View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
04633 | Bug reports | Security | public | 2010-09-28 20:21 | 2010-10-13 16:22 |
Reporter | dvickers79 | Assigned To | c_schmitz |
Priority | urgent | Severity | partial_block |
Status | closed | Resolution | fixed |
Product Version | 1.90+ |
Fixed in Version | 1.90+ |
Summary | 04633: Users Can Delete Survey Responses Without Permissions |
Description | I found (through experiencing the issue) that user accounts and permissions are unforgivably broken (possibly by design). When setting up per-survey access rights to users, one of the options is "Browse Responses." This should be fairly straightforward, other than the fact that even with users having ONLY this right, a user also inherits the ability to use the following options: 1) Display All Responses. When displaying all responses, or the last 50, the user who should have read-only access (hence the browse responses) has the ability to edit or delete entire responses from a survey. Is this intended? I would think that someone with view access shouldn't be able to delete responses. Am I missing something? I can't have my lower-level reps having this power. Is there anything I can do "now" to take these options away completely for my reps? UPDATE: Upon further review, the user does NOT have the ability to edit an existing survey; however, they DO have the ability to delete responses completely using the method illustrated above. |
Steps To Reproduce | Create a normal user in the system, give them access to a single survey that is active and has responses. Only give the user "Browse Responses" access. Give the user no global permissions. Log in as the new user, and browse responses on the survey that you have granted "Browse Responses" permissions to. Click "Browse Last 50 Responses." Notice the options to the left of the responses to edit or delete a response. Edit will NOT work, but the user CAN DELETE the response using this method. |
Tags | No tags attached. |
Attached Files | |
Bug heat | 254 |
Complete LimeSurvey version number (& build) | 1.90 |
I will donate to the project if issue is resolved | |
Browser | Mozilla Firefox |
Database type & version | MySQL 5.0.51a |
Server OS (if known) | Windows Server 2003 |
Webserver software & version (if known) | Intel Core 2 Quad 4 GB Ram |
PHP Version | 5.2.5 |

Carsten, can you check if this is intended behavior, a missing feature or a serious bug?!

Fixed in rev 9182.

Released in latest Plus version

Date Modified | Username | Field | Change |
---|---|---|---|
2010-09-28 20:21 | dvickers79 | New Issue | |
2010-09-29 15:35 | Mazi | Assigned To | => c_schmitz |
2010-09-29 15:35 | Mazi | Status | new => assigned |
2010-09-29 15:35 | Mazi | Note Added: 12924 | |
2010-10-07 21:02 | c_schmitz | Note Added: 13031 | |
2010-10-07 21:02 | c_schmitz | Status | assigned => resolved |
2010-10-07 21:02 | c_schmitz | Fixed in Version | => 1.90+ |
2010-10-07 21:02 | c_schmitz | Resolution | open => fixed |
2010-10-07 21:02 | c_schmitz | File Added: browse.php | |
2010-10-13 16:22 | c_schmitz | Note Added: 13133 | |
2010-10-13 16:22 | c_schmitz | Status | resolved => closed |
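
An added example, not LimeSurvey's code and not the change made in rev 9182: a per-action authorization check, enforced in the request handler, under which a user holding only a browse right can list responses but cannot delete them. The right names, action names, users and survey id are hypothetical.

```php
<?php
// Added illustration; not LimeSurvey code. Right names, action names,
// users and the survey id below are hypothetical / constructed.

// Each response action requires exactly one per-survey right.
// Actions missing from this map are refused (deny by default).
const ACTION_RIGHT = [
    'all'    => 'browse_response',  // "Display All Responses"
    'last50' => 'browse_response',  // "Browse Last 50 Responses"
    'edit'   => 'edit_response',
    'delete' => 'delete_response',
];

function isAllowed(array $grants, string $user, int $surveyId, string $action): bool
{
    if (!array_key_exists($action, ACTION_RIGHT)) {
        return false;
    }
    $rights = $grants[$user][$surveyId] ?? [];
    return in_array(ACTION_RIGHT[$action], $rights, true);
}

// Request handler: the check runs before any data is touched, so it holds
// whether or not the edit/delete icons were rendered in the listing.
function handleAction(array $grants, array &$responses, string $user,
                      int $surveyId, string $action, ?int $responseId = null): string
{
    if (!isAllowed($grants, $user, $surveyId, $action)) {
        return '403 Forbidden';
    }
    if ($action === 'delete' && $responseId !== null) {
        unset($responses[$surveyId][$responseId]);
        return 'deleted';
    }
    return 'ok';
}

// Constructed sample data: one browse-only rep, one fully privileged user.
$grants = [
    'rep01'   => [101 => ['browse_response']],
    'manager' => [101 => ['browse_response', 'edit_response', 'delete_response']],
];
$responses = [101 => [1 => 'answer A', 2 => 'answer B']];

foreach ([['rep01', 'last50', null], ['rep01', 'delete', 1], ['rep01', 'purge', 1],
          ['manager', 'delete', 2]] as [$user, $action, $id]) {
    printf("%-8s %-7s -> %s\n", $user, $action,
           handleAction($grants, $responses, $user, 101, $action, $id));
}
printf("responses left: %d\n", count($responses[101]));
```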