Hi,

3) grant View/read permissions on "Surveys"
Are you applying global read permission on surveys?
Or applying read on an individual survey?

{"method": "list_surveys", "params": ["TOKEN", "SOMEEXISTINGUSER"], "id": 1}
Are you using the remote control mehotd as expected?
Although finally, parameters are not named but they follow an order, seems the parameter name is not correct.
I would expect to be username but not TOKEN.
https://api.limesurvey.org/classes/remotecontrol_handle.html#method_list_surveys
Again, don't think this is the issue, but the permissions.

cannot follow you here...

I tried with global and without global permissions but anyhow: If a username is passed, i.e. not null, it should return users for that user only.

As for "Are you using the remote control mehotd as expected?" API doc says:

List the survey belonging to a user (RPC function)
list_surveys(string $sSessionKey,string|null $sUsername = null): array

"sSessionKey" === TOKEN in my example..

If you apply read permissions on the global level, the user will be able to read all surveys.
Then the scenario that you should test it removing Global read permission and and allowing individual permissions on a specific survey.

{"method": "list_surveys", "params": ["TOKEN", "SOMEEXISTINGUSER"], "id": 1}
If token is the sessionKey, how are you sending the value for filtering username?

"If a username is passed, i.e. not null, it should return users for that user only."

correct: "If a username is passed, i.e. not null, it should return SURVEYS for that user only."

Get session key:

{ "method": "get_session_key", "params": ["someapiuser", "supersecret"], "id": 1 }
=> {"id":1,"result":"abf5BiVjqajsHJ4NhL0iF0hWNHsecI11","error":null}

{"method": "list_surveys", "params": ["abf5BiVjqajsHJ4NhL0iF0hWNHsecI11", "someuser"], "id": 1}
=> ALL SURVEYS (no matter if someapiuser has global permissions or not)

As mentioned before:

Doc says: list_surveys(string $sSessionKey,string|null $sUsername = null): array
=> There is always a session key; how would that work otherwise?!

As for your permission "hint": IF $sUsername != null in list_surveys(string $sSessionKey,string|null $sUsername = null): array IT MUST return only the surveys for the user otherwise that option would be useless.

If you apply read permissions on the global level, the user will be able to read all surveys.
Then the scenario that you should test it removing Global read permission and and allowing individual permissions on a specific survey.

=> This doesn't make sense. If I give a user permissions on a specific survey I would not need to pass the username param to list_surveys as it would / should then only return the users surveys anyways..

{"method": "list_surveys", "params": ["TOKEN", "SOMEEXISTINGUSER"], "id": 1}
If token is the sessionKey, how are you sending the value for filtering username?

I am sorry, I confused the coma and read it like a full-colon.

If I give a user permissions on a specific survey I would not need to pass the username param to list_surveys as it would / should then only return the users surveys anyways..

Well, not always. I think you are assuming you are connecting with user A and want to get surveys for user A.
That's not always the case.

OK, let us review it and play around with it.

As to clarify:

• You connect using a user called API, right?
• If API user has global read permission and try to get surveys for a user with restricted access, you still get all surveys, right?.

• You connect using a user called API, right?
  => correct

• If API user has global read permission and try to get surveys for a user with restricted access, you still get all surveys, right?.
  => correct

As far as I remember it used to work (as expected) on 3.x LTS

As far as I remember it used to work (as expected) on 3.x LTS

Yep. Me too. And from what I see, there hasn't been much changes around that.

PR: https://github.com/LimeSurvey/LimeSurvey/pull/2346

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33455

Fixed in Release 5.3.12+220502