View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
05477 | Bug reports | Security | public | 2011-09-26 15:23 | 2011-10-08 22:18 |

Field | Value |
---|---|
Reporter | sheddington |
Assigned To | lemeur |
Priority | normal |
Severity | minor |
Status | closed |
Resolution | fixed |
Product Version | 1.91+ |
Fixed in Version | 1.91+ |
Summary | 05477: Users with all rights unticked still see everyone in the system |
Description | "usercontrolSameGroupPolicy : set to true by default. By default non admin users defined in the LimeSurvey management interface will only be able to see other users if they belong to at least one group this user belongs to." ...however, after checking this is true in both config file and in global settings, it still is allowing the 'no-privileges' user to see a list of all other users in the system (I have created a user group just for this user, so this should, by the above description, mean they can't see everyone outside the group). We are on the latest version ( Version 1.91+ Build 11026 ). |
Steps To Reproduce | See screenshots attached for a rough walkthrough. I've blurred out some usernames etc but you can see clearly the issue here. |
Additional Information | This matters if you have an install which is being used by more than one client and you don't want the users to have access to a list of all other users. The best way, I think, is for the owner column not to be displayed at all for users who don't have full admin permissions. |
Tags | No tags attached. |
Attached Files | |
Bug heat | 256 |
Complete LimeSurvey version number (& build) | 11026 |
I will donate to the project if issue is resolved | No |
Browser | IE & Firefox on PC, Firefox on Mac |
Database type & version | MySQL client version: 5.1.48 |
Server OS (if known) | Redhat Linux |
Webserver software & version (if known) | Apache/2 (I think) |
PHP Version | 5.2 |

Thibault, can you have a look? If that is not your business, please assign the ticket to Carsten.

I see in one of your screenshots that the "demo" user also seems to be able to edit other user accounts, at least there is an edit icon shown for each user listed.

The user can select one of the names on the drop-down but then clicking the 'update' button doesn't change whoever is listed as owner originally.

Fixed in build 11054.

Hi, sorry to be thick but is build 11054 a future release? Just wondered if this was available somewhere now.

Next stable plus release (later this week) will have a buildnumber > 11054 and thus will integrate this fix.

Usually there are weekly bugfix releases. As an alternative you can try to replace your surveylist.php file with this one: http://limesurvey.svn.sourceforge.net/viewvc/limesurvey?view=revision&revision=11054

That works fine now, thank you. 'No rights' users now see just themselves and the admin user name in the owner lists.

Take care when replacing a core file of LS: this will break automatic update.

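
The visibility rule quoted in the description, together with a server-side check on the owner change, as an added PHP example. It is not LimeSurvey's code or the change made in build 11054; the function names, the `superadmin` flag and the sample users and groups (including the admin being a member of each group) are assumptions constructed for illustration.

```php
<?php
// Added illustration; not LimeSurvey code. All names and data are constructed.

/** Return the user ids that $viewerId may see in an owner list. */
function visibleUserIds($viewerId, array $users, array $groups, $sameGroupPolicy)
{
    // Full administrators, or installs with the policy switched off, see everyone.
    if (!empty($users[$viewerId]['superadmin']) || !$sameGroupPolicy) {
        return array_keys($users);
    }
    $visible = array($viewerId => true);   // a user always sees themselves
    foreach ($groups as $members) {
        if (in_array($viewerId, $members, true)) {
            // Every member of a group the viewer belongs to becomes visible.
            foreach ($members as $uid) {
                if (isset($users[$uid])) {
                    $visible[$uid] = true;
                }
            }
        }
    }
    return array_keys($visible);
}

/** Server-side check for an owner change; hiding names in the drop-down is not enough. */
function canAssignOwner($viewerId, $newOwnerId, array $users, array $groups, $sameGroupPolicy)
{
    $allowed = visibleUserIds($viewerId, $users, $groups, $sameGroupPolicy);
    return in_array($newOwnerId, $allowed, true);
}

// Constructed sample data: two clients sharing one install.
$users = array(
    1 => array('name' => 'admin',   'superadmin' => true),
    2 => array('name' => 'clientA', 'superadmin' => false),
    3 => array('name' => 'clientB', 'superadmin' => false),
    4 => array('name' => 'demo',    'superadmin' => false),
);
$groups = array(
    'clientA-team' => array(1, 2),
    'demo-only'    => array(1, 4),   // group created just for the restricted user
);

// Owner list for the restricted user with the policy enabled.
foreach (visibleUserIds(4, $users, $groups, true) as $uid) {
    echo $users[$uid]['name'], "\n";
}
// Owner change to a user outside the viewer's groups, policy on and off.
var_dump(canAssignOwner(4, 3, $users, $groups, true));
var_dump(canAssignOwner(4, 3, $users, $groups, false));
```
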
Date Modified | Username | Field | Change |
---|---|---|---|
2011-09-26 15:23 | sheddington | New Issue | |
2011-09-26 15:23 | sheddington | File Added: lime survey issue screenshots.zip | |
2011-09-26 17:45 | Mazi | Note Added: 16327 | |
2011-09-26 17:45 | Mazi | Assigned To | => lemeur |
2011-09-26 17:45 | Mazi | Status | new => assigned |
2011-09-26 17:47 | Mazi | Note Added: 16328 | |
2011-09-26 17:47 | Mazi | Status | assigned => feedback |
2011-09-26 17:58 | sheddington | Note Added: 16329 | |
2011-09-26 17:58 | sheddington | Status | feedback => assigned |
2011-09-27 23:46 | lemeur | Note Added: 16341 | |
2011-09-27 23:46 | lemeur | Status | assigned => resolved |
2011-09-27 23:46 | lemeur | Fixed in Version | => 1.91+ |
2011-09-27 23:46 | lemeur | Resolution | open => fixed |
2011-09-28 12:33 | sheddington | Note Added: 16346 | |
2011-09-28 13:04 | lemeur | Note Added: 16347 | |
2011-09-28 15:27 | Mazi | Note Added: 16348 | |
2011-09-28 16:07 | sheddington | Note Added: 16349 | |
2011-09-29 00:09 | lemeur | Note Added: 16350 | |
2011-10-08 22:18 | c_schmitz | Status | resolved => closed |