Relationship Graph

View IssueDependency GraphShow Summary
Relationship Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 258
IDProjectCategoryView StatusDate SubmittedLast Update
14551Bug reportsSecuritypublic2019-02-19 14:402021-01-28 16:27
Reporterbewi Assigned ToDenisChenu  
PrioritynoneSeveritypartial_block 
Status closedResolutionfixed 
Product Version3.15.x 
Fixed in Version4.4.0-RC3 
Summary14551: user can grant more permissions on a survey than he has himself
Description

as superadmin create an admin user, who can create other admins and surveys (tester1) (image: "LimeSurvey permissions tester1.png")

as tester1 create an admin user who is restricted in his permissions, but can create users and edit on surveys (no creation of surveys): tester2 (image: "LimeSurvey permissions tester2.png")
as tester1 create a survey and grant permissions to tester2 except deletion and activation (image: "LimeSurvey survey permissions tester2.png")

as tester2 create admin user, with the same rights than himself: tester3 (image: "LimeSurvey permissions tester3.png")
as tester3 grant all permissions for tester1's survey to tester3: (image: "LimeSurvey survey permissions tester3.png")

now, tester3 can activate the survey, although tester2 has no rights to activate the survey (image: "LimeSurvey survey activation tester3.png")

TagsNo tags attached.
Bug heat258
Complete LimeSurvey version number (& build)3.15.9
I will donate to the project if issue is resolvedNo
Browser
Database type & version5.6.42-log
Server OS (if known)
Webserver software & version (if known)
PHP Version7.2

Relationships

Relationship GraphDependency Graph
related to 14558 confirmedgalads Bug reports No difference shown for auto set Permsiion in survey 
related to 16440 ready for testingcdorin Feature requests Survey group Permission : minimal system 

Activities

bewi

bewi

2019-02-19 14:40

reporter  

LimeSurvey survey activation tester3.png (109,859 bytes)
LimeSurvey survey permissions tester2.png (151,267 bytes)
LimeSurvey survey permissions tester3.png (150,912 bytes)
LimeSurvey permissions tester1.png (95,186 bytes)   
LimeSurvey permissions tester1.png (95,186 bytes)   
LimeSurvey permissions tester2.png (63,775 bytes)   
LimeSurvey permissions tester2.png (63,775 bytes)   
LimeSurvey permissions tester3.png (59,938 bytes)   
LimeSurvey permissions tester3.png (59,938 bytes)   
DenisChenu

DenisChenu

2019-02-20 11:08

developer   ~50648

Not an issue

Because tester2 have the right to update ANY survey : then the right to activate any survey.

Permission come from Global Permission not from Survey Permission
DenisChenu

DenisChenu

2019-02-20 11:09

developer   ~50649

But need a "partially checked" box like we have in 2.6lts
bewi

bewi

2019-02-20 11:32

reporter   ~50650

even if I remove the right for updating any survey for the users 'tester2' and 'tester3' the user 'tester' can grant activation rights to 'tester3'.

maybe my thinking is wrong.
what permissions settings are needed for this scenario:
tester1 should be allowed to do everything except plugins and modifying themes (so he can not be a superadmin)
he should create users like tester2, who is not allowed to create, delete or activate surveys. But this user should be able to edit surveys assigned to him (add,change, delete questiongroups and questions)
tester2 also should be able to create further users (tester3) which can work the same on assigned surveys as tester2
(only tester1 should be able to activate any surveys)
DenisChenu

DenisChenu

2019-02-20 11:53

developer   ~50651

Right : issue still persist with deactivating update (all) surveys for user2
DenisChenu

DenisChenu

2019-02-20 14:10

developer   ~50655

For reminder for checkbox state with 2.6lts version :
1 state

  • checked : set in this survey
  • indeterminate: set by global (but not set here)
  • unchecked : no right
Capture d’écran du 2019-02-20 14-08-43.png (35,006 bytes)   
Capture d’écran du 2019-02-20 14-08-43.png (35,006 bytes)   
DenisChenu

DenisChenu

2020-05-11 08:42

developer   ~57649

Louis quit mantis
DenisChenu

DenisChenu

2020-10-29 13:18

developer   ~60448

I think there are way where user can remove Permission too.

