Relationship Graph

Relationship Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

IDProjectCategoryView StatusLast Update
16428Bug reportsSurvey editingpublic2020-06-30 16:40
ReporterDenisChenu Assigned Toollehar  
PrioritynoneSeverityminor 
Status assignedResolutionopen 
Product Version4.3.1 
Summary16428: Simple user reset Survey group to default one
Description

An user with only some survey access reset the survey group

Steps To Reproduce
  1. Create an user restricted with 'create survey right'
  2. Give him all rights on one survey
  3. Set this survey to "TEST" group
  4. Log out
  5. Log in as restricted user
  6. Edit survey global settings : survey is set to Default group
Additional Information

See screencast

Surely here since Survey group creation

With user management : survey group management can not be done

Since in 4.X : survey group used for "Theme settings" : this can reset "Logo" for example …

TagsNo tags attached.
Complete LimeSurvey version number (& build)4.3.1 github
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database & DB-Versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Relationships

related to 15421 closedcdorin Feature requests Survey group Permission : minimal system 

Activities

DenisChenu

DenisChenu

2020-06-25 18:02

developer  

Peek 25-06-2020 17-59.gif (1,857,004 bytes)
DenisChenu

DenisChenu

2020-06-25 18:04

developer   ~58490

Last edited: 2020-06-25 18:04

View 2 revisions

For this one : we need same system than template.
Default Survey group list are :

  • Survey group with this user access
  • + current survey group.
cdorin

cdorin

2020-06-25 22:02

manager   ~58503

Last edited: 2020-06-29 01:51

In this scenario:

  • superadministrator should be the only one that has the right to edit global survey settings.

For survey group settings:

  • CRUD permissions at the global user management level: Create, View/Read, Update, Delete

Would that be alright or am is there any other possible scenario missing?

DenisChenu

DenisChenu

2020-06-26 08:39

developer   ~58509

Last edited: 2020-06-29 01:51

Not exactly , because in my opinion :

If an user can't read Group1 but a survey he can edit was in Group1 : Group1 must be in the list.

We don't need Permission here.

I check if theme have the same issue, if yes : it was already fixed before : but if an user don't have read right on a template (theme now) : we always add the template in the list.

Jmantysalo

Jmantysalo

2020-06-29 14:30

reporter   ~58541

Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.

DenisChenu

DenisChenu

2020-06-29 14:44

developer   ~58542

Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.

? Can you explain ?

cdorin

cdorin

2020-06-29 14:53

manager   ~58543

User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.

cdorin

cdorin

2020-06-29 14:57

manager   ~58544

About 16428:58509, yes, I see your point.
Then we can think of:

  • Create: create survey groups and edit your own survey groups
  • Read/View: view all survey groups and their settings
  • Update: update other survey group settings that are not yours
  • Delete
DenisChenu

DenisChenu

2020-06-29 15:22

developer   ~58552

User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.

It's false : User 1 can not see group : he need All survey access.

If user have only "create" rights : he can not see the group. Then he need "Update all survey" or "See all survey" ?

DenisChenu

DenisChenu

2020-06-29 15:23

developer   ~58553

Then we can think of:

  • Create: create survey groups and edit your own survey groups
  • Read/View: view all survey groups and their settings
  • Update: update other survey group settings that are not yours
  • Delete

It's an easy step here, but still need Permission on group …

Jmantysalo

Jmantysalo

2020-06-30 10:14

reporter   ~58571

It's false : User 1 can not see group : he need All survey access.

I just tested this on a fresh install... and you are right. But what has been changed, as I saw this problem earlier. What is exactly the permission needed to change for example "Send detailed admin notification email to:" -setting in the question group "Default"?

DenisChenu

DenisChenu

2020-06-30 10:16

developer   ~58572

@Jmantysalo : i didn't know. All Permission oin Survey group are unclear …

Maybe See all survey or Update all survey ?

ollehar

ollehar

2020-06-30 15:02

administrator   ~58580

  1. Log in as restricted user

Which user is this?

DenisChenu

DenisChenu

2020-06-30 15:06

developer   ~58581

Create an user with 'create survey right'
Give him all rights on one survey

Issue History

Date Modified Username Field Change
2020-06-25 18:02 DenisChenu New Issue
2020-06-25 18:02 DenisChenu File Added: Peek 25-06-2020 17-59.gif
2020-06-25 18:02 DenisChenu Relationship added child of 15421
2020-06-25 18:04 DenisChenu Note Added: 58490
2020-06-25 18:04 DenisChenu Note Edited: 58490 View Revisions
2020-06-25 18:07 DenisChenu Assigned To => ollehar
2020-06-25 18:07 DenisChenu Status new => feedback
2020-06-25 22:02 cdorin Note Added: 58503
2020-06-26 08:39 DenisChenu Note Added: 58509
2020-06-26 08:39 DenisChenu Status feedback => assigned
2020-06-29 08:15 DenisChenu Summary Simple user reset Surevy group to default one => Simple user reset Survey group to default one
2020-06-29 14:30 Jmantysalo Note Added: 58541
2020-06-29 14:44 DenisChenu Note Added: 58542
2020-06-29 14:53 cdorin Note Added: 58543
2020-06-29 14:57 cdorin Note Added: 58544
2020-06-29 15:22 DenisChenu Note Added: 58552
2020-06-29 15:23 DenisChenu Note Added: 58553
2020-06-30 10:14 Jmantysalo Note Added: 58571
2020-06-30 10:16 DenisChenu Note Added: 58572
2020-06-30 15:02 ollehar Note Added: 58580
2020-06-30 15:06 DenisChenu Note Added: 58581
2020-06-30 15:08 DenisChenu Steps to Reproduce Updated View Revisions
2020-06-30 16:40 DenisChenu Relationship replaced related to 15421