14551: user can grant more permissions on a survey than he has himself

This bug affects 1 person(s).

256

ID	Project	Category	View Status	Date Submitted	Last Update
14551	Bug reports	Security	public	2019-02-19 14:40	2021-01-28 16:27

Reporter	bewi	Assigned To	DenisChenu
Priority	none	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	3.15.x
Fixed in Version	4.4.0-RC3

Summary	14551: user can grant more permissions on a survey than he has himself
Description	as superadmin create an admin user, who can create other admins and surveys (tester1) (image: "LimeSurvey permissions tester1.png") as tester1 create an admin user who is restricted in his permissions, but can create users and edit on surveys (no creation of surveys): tester2 (image: "LimeSurvey permissions tester2.png") as tester1 create a survey and grant permissions to tester2 except deletion and activation (image: "LimeSurvey survey permissions tester2.png") as tester2 create admin user, with the same rights than himself: tester3 (image: "LimeSurvey permissions tester3.png") as tester3 grant all permissions for tester1's survey to tester3: (image: "LimeSurvey survey permissions tester3.png") now, tester3 can activate the survey, although tester2 has no rights to activate the survey (image: "LimeSurvey survey activation tester3.png")
Tags	No tags attached.

Bug heat	256
Complete LimeSurvey version number (& build)	3.15.9
I will donate to the project if issue is resolved	No
Browser
Database & DB-Version	5.6.42-log
Server OS (if known)
Webserver software & version (if known)
PHP Version	7.2

bewi 2019-02-19 14:40 reporter	LimeSurvey survey activation tester3.png (109,859 bytes) LimeSurvey survey permissions tester2.png (151,267 bytes) LimeSurvey survey permissions tester3.png (150,912 bytes) LimeSurvey permissions tester1.png (95,186 bytes) LimeSurvey permissions tester1.png (95,186 bytes) LimeSurvey permissions tester2.png (63,775 bytes) LimeSurvey permissions tester2.png (63,775 bytes) LimeSurvey permissions tester3.png (59,938 bytes) LimeSurvey permissions tester3.png (59,938 bytes)

DenisChenu 2019-02-20 11:08 developer ~50648	Not an issue Because tester2 have the right to update ANY survey : then the right to activate any survey. Permission come from Global Permission not from Survey Permission

DenisChenu 2019-02-20 11:09 developer ~50649	But need a "partially checked" box like we have in 2.6lts

bewi 2019-02-20 11:32 reporter ~50650	even if I remove the right for updating any survey for the users 'tester2' and 'tester3' the user 'tester' can grant activation rights to 'tester3'. maybe my thinking is wrong. what permissions settings are needed for this scenario: tester1 should be allowed to do everything except plugins and modifying themes (so he can not be a superadmin) he should create users like tester2, who is not allowed to create, delete or activate surveys. But this user should be able to edit surveys assigned to him (add,change, delete questiongroups and questions) tester2 also should be able to create further users (tester3) which can work the same on assigned surveys as tester2 (only tester1 should be able to activate any surveys)

DenisChenu 2019-02-20 11:53 developer ~50651	Right : issue still persist with deactivating update (all) surveys for user2

DenisChenu 2019-02-20 14:10 developer ~50655	For reminder for checkbox state with 2.6lts version : 1 state - checked : set in this survey - indeterminate: set by global (but not set here) - unchecked : no right Capture d’écran du 2019-02-20 14-08-43.png (35,006 bytes) Capture d’écran du 2019-02-20 14-08-43.png (35,006 bytes)

DenisChenu 2020-05-11 08:42 developer ~57649	Louis quit mantis

DenisChenu 2020-10-29 13:18 developer ~60448	I think there are way where user can remove Permission too. Need to be tested but : SuperAdmin give all rights on a Survey#1 to User#1 SuperAdmin give read response rights on a Survey#1 to User#2 + Set permission (for example to allow create some user to read response) Log in as User#1 : user#1 can remove (without wanting) rights to User#1. My opinion : he must be allowed to update ONLY read response rights.

