View Issue Details

ID: 07994
Project: Bug reports
Category: Security
View Status: public
Last Update: 2013-08-04 21:54
Reporter: hhug
Assigned To: DenisChenu
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Fixed in Version: 2.00+
Summary: 07994: A ls administration user with restricted rights for handling quotas (view only) view button to delete
Description

A LimeSurvey administration user with restricted rights for handling quotas (view only) can delete quota answers. This is caused by a missing check for rights in file '<basis>/application/views/admin/super/viewquotasrowsub_view.php' analogous to the file '<basis>/application/views/admin/super/viewquotasrow_view.php'.

Additional Information

If you change the following code in file '<basis>/application/views/admin/super/viewquotasrowsub_view.php':

<td style="padding: 3px;" align="center">
    <?php echo CHtml::form(array("admin/quotas/sa/delans/surveyid/{$iSurveyId}"), 'post'); ?>
        <input name="submit" type="submit" class="submit" value="<?php $clang->eT("Remove");?>" />
        <input type="hidden" name="sid" value="<?php echo $iSurveyId;?>" />
        <input type="hidden" name="action" value="quotas" />
        <input type="hidden" name="quota_member_id" value="<?php echo $quota_questions['id'];?>" />
        <input type="hidden" name="quota_qid" value="<?php echo $quota_questions['qid'];?>" />
        <input type="hidden" name="quota_anscode" value="<?php echo $quota_questions['code'];?>" />
        <input type="hidden" name="subaction" value="quota_delans" />
    </form>
</td>

analogous to the file '<basis>/application/views/admin/super/viewquotasrow_view.php' into:

<td style="padding: 3px;" align="center">
    <?php if (hasSurveyPermission($iSurveyId, 'quotas','update')) { ?>
    <?php echo CHtml::form(array("admin/quotas/sa/delans/surveyid/{$iSurveyId}"), 'post'); ?>
        <input name="submit" type="submit" class="submit" value="<?php $clang->eT("Remove");?>" />
        <input type="hidden" name="sid" value="<?php echo $iSurveyId;?>" />
        <input type="hidden" name="action" value="quotas" />
        <input type="hidden" name="quota_member_id" value="<?php echo $quota_questions['id'];?>" />
        <input type="hidden" name="quota_qid" value="<?php echo $quota_questions['qid'];?>" />
        <input type="hidden" name="quota_anscode" value="<?php echo $quota_questions['code'];?>" />
        <input type="hidden" name="subaction" value="quota_delans" />
    </form>
    <?php } ?>
</td>

everything will be fine!

Kind regards
Ulrich


Activities

hhug

2013-07-10 22:50

reporter   ~25754

I forgot: Tested with Version 2.00+ Build 130708

DenisChenu

2013-07-13 12:51

developer   ~25784

It's the controller to test in last resort: the view just shows the possibility.

Thank you :)
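
The point made in the note above, that the controller is the last-resort check and the view only decides what is shown, as an added example that is not LimeSurvey code and not part of the original thread. hasSurveyPermission() here is a stand-in with the call shape quoted in the report; the permission table, user names and quota row are constructed sample values.

```php
<?php
// Added illustration, not LimeSurvey code. hasSurveyPermission() is a stand-in
// using the call shape quoted in the report; all data below is constructed.
$permissions = [
    'editor' => ['quotas' => ['read', 'update']],
    'viewer' => ['quotas' => ['read']],   // view-only user, as in the report
];
$quotaMembers = [7 => ['qid' => 12, 'code' => 'A1']];
$currentUser  = 'viewer';

// Stand-in permission lookup; $iSurveyId is unused in this single-survey sketch.
function hasSurveyPermission($iSurveyId, $sPermission, $sCRUD)
{
    global $permissions, $currentUser;
    return in_array($sCRUD, $permissions[$currentUser][$sPermission] ?? [], true);
}

// View layer: only decides whether the Remove button is rendered.
function renderRemoveCell($iSurveyId, $memberId)
{
    if (!hasSurveyPermission($iSurveyId, 'quotas', 'update')) {
        return '<td></td>';
    }
    return '<td><form method="post"><input type="hidden" name="quota_member_id" value="'
        . (int) $memberId . '" /><input type="submit" value="Remove" /></form></td>';
}

// Controller layer: the check that actually protects the data. It runs on
// every request, whether or not the form was ever shown to the user.
function deleteQuotaAnswer($iSurveyId, array $post)
{
    global $quotaMembers;
    if (!hasSurveyPermission($iSurveyId, 'quotas', 'update')) {
        return 403;   // refuse before touching any data
    }
    unset($quotaMembers[(int) ($post['quota_member_id'] ?? 0)]);
    return 200;
}

// Exercise both layers as the view-only user, then as the editor.
var_dump(renderRemoveCell(1, 7));
var_dump(deleteQuotaAnswer(1, ['quota_member_id' => 7]), count($quotaMembers));

$currentUser = 'editor';
var_dump(deleteQuotaAnswer(1, ['quota_member_id' => 7]), count($quotaMembers));
```
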

DenisChenu

2013-07-24 15:19

developer   ~25864

Can not delete quota: just button shown not needed.

DenisChenu

2013-07-24 15:34

developer   ~25865

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=12772

DenisChenu

2013-07-24 15:43

developer   ~25866

Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=12773

c_schmitz

2013-08-04 21:54

administrator   ~25919

2.00+ Build 130802 released

Related Changesets

LimeSurvey: master 14f347dd

2013-07-24 13:30:19

DenisChenu

Fixed issue 07994: Admin without update quota right view delete button
Fixed issue : access to quota don't test read right
Affected Issues
07994
mod - application/controllers/admin/quotas.php
mod - application/views/admin/quotas/viewquotasrow_view.php
mod - application/views/admin/quotas/viewquotasrowsub_view.php

LimeSurvey: 2.05 a137eb92

2013-07-24 13:38:38

DenisChenu

Fixed issue 07994: Admin without update quota right view delete button
Fixed issue : access to quota don't test read right
Affected Issues
07994
mod - application/controllers/admin/quotas.php
mod - application/views/admin/quotas/viewquotasrow_view.php
mod - application/views/admin/quotas/viewquotasrowsub_view.php

Issue History

Date Modified Username Field Change
2013-07-10 22:32 hhug New Issue
2013-07-10 22:50 hhug Note Added: 25754
2013-07-12 10:41 DenisChenu Project Feature requests => Bug reports
2013-07-13 12:51 DenisChenu Note Added: 25784
2013-07-13 12:51 DenisChenu Assigned To => DenisChenu
2013-07-13 12:51 DenisChenu Status new => assigned
2013-07-24 15:19 DenisChenu Note Added: 25864
2013-07-24 15:19 DenisChenu Summary A ls administration user with restricted rights for handling quotas (view only) can delete quota answers => A ls administration user with restricted rights for handling quotas (view only) view button to delete
2013-07-24 15:34 DenisChenu Changeset attached => LimeSurvey master 14f347dd
2013-07-24 15:34 DenisChenu Note Added: 25865
2013-07-24 15:34 DenisChenu Resolution open => fixed
2013-07-24 15:43 DenisChenu Changeset attached => LimeSurvey 2.05 a137eb92
2013-07-24 15:43 DenisChenu Note Added: 25866
2013-07-24 15:43 DenisChenu Status assigned => resolved
2013-07-24 15:43 DenisChenu Fixed in Version => 2.00+
2013-08-04 21:54 c_schmitz Note Added: 25919
2013-08-04 21:54 c_schmitz Status resolved => closed