Need to be tested but :
SuperAdmin give all rights on a Survey#1 to User#1
SuperAdmin give read response rights on a Survey#1 to User#2 + Set permission (for example to allow create some user to read response)

Log in as User#1 : user#1 can remove (without wanting) rights to User#1. My opinion : he must be allowed to update ONLY read response rights.
DenisChenu

DenisChenu

2021-01-12 13:41

developer   ~61492

https://github.com/LimeSurvey/LimeSurvey/pull/1709
DenisChenu

DenisChenu

2021-01-21 13:36

developer   ~61623

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30904
lime_release_bot

lime_release_bot

2021-01-28 16:27

administrator   ~61755

Fixed in Release 4.4.0+210129

Related Changesets

LimeSurvey: master bd100a45

2021-01-12 12:10:26

DenisChenu

Details Diff 		Fixed issue 14551: user can grant more permissions on a survey than he has himself
Dev: after create services + widget … use it for Survey		 Affected Issues
14551
mod - application/controllers/admin/surveypermission.php Diff File
mod - application/models/services/PermissionManager.php Diff File

Issue History

Date Modified Username Field Change
2019-02-19 14:40 bewi New Issue
2019-02-19 14:40 bewi File Added: LimeSurvey survey activation tester3.png
2019-02-19 14:40 bewi File Added: LimeSurvey survey permissions tester2.png
2019-02-19 14:40 bewi File Added: LimeSurvey survey permissions tester3.png
2019-02-19 14:40 bewi File Added: LimeSurvey permissions tester1.png
2019-02-19 14:40 bewi File Added: LimeSurvey permissions tester2.png
2019-02-19 14:40 bewi File Added: LimeSurvey permissions tester3.png
2019-02-20 09:39 Mazi Issue Monitored: Mazi
2019-02-20 11:08 DenisChenu Assigned To => DenisChenu
2019-02-20 11:08 DenisChenu Status new => closed
2019-02-20 11:08 DenisChenu Resolution open => no change required
2019-02-20 11:08 DenisChenu Note Added: 50648
2019-02-20 11:09 DenisChenu Assigned To DenisChenu =>
2019-02-20 11:09 DenisChenu Status closed => feedback
2019-02-20 11:09 DenisChenu Resolution no change required => reopened
2019-02-20 11:09 DenisChenu Note Added: 50649
2019-02-20 11:32 bewi Note Added: 50650
2019-02-20 11:32 bewi Status feedback => new
2019-02-20 11:53 DenisChenu Note Added: 50651
2019-02-20 14:10 DenisChenu File Added: Capture d’écran du 2019-02-20 14-08-43.png
2019-02-20 14:10 DenisChenu Note Added: 50655
2019-02-20 15:15 DenisChenu Relationship added related to 14558
2019-03-08 12:10 cdorin Assigned To => markusfluer
2019-03-08 12:10 cdorin Status new => assigned
2019-04-11 11:57 LouisGac Assigned To markusfluer => LouisGac
2020-05-11 08:42 DenisChenu Assigned To LouisGac => cdorin
2020-05-11 08:42 DenisChenu Status assigned => new
2020-05-11 08:42 DenisChenu Note Added: 57649
2020-10-29 13:18 DenisChenu Note Added: 60448
2020-11-12 08:03 DenisChenu Relationship added related to 16440
2020-12-22 21:14 DenisChenu Assigned To cdorin => DenisChenu
2020-12-23 08:55 DenisChenu Status new => assigned
2021-01-12 13:41 DenisChenu Note Added: 61492
2021-01-12 13:41 DenisChenu Assigned To DenisChenu => cdorin
2021-01-12 13:41 DenisChenu Status assigned => ready for testing
2021-01-21 13:36 DenisChenu Changeset attached => LimeSurvey master bd100a45
2021-01-21 13:36 DenisChenu Note Added: 61623
2021-01-21 13:36 DenisChenu Assigned To cdorin => DenisChenu
2021-01-21 13:36 DenisChenu Resolution reopened => fixed
2021-01-22 08:33 DenisChenu Status ready for testing => resolved
2021-01-22 08:33 DenisChenu Fixed in Version => 4.4.0-RC3
2021-01-28 16:27 lime_release_bot Note Added: 61755
2021-01-28 16:27 lime_release_bot Status resolved => closed
2021-08-02 16:19 guest Bug heat 256 => 258