Dependency Graph

Dependency Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

IDProjectCategoryView StatusLast Update
16428Bug reportsSurvey editingpublic2020-10-30 09:25
ReporterDenisChenu Assigned ToDenisChenu  
PrioritynormalSeverityminor 
Status closedResolutionreopened 
Product Version4.3.1 
Fixed in Version4.3.23 
Summary16428: Simple user reset Survey group to default one
DescriptionAn user with only some survey access reset the survey group
Steps To Reproduce1. Create an user `restricted` with 'create survey right'
2. Give him all rights on one survey
3. Set this survey to "TEST" group
4. Log out
5. Log in as `restricted` user
6. Edit survey global settings : survey is set to Default group

Additional InformationSee screencast

Surely here since Survey group creation

With user management : survey group management can not be done

Since in 4.X : survey group used for "Theme settings" : this can reset "Logo" for example …
TagsNo tags attached.
Complete LimeSurvey version number (& build)4.3.1 github
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database & DB-Versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Relationships

related to 16440 testingcdorin Feature requests Survey group Permission : minimal system 
related to 15421 closedcdorin Feature requests Survey group Permission : minimal system 
related to 16766 closedDenisChenu Bug reports Simple user reset Survey group to default one 

Activities

DenisChenu

DenisChenu

2020-06-25 18:02

developer  

Peek 25-06-2020 17-59.gif (1,857,004 bytes)
DenisChenu

DenisChenu

2020-06-25 18:04

developer   ~58490

Last edited: 2020-06-25 18:04

View 2 revisions

For this one : we need same system than template.
Default Survey group list are :
- Survey group with this user access
- `+` current survey group.
cdorin

cdorin

2020-06-25 22:02

manager   ~58503

Last edited: 2020-06-29 01:51

In this scenario:

- superadministrator should be the only one that has the right to edit global survey settings.

For survey group settings:

- CRUD permissions at the global user management level: Create, View/Read, Update, Delete

Would that be alright or am is there any other possible scenario missing?
DenisChenu

DenisChenu

2020-06-26 08:39

developer   ~58509

Last edited: 2020-06-29 01:51

Not exactly , because in my opinion :

If an user can't read Group1 but a survey he can edit was in Group1 : Group1 must be in the list.

We don't need Permission here.

I check if theme have the same issue, if yes : it was already fixed before : but if an user don't have read right on a template (theme now) : we always add the template in the list.
Jmantysalo

Jmantysalo

2020-06-29 14:30

reporter   ~58541

Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.
DenisChenu

DenisChenu

2020-06-29 14:44

developer   ~58542

> Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.

? Can you explain ?
cdorin

cdorin

2020-06-29 14:53

manager   ~58543

User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.
cdorin

cdorin

2020-06-29 14:57

manager   ~58544

About 16428:58509, yes, I see your point.
Then we can think of:
- Create: create survey groups and edit your own survey groups
- Read/View: view all survey groups and their settings
- Update: update other survey group settings that are not yours
- Delete
DenisChenu

DenisChenu

2020-06-29 15:22

developer   ~58552

> User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.

It's false : User 1 can not see group : he need All survey access.

If user have only "create" rights : he can not see the group. Then he need "Update all survey" or "See all survey" ?
DenisChenu

DenisChenu

2020-06-29 15:23

developer   ~58553

> Then we can think of:
> - Create: create survey groups and edit your own survey groups
> - Read/View: view all survey groups and their settings
> - Update: update other survey group settings that are not yours
> - Delete

It's an easy step here, but still need Permission on group …
Jmantysalo

Jmantysalo

2020-06-30 10:14

reporter   ~58571

> It's false : User 1 can not see group : he need All survey access.

I just tested this on a fresh install... and you are right. But what has been changed, as I saw this problem earlier. What is exactly the permission needed to change for example "Send detailed admin notification email to:" -setting in the question group "Default"?
DenisChenu

DenisChenu

2020-06-30 10:16

developer   ~58572

@Jmantysalo : i didn't know. All Permission oin Survey group are unclear …

Maybe See all survey or Update all survey ?
ollehar

ollehar

2020-06-30 15:02

administrator   ~58580

> 5. Log in as restricted user

Which user is this?
DenisChenu

DenisChenu

2020-06-30 15:06

developer   ~58581

> Create an user with 'create survey right'
> Give him all rights on one survey
cdorin

cdorin

2020-10-20 13:03

manager   ~60299

The discussion about survey groups moved to 16440 . Is it ok if I close this ticket?
@Jmantysalo, I added you to the respective ticket as well.
Jmantysalo

Jmantysalo

2020-10-20 13:16

reporter   ~60301

> Is it ok if I close this ticket?

