View Issue Details

This bug affects 1 person(s).
ID: 05520
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2013-11-12 04:41
Reporter: TMSWhite
Assigned To: magiclko
Priority: high
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 2.00a1
Fixed in Version: 2.00a2
Summary: 05520: can't preview group
Description

Get message "We are sorry but you don't have permissions to do this." when trying to preview group of surveys - for both active and inactive surveys.

Additional Information

Function _canUserPreviewSurvey() in survey.php always returns false because $_SESSION is an empty array when it is called.

Tags: No tags attached.
Bug heat: 10
Complete LimeSurvey version number (& build): 11199
I will donate to the project if issue is resolved: No
Browser:
Database type & version: Mysql 5.3
Server OS (if known): Windows XP
Webserver software & version (if known): Apache 2
PHP Version: 5.2

Users monitoring this issue

huuthotp

Activities

TMSWhite

2011-10-19 03:35

reporter   ~16467

_surveyCantBeViewedWithCurrentPreviewAccess() in survey.php also calls _canUserPreviewSurvey(), and $_SESSION still does not contain 'loginID' or 'USER_RIGHT_SUPERADMIN'.

_surveyCantBeViewedWithCurrentPreviewAccess() returns false, but preview is allowed due to a kludge in _userHasPreviewAccessSession() which returns true even though $_SESSION['USER_RIGHT_PREVIEW'] does not exist.

c_schmitz

2011-10-19 13:14

administrator   ~16471

Also a survey can still be previewed without being admin.

mot

2011-10-23 18:15

reporter   ~16496

Previewing a group is now possible if you come from admin and you haven't done a survey preview earlier.

Actually previewing a group does not really work anyway because it will preview the whole survey.

Related to access rights I now extended the session setup routine that gets called at the top of the survey controller action action so that it imports the 'loginID' and another variable from the admin session in case the survey runtime session does not exist and there is actually an admin session to import from.

I suggest that the preview functionality is refactored out of the survey controller action action into a preview action. On top of the preview action we could import sessions as it's done now, then only rely on loginID and pull authentication data from the database based on the loginID to ensure only valid users can call it.

Additionally for the session management it's important that when a survey preview has been done, the session gets destroyed.

For the general survey preview I smell a flaw that this functionality is not properly checking pre-conditions and continues brutally so therefore manages to destroy the survey runtime session and then destroys any further preview functionality due to not set loginID.
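Added example, not part of any note in this thread and not LimeSurvey code: the fail-open session check described in note ~16467 next to a fail-closed check that trusts only loginID and re-loads rights from the user store, as proposed in note ~16496. All function names, the `$loadUser` callback (standing in for a database query) and the user records are assumptions.

```php
<?php
// Added example: every name here is hypothetical, not a LimeSurvey function.

// Fail-open pattern as described in note ~16467: a missing key grants access.
function previewAllowedFailOpen(array $session): bool
{
    if (!isset($session['USER_RIGHT_PREVIEW'])) {
        return true;
    }
    return (bool) $session['USER_RIGHT_PREVIEW'];
}

// Fail-closed variant of the proposal in note ~16496: take only loginID from
// the session and load the rights from the user store on every request.
// $loadUser stands in for a database lookup (assumption).
function previewAllowedFailClosed(array $session, int $surveyId, callable $loadUser): bool
{
    $loginId = filter_var($session['loginID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($loginId === false) {
        return false; // no usable admin identity in the session: deny
    }
    $user = $loadUser($loginId);
    if ($user === null || empty($user['active'])) {
        return false; // unknown or disabled account: deny
    }
    if (!empty($user['superadmin'])) {
        return true;
    }
    return in_array($surveyId, $user['preview_surveys'] ?? [], true);
}

// Constructed sample records standing in for the users table.
$users = [
    1 => ['active' => true,  'superadmin' => true,  'preview_surveys' => []],
    2 => ['active' => true,  'superadmin' => false, 'preview_surveys' => [95917]],
    3 => ['active' => false, 'superadmin' => false, 'preview_surveys' => [95917]],
];
$loadUser = fn(int $id): ?array => $users[$id] ?? null;

// Constructed sessions: empty, valid editor, disabled user, leftover flag only.
$cases = [[], ['loginID' => 2], ['loginID' => 3], ['USER_RIGHT_PREVIEW' => 1]];
$word = fn(bool $v): string => $v ? 'allow' : 'deny';
foreach ($cases as $session) {
    printf("%-28s fail-open=%-5s fail-closed=%s\n", json_encode($session),
        $word(previewAllowedFailOpen($session)),
        $word(previewAllowedFailClosed($session, 95917, $loadUser)));
}
```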

mot

2011-10-23 21:28

reporter   ~16499

Last edited: 2011-10-24 20:34

The survey preview is not using any user-related data, not importing admin sessions therefore. Routes in question:

survey: index.php/survey/sid/95917/newtest/Y/lang/en

group: index.php/survey/action/previewgroup/sid/95917/gid/1

As the group uses the same session id, it's not possible to import data from admin any longer (or this must be enforced, which might be another option). So far for the status quo.

TMSWhite

2012-01-20 15:42

reporter   ~16850

Fixed this in _Yii version

magiclko

2012-01-26 19:57

reporter   ~16997

TMSWhite: When I try to reproduce the issue, I see errors like "Column not found: 1054 Unknown column 'datestamp' in 'field list'.". When I looked into it, there are a few lines in em_manager_helper.php (ln no 3104) which assume the existence of certain columns, but the fact is that these columns are created in a specific survey table based on certain options, which the user might or might not opt for. E.g. if Datestamp is set to "Yes" then only columns 'datestamp' and 'startdate' will be created in prefixsurvey<sid>, else not. So, how do you want me to fix it? Check if those columns exist and then proceed or what? Further, in the $sdata array, two indexes with the same name 'datestamp'?

TMSWhite

2012-01-26 20:03

reporter   ~16998

Does removing the first $datestamp entry fix the problem - the second entry checks whether datestamp is supposed to be set.

Yes, please fix it there (by only including in $sdata the columns that exist - it should be possible to find that out from the survey settings rather than having to query the table metadata).

BTW, this doesn't throw an error in _dev because ADOdb doesn't balk if it gets passed invalid fields. However, once you've figured out a fix, I can clean up _dev.

magiclko

2012-01-26 22:46

reporter   ~17003

Removing first 'datestamp' doesn't fix it. Checking for columns did. Also, added a precaution message at frontend_helper in case createFieldMap() is called with $style="short" so that Yii doesn't show undefined index errors.

If the fix doesn't work, clear the session!

Fixed in rev 12221.

c_schmitz

2012-03-11 16:32

administrator   ~17862

2.00alpha 2 Build 120212 released

Issue History

Date Modified Username Field Change
2011-10-19 03:26 TMSWhite New Issue
2011-10-19 03:35 TMSWhite Note Added: 16467
2011-10-19 13:14 c_schmitz Assigned To => mot
2011-10-19 13:14 c_schmitz Status new => assigned
2011-10-19 13:14 c_schmitz Note Added: 16471
2011-10-23 18:15 mot Note Added: 16496
2011-10-23 21:28 mot Note Added: 16499
2011-10-24 20:34 mot Note Edited: 16499
2012-01-20 15:42 TMSWhite Note Added: 16850
2012-01-20 15:42 TMSWhite Status assigned => resolved
2012-01-20 15:42 TMSWhite Resolution open => fixed
2012-01-24 21:31 c_schmitz Assigned To mot => magiclko
2012-01-24 21:31 c_schmitz Status resolved => feedback
2012-01-24 21:31 c_schmitz Resolution fixed => reopened
2012-01-24 21:32 c_schmitz Status feedback => assigned
2012-01-26 19:57 magiclko Note Added: 16997
2012-01-26 20:03 TMSWhite Note Added: 16998
2012-01-26 22:46 magiclko Note Added: 17003
2012-01-26 22:47 magiclko Status assigned => resolved
2012-01-26 22:47 magiclko Resolution reopened => fixed
2012-01-30 18:44 c_schmitz Fixed in Version => 2.00a2
2012-03-11 16:32 c_schmitz Note Added: 17862
2012-03-11 16:32 c_schmitz Status resolved => closed
2013-11-12 04:41 huuthotp Issue Monitored: huuthotp
2019-11-01 17:25 c_schmitz Category Survey design => Survey editing
2021-08-04 10:05 guest Bug heat 8 => 10