View Issue Details

This bug affects 1 person(s).
ID: 05477
Project: Bug reports
Category: Security
View Status: public
Last Update: 2011-10-08 22:18
Reporter: sheddington
Assigned To: lemeur
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 1.91+
Fixed in Version: 1.91+
Summary: 05477: Users with all rights unticked still see everyone in the system

Description

"usercontrolSameGroupPolicy : set to true by default. By default non admin users defined in the LimeSurvey management interface will only be able to see other users if they belong to at least one group this user belongs to."

...however, after checking this is true in both config file and in global settings, it still is allowing the 'no-privileges' user to see a list of all other users in the system (I have created a user group just for this user, so this should, by the above description, mean they can't see everyone outside the group).

We are on the latest version ( Version 1.91+ Build 11026 ).

Steps To Reproduce

See screenshots attached for a rough walkthrough. I've blurred out some usernames etc but you can see clearly the issue here.

  1. shows the demo user in the users list
  2. shows the demo user has all rights unticked
  3. we set up a test survey and put only the demo user (with access to the result stats only ticked)
  4. logging in as the demo user, you can get a list of all users on the system using the dropdown
  5. shows the global setting is set correctly
  6 & 7. show the usercontrolsamegrouppolicy is set to true in the 2 config files

Additional Information

This matters if you have an install which is being used by more than one client and you don't want the users to have access to a list of all other users. The best way, I think, is for the owner column not to be displayed at all for users who don't have full admin permissions.

Tags: No tags attached.
Attached Files
Bug heat: 256
Complete LimeSurvey version number (& build): 11026
I will donate to the project if issue is resolved: No
Browser: IE & Firefox on PC, Firefox on Mac
Database type & version: MySQL client version: 5.1.48
Server OS (if known): Redhat Linux
Webserver software & version (if known): Apache/2 (I think)
PHP Version: 5.2

Activities

Mazi

2011-09-26 17:45

updater   ~16327

Thibault, can you have a look? If that is not your business, please assign the ticket to Carsten.

Mazi

2011-09-26 17:47

updater   ~16328

I see in one of your screenshots that the "demo" user also seems to be able to edit other user accounts, at least there is an edit icon shown for each user listed.
Can you check if "demo" can edit this data!?

sheddington

2011-09-26 17:58

reporter   ~16329

The user can select one of the names on the drop-down, but then clicking the 'update' button doesn't change whoever is listed as owner originally.

lemeur

2011-09-27 23:46

developer   ~16341

fixed in build 11054

sheddington

2011-09-28 12:33

reporter   ~16346

Hi, sorry to be thick but is build 11054 a future release? Just wondered if this was available somewhere now.
Thanks for looking at this so quickly BTW.

lemeur

2011-09-28 13:04

developer   ~16347

Next stable plus release (later this week) will have a build number > 11054 and thus will integrate this fix.

Mazi

2011-09-28 15:27

updater   ~16348

Usually there are weekly bugfix releases.

As an alternative you can try to replace your surveylist.php file with this one: http://limesurvey.svn.sourceforge.net/viewvc/limesurvey?view=revision&revision=11054

sheddington

2011-09-28 16:07

reporter   ~16349

That works fine now, thank you. 'No rights' users now see just themselves and the admin user name in the owner lists.
As long as the admin user password is suitably complex, this deals with the security aspect.

lemeur

2011-09-29 00:09

developer   ~16350

Take care when replacing a core file of LS: this will break automatic update.
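
The visibility rule quoted in the description, enforced on the server for both the owner dropdown and the submitted owner change, as an added example (not LimeSurvey's code and not part of this ticket). The function names, array layout and sample users are hypothetical, and treating superadmins or a disabled policy as "see everyone" is an assumption.

```php
<?php
// Added example, not LimeSurvey code; every name below is hypothetical.

/**
 * User ids that $viewerId may see in a user list or survey-owner dropdown.
 * $users:       uid => array('name' => string, 'superadmin' => bool)
 * $memberships: uid => list of group ids
 */
function visibleUserIds($viewerId, array $users, array $memberships, $sameGroupPolicy = true)
{
    if (!isset($users[$viewerId])) {
        return array();            // unknown viewer: fail closed
    }
    // Assumption: superadmins, or a disabled policy, get the full list.
    if (!empty($users[$viewerId]['superadmin']) || !$sameGroupPolicy) {
        return array_keys($users);
    }
    $viewerGroups = isset($memberships[$viewerId]) ? $memberships[$viewerId] : array();
    $visible = array($viewerId);   // a user always sees their own account
    foreach ($users as $uid => $unused) {
        $groups = isset($memberships[$uid]) ? $memberships[$uid] : array();
        if ($uid !== $viewerId && array_intersect($viewerGroups, $groups)) {
            $visible[] = $uid;     // shares at least one group with the viewer
        }
    }
    return $visible;
}

/** Re-check on submit, so hiding names in the dropdown is not the only control. */
function canAssignOwner($viewerId, $newOwnerId, array $users, array $memberships, $policy = true)
{
    return in_array($newOwnerId, visibleUserIds($viewerId, $users, $memberships, $policy), true);
}

// Constructed sample data mirroring the report: "demo" sits alone in its own group.
$users = array(
    1 => array('name' => 'admin',   'superadmin' => true),
    2 => array('name' => 'demo',    'superadmin' => false),
    3 => array('name' => 'clientA', 'superadmin' => false),
    4 => array('name' => 'clientB', 'superadmin' => false),
);
$memberships = array(2 => array(10), 3 => array(20), 4 => array(20));

print_r(visibleUserIds(2, $users, $memberships));      // viewer: demo
print_r(visibleUserIds(3, $users, $memberships));      // viewer: clientA
var_dump(canAssignOwner(2, 3, $users, $memberships));  // demo tries to hand a survey to clientA
```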

Issue History

Date Modified | Username | Field | Change
2011-09-26 15:23 | sheddington | New Issue |
2011-09-26 15:23 | sheddington | File Added: lime survey issue screenshots.zip |
2011-09-26 17:45 | Mazi | Note Added: 16327 |
2011-09-26 17:45 | Mazi | Assigned To | => lemeur
2011-09-26 17:45 | Mazi | Status | new => assigned
2011-09-26 17:47 | Mazi | Note Added: 16328 |
2011-09-26 17:47 | Mazi | Status | assigned => feedback
2011-09-26 17:58 | sheddington | Note Added: 16329 |
2011-09-26 17:58 | sheddington | Status | feedback => assigned
2011-09-27 23:46 | lemeur | Note Added: 16341 |
2011-09-27 23:46 | lemeur | Status | assigned => resolved
2011-09-27 23:46 | lemeur | Fixed in Version | => 1.91+
2011-09-27 23:46 | lemeur | Resolution | open => fixed
2011-09-28 12:33 | sheddington | Note Added: 16346 |
2011-09-28 13:04 | lemeur | Note Added: 16347 |
2011-09-28 15:27 | Mazi | Note Added: 16348 |
2011-09-28 16:07 | sheddington | Note Added: 16349 |
2011-09-29 00:09 | lemeur | Note Added: 16350 |
2011-10-08 22:18 | c_schmitz | Status | resolved => closed