 |
I didn't chek update, but think there are solution |
|
|
In 3.X … send a 200 white page … (with debug or not) |
 |
OK, thanks for testing, Denis. |
|
|
I'm working on it now! |
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30260 |
|
|
Another solution could be to never send both qid AND sid together. |
|
|
Think it's the best solution, i already report this issue before 2.6lts |
|
|
question need onlky qid |
 |
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30262 |
|
|
|
|
|
Erg sorry … issue is worst i think : there are NO control even in surevyid in url … |
|
|
Really worst : http://limesurvey.local/master/questionEditor/GetAdvancedOptions?surveyid=713583&gid=296&qid=4917 : no control is done Maybe other … |
|
|
Then : Issues
We really need a better fix then the current quick fix |
|
|
Can you link to github instead of your local repo? xD |
|
|
No : it's sample url :) I can not really link to github , vbecause create a pull request is more quick than link to ght hub …
Maybe best to create a checked on LSBaseController , i do it after fixing TypeHint |
|
|
401? That's not default behaviour of LS? |
|
|
Not a 401, a 403 : https://github.com/LimeSurvey/LimeSurvey/blob/9fd5e78aa6a67b1078a05746c29bceb9f8fab7c0/application/core/Survey_Common_Action.php#L193 401 mean : you're not connected , you need to be conneceted to access this link |
|
|
403 doesn't happy anywhere else in the software. Why change the behaviour here? |
|
|
403 for all no Permission on survey … Else : show me current way : You mean leave the redirect (302) ? That broke external tool and XHR ? And because : it's always a good idea to respect standard. |
|
|
Redirect is already done EVERYWHERE in the software, Denis! It should be consistent. |
|
|
grep -r 'Permission::model' application/controllers/ -A2 | grep redirect | wc 86 redirects after permission check. |
|
|
Wait, you're talking about the ajax calls? |
|
|
It's not because old code are broken we need to add old code again and again … I don't care about ajax or not : just send good http header |
|
|
Well, I care about the software behaving consistently towards the user. :) If you want to change it to 403, make a separate dev issue or feature request. This ticket is about access bugs. |
|
|
|
|
|
With invalid survey : it's already a 403 in 3.LTS, |
 |
Fixed in Release 4.3.4+200713 |
|
|
GetAdvancedOptions still not protected Strange issue with updating sid (and not gid) : create a question without group ? See screencast |
|
|
|
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30352 |
|
|
Fixed in Release 4.3.9+200806 |
- Anonymous
