View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 4
IDProjectCategoryView StatusDate SubmittedLast Update
18653Bug reportsUser / Groups / Rolespublic2023-02-24 12:012023-06-20 17:49
Reporter2BITS_PL Assigned ToDenisChenu  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Summary18653: getSuperAdmin return simple user
Description

If I give a user super admin permissions, the app will add them to the permissions table. When I take away super admin privileges from it, in the table it stays listed as super admin but without privileges.

This is dangerous, for example, in the case of the getSuperAdmin method, which will retrieve this user for me, because it considers him to be a super administrator, but in fact he is not (because he has no permissions).

For example, if he uses the notification system as documented to send a notification to all super admins, that non-privileged user will also receive this notification.

Steps To Reproduce
  1. Make the user super administrator
  2. Deselect the super administrator permissions for the user from point 1
  3. The method User::model()->getSuperAdmins() returns the user from point 1 who does not have super administrator privileges.

Tested: v5.4.11, I have no way to check if this problem occurs in the latest version.

TagsNo tags attached.
Bug heat4
Complete LimeSurvey version number (& build)Version 5.4.11+221114
I will donate to the project if issue is resolvedNo
Browser
Database type & versionSQL Server 2019
Server OS (if known)
Webserver software & version (if known)
PHP Versionv8.0.27 NTS x64

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2023-02-25 17:38

developer   ~73953

Last edited: 2023-03-04 18:08

The method User::model()->getSuperAdmins() returns the user from point 1 who does not have super administrator privileges.

? How do you call this method ?

Else : you right : getSuperAdmins are bad here … must find read_p =1 :)
AND : add forcedSuperAdmins https://github.com/LimeSurvey/LimeSurvey/blob/201b12fe7e2f71545d9c7eedae183829de3a58f2/application/models/Permission.php#L634

2 issues :

  1. Delete permission if none is set (like 3.X)
  2. fix getSuperAdmins check

I'm not sure we need 1
DenisChenu

DenisChenu

2023-03-04 18:09

developer   ~74032

https://github.com/LimeSurvey/LimeSurvey/pull/2968
DenisChenu

DenisChenu

2023-03-04 18:10

developer   ~74033

I fix only broken function.

I don't think we need to delete all 0 permission. And if we must do : it's another issue.
DenisChenu

DenisChenu

2023-03-06 14:35

developer   ~74039

@2BITS_PL : can you test ? https://github.com/LimeSurvey/LimeSurvey/pull/2968
gabrieljenik

gabrieljenik

2023-03-21 14:38

manager   ~74215

Added Automatic Tests
DenisChenu

DenisChenu

2023-03-22 12:31

developer   ~74221

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=34386

Related Changesets

LimeSurvey: master 2ea8a2dc

2023-03-22 13:31

DenisChenu

Committer: GitHub


Details Diff		 Fixed issue 18653: getSuperAdmin return simple user (#2968)

Co-authored-by: Lapiu Dev <devgit@lapiu.biz>		 Affected Issues
18653
mod - application/models/User.php Diff File
mod - tests/unit/models/UserTest.php Diff File

Issue History

Date Modified Username Field Change
2023-02-24 12:01 2BITS_PL New Issue
2023-02-25 17:38 DenisChenu Note Added: 73953
2023-02-25 17:38 DenisChenu Bug heat 0 => 2
2023-02-25 17:38 DenisChenu Assigned To => DenisChenu
2023-02-25 17:38 DenisChenu Status new => assigned
2023-03-04 17:03 DenisChenu Summary Does not remove super admins from the permissions table => getSuperAdmin return simple user
2023-03-04 18:08 DenisChenu Note Edited: 73953
2023-03-04 18:09 DenisChenu Note Added: 74032
2023-03-04 18:10 DenisChenu Assigned To DenisChenu => gabrieljenik
2023-03-04 18:10 DenisChenu Status assigned => ready for code review
2023-03-04 18:10 DenisChenu Note Added: 74033
2023-03-06 13:47 gabrieljenik Assigned To gabrieljenik => DenisChenu
2023-03-06 13:47 gabrieljenik Status ready for code review => ready for testing
2023-03-06 14:35 DenisChenu Note Added: 74039
2023-03-21 14:38 gabrieljenik Note Added: 74215
2023-03-21 14:38 gabrieljenik Bug heat 2 => 4
2023-03-22 07:52 DenisChenu Assigned To DenisChenu => ollehar
2023-03-22 07:52 DenisChenu Status ready for testing => ready for merge
2023-03-22 12:31 DenisChenu Changeset attached => LimeSurvey master 2ea8a2dc
2023-03-22 12:31 DenisChenu Note Added: 74221
2023-03-22 12:31 DenisChenu Assigned To ollehar => DenisChenu
2023-03-22 12:31 DenisChenu Resolution open => fixed
2023-03-22 12:31 ollehar Status ready for merge => resolved
2023-06-20 17:49 c_schmitz Status resolved => closed