 adm/shop_admin/itemlistupdate.php | 14 ++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/adm/shop_admin/itemformupdate.php b/adm/shop_admin/itemformupdate.php
index dd8ba58a4..0cd784a29 100644
--- a/adm/shop_admin/itemformupdate.php
+++ b/adm/shop_admin/itemformupdate.php
@@ -22,6 +22,15 @@ $ca_id = isset($ca_id) ? preg_replace('/[^0-9a-z]/i', '', $ca_id) : '';
 $ca_id2 = isset($ca_id2) ? preg_replace('/[^0-9a-z]/i', '', $ca_id2) : '';
 $ca_id3 = isset($ca_id3) ? preg_replace('/[^0-9a-z]/i', '', $ca_id3) : '';
+if ($is_admin != 'super') { // 최고관리자가 아니면 체크
+    $sql = "select b.ca_mb_id from {$g5['g5_shop_item_table']} a , {$g5['g5_shop_category_table']} b where (a.ca_id = b.ca_id) and a.it_id = '$it_id'";
+    $checks = sql_fetch($sql);
+
+    if( ! $checks['ca_mb_id'] || $checks['ca_mb_id'] !== $member['mb_id'] ){
+        alert("해당 분류의 관리회원이 아닙니다.");
+    }
+}
+
+
 // 파일정보
 if($w == "u") {
     $sql = " select it_img1, it_img2, it_img3, it_img4, it_img5, it_img6, it_img7, it_img8, it_img9, it_img10
diff --git a/adm/shop_admin/itemlistupdate.php b/adm/shop_admin/itemlistupdate.php
index 83a6fc6f4..303e3a899 100644
--- a/adm/shop_admin/itemlistupdate.php
+++ b/adm/shop_admin/itemlistupdate.php
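Review bot: `$it_id` is interpolated unescaped into the new authorization query (`a.it_id = '$it_id'`); unless it is already reduced to a safe character class earlier in this file (outside the hunk), wrap it the way itemlistupdate.php does in the same commit, e.g. `a.it_id = '".sql_real_escape_string($it_id)."'`, so the access check itself stays injection-safe regardless of how `$it_id` is derived. The check compares only the item's current primary category (`a.ca_id`) against the manager; the posted `$ca_id`/`$ca_id2`/`$ca_id3` sanitized just above are never verified, so a category manager can still move an item into a category they do not manage — the same gap exists in itemlistupdate.php, where `ca_id = $p_ca_id` is written right after the check. If this script also handles the insert case (`$w == ''`), the join finds no row for a not-yet-existing `$it_id` and the alert fires for legitimate managers too; gating the lookup on `$w == 'u'` and checking the posted category for inserts would cover both. `sql_fetch()` may return a non-array when no row matches, so `empty($checks['ca_mb_id'])` is a safer spelling than `! $checks['ca_mb_id']`.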
@@ -35,6 +35,16 @@ if ($_POST['act_button'] == "선택수정") {
         $p_it_use = is_array($_POST['it_use']) ? strip_tags($_POST['it_use'][$k]) : '';
         $p_it_soldout = is_array($_POST['it_soldout']) ? strip_tags($_POST['it_soldout'][$k]) : '';
         $p_it_order = is_array($_POST['it_order']) ? strip_tags($_POST['it_order'][$k]) : '';
+        $p_it_id = preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k]);
+
+        if ($is_admin != 'super') { // 최고관리자가 아니면 체크
+            $sql = "select a.it_id, b.ca_mb_id from {$g5['g5_shop_item_table']} a , {$g5['g5_shop_category_table']} b where (a.ca_id = b.ca_id) and a.it_id = '$p_it_id'";
+            $checks = sql_fetch($sql);
+
+            if( ! $checks['ca_mb_id'] || $checks['ca_mb_id'] !== $member['mb_id'] ){
+                continue;
+            }
+        }
         $sql = "update {$g5['g5_shop_item_table']} set ca_id = '".sql_real_escape_string($p_ca_id)."',
@@ -50,11 +60,11 @@ if ($_POST['act_button'] == "선택수정") {
                 it_soldout = '".sql_real_escape_string($p_it_soldout)."',
                 it_order = '".sql_real_escape_string($p_it_order)."',
                 it_update_time = '".G5_TIME_YMDHIS."'
-            where it_id = '".preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k])."' ";
+            where it_id = '".$p_it_id."' ";
         sql_query($sql);
-        if( function_exists('shop_seo_title_update') ) shop_seo_title_update(preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k]), true);
+        if( function_exists('shop_seo_title_update') ) shop_seo_title_update($p_it_id, true);
     }
 } else if ($_POST['act_button'] == "선택삭제") {
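Review bot: The `continue` silently drops every row the manager is not allowed to edit, so the batch reports success while some selections were never updated and nothing is left for audit; collect them instead, e.g. `$skipped[] = $p_it_id; continue;`, and report the list with `alert()` after the loop (the enclosing `foreach` starts and ends outside this hunk). Unlike the `$p_it_*` assignments above it, `$p_it_id` reads `$_POST['it_id'][$k]` without the `is_array(...)` guard; `$p_it_id = is_array($_POST['it_id']) ? preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k]) : '';` keeps the style consistent and avoids a warning on malformed input. Whitelisting `$p_it_id` before it reaches the lookup query and reusing it for the `where` clause is the right call; a one-line comment such as `// it_id is reduced to [a-z0-9_-] above, so it is safe to interpolate` would make that contract explicit for the next maintainer.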