DenisChenu 2021-01-12 13:41 developer ~61492	https://github.com/LimeSurvey/LimeSurvey/pull/1709

DenisChenu 2021-01-21 13:36 developer ~61623	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30904

lime_release_bot 2021-01-28 16:27 administrator ~61755	Fixed in Release 4.4.0+210129

LimeSurvey: master bd100a45 2021-01-12 12:10:26 DenisChenu Details Diff	Fixed issue 14551: user can grant more permissions on a survey than he has himself Dev: after create services + widget … use it for Survey	Affected Issues 14551
	mod - application/controllers/admin/surveypermission.php	Diff File
	mod - application/models/services/PermissionManager.php	Diff File

Date Modified	Username	Field	Change
2019-02-19 14:40	bewi	New Issue
2019-02-19 14:40	bewi	File Added: LimeSurvey survey activation tester3.png
2019-02-19 14:40	bewi	File Added: LimeSurvey survey permissions tester2.png
2019-02-19 14:40	bewi	File Added: LimeSurvey survey permissions tester3.png
2019-02-19 14:40	bewi	File Added: LimeSurvey permissions tester1.png
2019-02-19 14:40	bewi	File Added: LimeSurvey permissions tester2.png
2019-02-19 14:40	bewi	File Added: LimeSurvey permissions tester3.png
2019-02-20 11:08	DenisChenu	Assigned To	=> DenisChenu
2019-02-20 11:08	DenisChenu	Status	new => closed
2019-02-20 11:08	DenisChenu	Resolution	open => no change required
2019-02-20 11:08	DenisChenu	Note Added: 50648
2019-02-20 11:09	DenisChenu	Assigned To	DenisChenu =>
2019-02-20 11:09	DenisChenu	Status	closed => feedback
2019-02-20 11:09	DenisChenu	Resolution	no change required => reopened
2019-02-20 11:09	DenisChenu	Note Added: 50649
2019-02-20 11:32	bewi	Note Added: 50650
2019-02-20 11:32	bewi	Status	feedback => new
2019-02-20 11:53	DenisChenu	Note Added: 50651
2019-02-20 14:10	DenisChenu	File Added: Capture d’écran du 2019-02-20 14-08-43.png
2019-02-20 14:10	DenisChenu	Note Added: 50655
2019-02-20 15:15	DenisChenu	Relationship added	related to 14558
2019-03-08 12:10	cdorin	Assigned To	=> markusfluer
2019-03-08 12:10	cdorin	Status	new => assigned
2019-04-11 11:57	~~LouisGac~~	Assigned To	markusfluer => LouisGac
2020-05-11 08:42	DenisChenu	Assigned To	LouisGac => cdorin
2020-05-11 08:42	DenisChenu	Status	assigned => new
2020-05-11 08:42	DenisChenu	Note Added: 57649
2020-10-29 13:18	DenisChenu	Note Added: 60448
2020-11-12 08:03	DenisChenu	Relationship added	related to 16440
2020-12-22 21:14	DenisChenu	Assigned To	cdorin => DenisChenu
2020-12-23 08:55	DenisChenu	Status	new => assigned
2021-01-12 13:41	DenisChenu	Note Added: 61492
2021-01-12 13:41	DenisChenu	Assigned To	DenisChenu => cdorin
2021-01-12 13:41	DenisChenu	Status	assigned => testing
2021-01-12 13:47	DenisChenu	Relationship added	related to 16967
2021-01-21 13:36	DenisChenu	Changeset attached	=> LimeSurvey master bd100a45
2021-01-21 13:36	DenisChenu	Note Added: 61623
2021-01-21 13:36	DenisChenu	Assigned To	cdorin => DenisChenu
2021-01-21 13:36	DenisChenu	Resolution	reopened => fixed
2021-01-22 08:33	DenisChenu	Status	testing => resolved
2021-01-22 08:33	DenisChenu	Fixed in Version	=> 4.4.0-RC3
2021-01-28 16:27	lime_release_bot	Note Added: 61755
2021-01-28 16:27	lime_release_bot	Status	resolved => closed
2021-07-12 13:56	c_schmitz	Bug heat	256 => 258
2021-07-12 13:57	guest	Bug heat	258 => 256
2021-07-12 18:54	c_schmitz	Bug heat	256 => 258
2021-07-12 18:58	guest	Bug heat	258 => 256

Relationship Graph

View Issue Details

Relationships

Activities

Related Changesets

Issue History

related to	14558	closed	DenisChenu	Bug reports	No difference shown for auto set Permsiion in survey
related to	16440	testing	cdorin	Feature requests	Survey group Permission : minimal system
related to	16967	new		Development	remove giveAllSurveyPermissions