Yes, of course.
DenisChenu

DenisChenu

2020-10-20 14:26

developer   ~60304

@cdorin : it's not related to a feature about SurveyGroup rights here .

Else : it broke again.

If user can update Survey1 in SurveyGroup1 but don't have read access on SurveyGroup1 : it broke again, it's reset again.
cdorin

cdorin

2020-10-20 15:17

manager   ~60308

Ah, I see - thanks for the additional info, @DenisChenu
DenisChenu

DenisChenu

2020-10-20 15:28

developer   ~60311

I fix it quickly before working on real feature :)
DenisChenu

DenisChenu

2020-10-20 18:16

developer   ~60317

Clone for 3.X
DenisChenu

DenisChenu

2020-10-30 09:25

developer   ~60451

https://bugs.limesurvey.org/plugin.php?page=Source/view&id=30644

Related Changesets

LimeSurvey: master d4db1fe7

2020-10-22 09:35:42

DenisChenu

Details Diff
Fixed issue 16766: Simple user reset Survey group to default one
Dev: use same criteria for search and list
Dev: cherry-picked OK
Affected Issues
16428, 16766
mod - application/models/SurveysGroups.php Diff File

Issue History

Date Modified Username Field Change
2020-06-25 18:02 DenisChenu New Issue
2020-06-25 18:02 DenisChenu File Added: Peek 25-06-2020 17-59.gif
2020-06-25 18:02 DenisChenu Relationship added child of 15421
2020-06-25 18:04 DenisChenu Note Added: 58490
2020-06-25 18:04 DenisChenu Note Edited: 58490 View Revisions
2020-06-25 18:07 DenisChenu Assigned To => ollehar
2020-06-25 18:07 DenisChenu Status new => feedback
2020-06-25 22:02 cdorin Note Added: 58503
2020-06-26 08:39 DenisChenu Note Added: 58509
2020-06-26 08:39 DenisChenu Status feedback => assigned
2020-06-29 01:51 cdorin Zoho Sprints => |Yes|
2020-06-29 01:51 swendrich Zoho Sprints ID => 14469000000155001
2020-06-29 08:15 DenisChenu Summary Simple user reset Surevy group to default one => Simple user reset Survey group to default one
2020-06-29 14:30 Jmantysalo Note Added: 58541
2020-06-29 14:44 DenisChenu Note Added: 58542
2020-06-29 14:53 cdorin Note Added: 58543
2020-06-29 14:57 cdorin Note Added: 58544
2020-06-29 15:22 DenisChenu Note Added: 58552
2020-06-29 15:23 DenisChenu Note Added: 58553
2020-06-30 10:14 Jmantysalo Note Added: 58571
2020-06-30 10:16 DenisChenu Note Added: 58572
2020-06-30 15:02 ollehar Note Added: 58580
2020-06-30 15:06 DenisChenu Note Added: 58581
2020-06-30 15:08 DenisChenu Steps to Reproduce Updated View Revisions
2020-06-30 16:40 DenisChenu Relationship replaced related to 15421
2020-10-20 13:02 cdorin Relationship added related to 16440
2020-10-20 13:03 cdorin Note Added: 60299
2020-10-20 13:03 cdorin Assigned To ollehar =>
2020-10-20 13:03 cdorin Status assigned => feedback
2020-10-20 13:16 Jmantysalo Note Added: 60301
2020-10-20 14:26 DenisChenu Note Added: 60304
2020-10-20 14:26 DenisChenu Status feedback => new
2020-10-20 15:17 cdorin Note Added: 60308
2020-10-20 15:19 cdorin Priority none => normal
2020-10-20 15:19 cdorin Status new => confirmed
2020-10-20 15:19 cdorin Zoho Sprints Yes => |Yes|
2020-10-20 15:28 DenisChenu Note Added: 60311
2020-10-20 15:28 DenisChenu Assigned To => DenisChenu
2020-10-20 15:28 DenisChenu Status confirmed => assigned
2020-10-20 18:16 DenisChenu Status assigned => closed
2020-10-20 18:16 DenisChenu Resolution open => fixed
2020-10-20 18:16 DenisChenu Note Added: 60317
2020-10-20 18:17 DenisChenu Status closed => feedback
2020-10-20 18:17 DenisChenu Resolution fixed => reopened
2020-10-20 18:17 DenisChenu Issue cloned: 16766
2020-10-22 09:36 DenisChenu Relationship added related to 16766
2020-10-30 09:25 DenisChenu Changeset attached => LimeSurvey master d4db1fe7
2020-10-30 09:25 DenisChenu Status feedback => closed
2020-10-30 09:25 DenisChenu Fixed in Version => 4.3.23
2020-10-30 09:25 DenisChenu Note Added: 60451