14551: user can grant more permissions on a survey than he has himself

Relationship Graph

ID	Project	Category	View Status	Date Submitted	Last Update
14551	Bug reports	[All Projects] Security	public	2019-02-19 14:40	2019-04-11 11:57

Reporter	bewi	Assigned To	LouisGac
Priority	none	Severity	major
Status	assigned	Resolution	reopened
Product Version	3.15.x
Target Version		Fixed in Version

Summary	14551: user can grant more permissions on a survey than he has himself
Description	as superadmin create an admin user, who can create other admins and surveys (tester1) (image: "LimeSurvey permissions tester1.png") as tester1 create an admin user who is restricted in his permissions, but can create users and edit on surveys (no creation of surveys): tester2 (image: "LimeSurvey permissions tester2.png") as tester1 create a survey and grant permissions to tester2 except deletion and activation (image: "LimeSurvey survey permissions tester2.png") as tester2 create admin user, with the same rights than himself: tester3 (image: "LimeSurvey permissions tester3.png") as tester3 grant all permissions for tester1's survey to tester3: (image: "LimeSurvey survey permissions tester3.png") now, tester3 can activate the survey, although tester2 has no rights to activate the survey (image: "LimeSurvey survey activation tester3.png")
Tags	No tags attached.

Complete LimeSurvey version number (& build)	3.15.9
I will donate to the project if issue is resolved	No
Browser
Database & DB-Version	5.6.42-log
Server OS (if known)
Webserver software & version (if known)
PHP Version	7.2

bewi 2019-02-19 14:40 reporter	LimeSurvey survey activation tester3.png (109,859 bytes) LimeSurvey survey permissions tester2.png (151,267 bytes) LimeSurvey survey permissions tester3.png (150,912 bytes) LimeSurvey permissions tester1.png (95,186 bytes) LimeSurvey permissions tester1.png (95,186 bytes) LimeSurvey permissions tester2.png (63,775 bytes) LimeSurvey permissions tester2.png (63,775 bytes) LimeSurvey permissions tester3.png (59,938 bytes) LimeSurvey permissions tester3.png (59,938 bytes)

DenisChenu 2019-02-20 11:08 developer ~50648	Not an issue Because tester2 have the right to update ANY survey : then the right to activate any survey. Permission come from Global Permission not from Survey Permission

DenisChenu 2019-02-20 11:09 developer ~50649	But need a "partially checked" box like we have in 2.6lts

bewi 2019-02-20 11:32 reporter ~50650	even if I remove the right for updating any survey for the users 'tester2' and 'tester3' the user 'tester' can grant activation rights to 'tester3'. maybe my thinking is wrong. what permissions settings are needed for this scenario: tester1 should be allowed to do everything except plugins and modifying themes (so he can not be a superadmin) he should create users like tester2, who is not allowed to create, delete or activate surveys. But this user should be able to edit surveys assigned to him (add,change, delete questiongroups and questions) tester2 also should be able to create further users (tester3) which can work the same on assigned surveys as tester2 (only tester1 should be able to activate any surveys)

DenisChenu 2019-02-20 11:53 developer ~50651	Right : issue still persist with deactivating update (all) surveys for user2

DenisChenu 2019-02-20 14:10 developer ~50655	For reminder for checkbox state with 2.6lts version : 1 state checked : set in this survey indeterminate: set by global (but not set here) unchecked : no right Capture d’écran du 2019-02-20 14-08-43.png (35,006 bytes) Capture d’écran du 2019-02-20 14-08-43.png (35,006 bytes)

Date Modified	Username	Field	Change
2019-02-19 14:40	bewi	New Issue
2019-02-19 14:40	bewi	File Added: LimeSurvey survey activation tester3.png
2019-02-19 14:40	bewi	File Added: LimeSurvey survey permissions tester2.png
2019-02-19 14:40	bewi	File Added: LimeSurvey survey permissions tester3.png
2019-02-19 14:40	bewi	File Added: LimeSurvey permissions tester1.png
2019-02-19 14:40	bewi	File Added: LimeSurvey permissions tester2.png
2019-02-19 14:40	bewi	File Added: LimeSurvey permissions tester3.png
2019-02-20 11:08	DenisChenu	Assigned To	=> DenisChenu
2019-02-20 11:08	DenisChenu	Status	new => closed
2019-02-20 11:08	DenisChenu	Resolution	open => no change required
2019-02-20 11:08	DenisChenu	Note Added: 50648
2019-02-20 11:09	DenisChenu	Assigned To	DenisChenu =>
2019-02-20 11:09	DenisChenu	Status	closed => feedback
2019-02-20 11:09	DenisChenu	Resolution	no change required => reopened
2019-02-20 11:09	DenisChenu	Note Added: 50649
2019-02-20 11:32	bewi	Note Added: 50650
2019-02-20 11:32	bewi	Status	feedback => new
2019-02-20 11:53	DenisChenu	Note Added: 50651
2019-02-20 14:10	DenisChenu	File Added: Capture d’écran du 2019-02-20 14-08-43.png
2019-02-20 14:10	DenisChenu	Note Added: 50655
2019-02-20 15:15	DenisChenu	Relationship added	related to 14558
2019-03-08 12:10	cdorin	Assigned To	=> markusfluer
2019-03-08 12:10	cdorin	Status	new => assigned
2019-04-11 11:57	LouisGac	Assigned To	markusfluer => LouisGac

View Issue Details

Activities

Issue History