View Issue Details

This bug affects 1 person(s).
ID: 04633
Project: Bug reports
Category: Security
View Status: public
Last Update: 2010-10-13 16:22
Reporter: dvickers79
Assigned To: c_schmitz
Priority: urgent
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 1.90+
Fixed in Version: 1.90+
Summary: 04633: Users Can Delete Survey Responses Without Permissions
Description

I found (through experiencing the issue) that user accounts and permissions are unforgivably broken (possibly by design).

When setting up per-survey access rights to users, one of the options is "Browse Responses." This should be fairly straightforward, other than the fact that even with users having ONLY this right, a user also inherits the ability to use the following options:

1) Display All Responses
2) Display Last 50 Responses
3) DataEntry Screen for Survey

When displaying all responses, or the last 50, the user who should have read-only access (hence the browse responses) has the ability to edit or delete entire responses from a survey.

Is this intended? I would think that someone with view access shouldn't be able to delete responses.

Am I missing something? I can't have my lower-level reps having this power. Is there anything I can do "now" to take these options away completely for my reps?

UPDATE

Upon further review, the user does NOT have the ability to edit an existing survey; however, they DO have the ability to delete responses completely using the method illustrated above.

Steps To Reproduce

Create a normal user in the system, give them access to a single survey that is active and has responses. Only give the user "Browse Responses" access. Give the user no global permissions.

Log in as the new user, and browse responses on the survey that you have granted "Browse Responses" permissions to. Click "Browse Last 50 Responses." Notice the options to the left of the responses to edit or delete a response. Edit will NOT work, but the user CAN DELETE the response using this method.

Tags: No tags attached.
Attached Files: browse.php (27,882 bytes)
Bug heat: 254
Complete LimeSurvey version number (& build): 1.90
I will donate to the project if issue is resolved
Browser: Mozilla Firefox
Database type & version: MySQL 5.0.51a
Server OS (if known): Windows Server 2003
Webserver software & version (if known): Intel Core 2 Quad 4 GB Ram
PHP Version: 5.2.5
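
The report above comes down to a delete action that was accepted for a user holding only the "Browse Responses" right. As an added example (not LimeSurvey code and not the fix from rev 9182), the PHP below maps each request action to the one right it requires and refuses anything unmapped; the right names, action names and sample grants are hypothetical.

```php
<?php
// Added illustration; not LimeSurvey code. Right and action names are hypothetical.

// Constructed per-survey grants: user => survey id => list of rights.
$grants = [
    'rep1'  => [101 => ['browse_response']],
    'lead1' => [101 => ['browse_response', 'delete_response']],
];

// Each request action names the single right it needs. Actions missing
// from this map are refused, so a new action is denied until it is mapped.
const REQUIRED_RIGHT = [
    'all'    => 'browse_response',  // Display All Responses
    'last50' => 'browse_response',  // Display Last 50 Responses
    'delete' => 'delete_response',  // delete one response
];

function isAllowed(array $grants, string $user, int $surveyId, string $action): bool
{
    if (!array_key_exists($action, REQUIRED_RIGHT)) {
        return false; // unknown action: deny by default
    }
    $rights = $grants[$user][$surveyId] ?? [];
    return in_array(REQUIRED_RIGHT[$action], $rights, true);
}

// Server-side handler. The check runs on the request itself, so the data
// is protected whether or not the list view renders a delete icon.
function handleRequest(array $grants, string $user, int $surveyId, string $action): string
{
    if (!isAllowed($grants, $user, $surveyId, $action)) {
        return "403 $action denied for $user";
    }
    return "200 $action ok for $user";
}

// Constructed requests: a browse-only rep, a lead with delete, an unmapped action.
$requests = [['rep1', 'last50'], ['rep1', 'delete'], ['lead1', 'delete'], ['rep1', 'export']];
foreach ($requests as [$user, $action]) {
    echo handleRequest($grants, $user, 101, $action), PHP_EOL;
}
```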


Activities

Mazi (updater), 2010-09-29 15:35, ~12924

Carsten, can you check if this is intended behavior, a missing feature or a serious bug?!

c_schmitz (administrator), 2010-10-07 21:02, ~13031

Fixed in rev 9182.
Please use the attached file.

c_schmitz (administrator), 2010-10-13 16:22, ~13133

Released in latest Plus version

Issue History

Date Modified | Username | Field | Change
2010-09-28 20:21 | dvickers79 | New Issue |
2010-09-29 15:35 | Mazi | Assigned To | => c_schmitz
2010-09-29 15:35 | Mazi | Status | new => assigned
2010-09-29 15:35 | Mazi | Note Added: 12924 |
2010-10-07 21:02 | c_schmitz | Note Added: 13031 |
2010-10-07 21:02 | c_schmitz | Status | assigned => resolved
2010-10-07 21:02 | c_schmitz | Fixed in Version | => 1.90+
2010-10-07 21:02 | c_schmitz | Resolution | open => fixed
2010-10-07 21:02 | c_schmitz | File Added: browse.php |
2010-10-13 16:22 | c_schmitz | Note Added: 13133 |
2010-10-13 16:22 | c_schmitz | Status | resolved => closed