View Issue Details

ID: 16509
Project: Bug reports
Category: Question editor
View Status: public
Last Update: 2020-08-03 11:23
Reporter: gabrieljenik
Assigned To:
Priority: none
Severity: block
Status: closed
Resolution: fixed
Product Version: 4.3.4
Summary: 16509: Permissions are weakly checked on conditions designer
Description

While reviewing 16127, I saw that permissions weren't being checked properly.

Tags: No tags attached.
Bug heat: 8
Complete LimeSurvey version number (& build): 4.3.4
I will donate to the project if issue is resolved: No
Browser:
Database type & version: Mysql
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7

Relationships

related to 16127 (closed, JHoeck): Copy condition and other buttons missing in top panel

Activities

gabrieljenik (manager), 2020-07-21 02:23, note ~59010

Added it in the same PR as the screen reorg:
https://github.com/LimeSurvey/LimeSurvey/pull/1494

user225042, 2020-07-24 14:36, note ~59074

Tested the issue after pulling the PR. I see the copy conditions button, and also the user does not have full access. I am not sure what other things are to be tested here? Please refer to the attachment for more details.

16509_Permissions.png (184,035 bytes)

gabrieljenik (manager), 2020-07-24 15:08, note ~59075

I foresee the following testing scenarios:

0) Grab the url for the conditions manager for a given question. Ex:
http://<lspath>/index.php/admin/conditions/sa/index/subaction/editconditionsform/surveyid/279323/gid/27/qid/577

1) Create a user with no read permissions over a survey.
a) Make sure the user can't see the conditions for a question, even using the direct url.

2) Create a user with read permissions over a survey.
a) Make sure the user can see the conditions for a question.
b) Make sure the user can't update, add or remove conditions for a question, even using the direct url.

3) Create a user with update permissions over a survey (but neither owner nor superadmin).
a) Make sure the user can see the conditions for a question.
b) Make sure the user can update, add and remove conditions for a question.

Thanks

gabrieljenik (manager), 2020-07-24 15:09, note ~59076 (last edited: 2020-07-24 15:11)

> Tested the issue after pulling the PR. I see the copy conditions button, and also the user does not have full access.

Ok, so test case #2 is not being tested successfully, right?

user225042, 2020-07-24 15:21, note ~59079

Ok, I will test these scenarios and get back to you.

gabrieljenik (manager), 2020-07-24 19:47, note ~59086

> Tested the issue after pulling the PR. I see the copy conditions button, and also the user does not have full access. I am not sure what other things are to be tested here? Please refer to the attachment for more details.

That screen doesn't look like the redesigned one.
This is the one for a read-only user.

image.png (94,109 bytes)

user225042, 2020-07-27 17:36, note ~59104

Tested the issue after pulling the PR; below are my findings. Please refer to the attachment for more details.

0) Grab the url for the conditions manager for a given question. Ex:
http://master.local/index.php?r=admin/conditions/sa/index/subaction/editconditionsform&surveyid=112615&gid=29&qid=1396

1) Create a user with no read permissions over a survey. --Getting a forbidden message
a) Make sure the user can't see the conditions for a question, even using the direct url.

2) Create a user with read permissions over a survey. ---Working as expected
a) Make sure the user can see the conditions for a question.
b) Make sure the user can't update, add or remove conditions for a question, even using the direct url.

3) Create a user with update permissions over a survey (but neither owner nor superadmin). --Getting a forbidden message
a) Make sure the user can see the conditions for a question.
b) Make sure the user can update, add and remove conditions for a question.

4) Create a user with view & update permissions over a survey.
a) Make sure the user can see the conditions for a question.
b) Make sure the user can update, add and remove conditions for a question.

16509_Tim_ReadAccess.png (171,415 bytes)

gabrieljenik (manager), 2020-07-27 18:01, note ~59106

Understand #1 and #3 are working as expected, right?

user225042, 2020-07-28 17:36, note ~59117

1. When the user has read-only permissions, the user can't see the conditions for a question, even using the direct url. ---Working as expected
2. When the user has update permissions over a survey, the user can't see the conditions for a question -- update works with view also checked. ---Working as expected
3. When the user has view & update permissions over a survey, the user can add, update or delete conditions. ---Working as expected
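The access matrix from the testing scenarios above and the findings in this comment, as an added PHP example that is not LimeSurvey's code: one server-side gate that decides per subaction, so hiding buttons in the view is never the only control and a direct URL hits the same check. The permission names, the subaction names other than editconditionsform, and the in-memory permission array standing in for the application's own permission lookup are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not LimeSurvey's code: minimal model of the survey-permission
// gate the ticket's scenarios describe. Permission and subaction names (except
// editconditionsform, which is on the ticket) are assumptions for illustration.

final class ConditionsGate
{
    // Subactions that change conditions; everything else is read-only viewing.
    private const MUTATING = ['insertcondition', 'updatecondition', 'deletecondition', 'copyconditions'];

    /**
     * @param array<string,bool> $perms survey permissions of the current user,
     *                                  e.g. ['read' => true, 'update' => false]
     * @return string 'allow' or 'forbidden'
     */
    public static function decide(array $perms, string $subaction): string
    {
        $canRead   = $perms['read'] ?? false;
        $canUpdate = $perms['update'] ?? false;

        // The whole designer is reached through the survey, so read access is
        // required first. An update-only user is therefore forbidden (scenario 3).
        if (!$canRead) {
            return 'forbidden';
        }
        // Viewing the form needs read only (scenario 2a).
        if (!in_array($subaction, self::MUTATING, true)) {
            return 'allow';
        }
        // Add / update / remove also need update (scenario 2b forbidden, 4b allowed).
        return $canUpdate ? 'allow' : 'forbidden';
    }
}

// Constructed cases mirroring ticket scenarios 1-4, including the direct-URL
// attempt by a read-only user against a mutating subaction.
$cases = [
    ['perms' => [],                                 'sub' => 'editconditionsform', 'want' => 'forbidden'],
    ['perms' => ['read' => true],                   'sub' => 'editconditionsform', 'want' => 'allow'],
    ['perms' => ['read' => true],                   'sub' => 'updatecondition',    'want' => 'forbidden'],
    ['perms' => ['update' => true],                 'sub' => 'editconditionsform', 'want' => 'forbidden'],
    ['perms' => ['read' => true, 'update' => true], 'sub' => 'updatecondition',    'want' => 'allow'],
];
foreach ($cases as $c) {
    $got = ConditionsGate::decide($c['perms'], $c['sub']);
    printf("%-30s %-20s %s\n", json_encode($c['perms']), $c['sub'],
        $got === $c['want'] ? 'ok' : "FAIL (got $got)");
}
```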

user234287, 2020-08-03 10:20, note ~59249

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30337

lime_release_bot (administrator), 2020-08-03 11:23, note ~59254

Fixed in Release 4.3.8+200803

Related Changesets

LimeSurvey: master f8156841 (2020-07-21 02:19:01, author: gabrieljenik, committer: user234287)

Fixed issue 16509: Permissions are weakly checked on conditions designer

Added permissions checking for update actions

Affected Issues: 16509
mod - application/controllers/admin/conditionsaction.php
mod - application/views/admin/conditions/conditionshead_view.php
mod - application/views/admin/conditions/conditionslist_view.php

LimeSurvey: master 4333ad23 (2020-07-27 16:49:56, author: gabrieljenik, committer: user234287)

Fixed issue 16509: Permissions are weakly checked on conditions designer

Added permissions checking for update actions

Affected Issues: 16509
mod - application/views/admin/conditions/includes/conditionslist_footer_view.php

Issue History

Date Modified Username Field Change
2020-07-21 02:04 gabrieljenik New Issue
2020-07-21 02:23 gabrieljenik Relationship added related to 16127
2020-07-21 02:23 gabrieljenik Note Added: 59010
2020-07-24 14:36 user225042 Note Added: 59074
2020-07-24 14:36 user225042 File Added: 16509_Permissions.png
2020-07-24 15:08 gabrieljenik Note Added: 59075
2020-07-24 15:09 gabrieljenik Note Added: 59076
2020-07-24 15:11 gabrieljenik Note Edited: 59076
2020-07-24 15:21 user225042 Note Added: 59079
2020-07-24 16:05 user225042 File Deleted: 16509_RedDot.png
2020-07-24 19:47 gabrieljenik Note Added: 59086
2020-07-24 19:47 gabrieljenik File Added: image.png
2020-07-27 17:36 user225042 Note Added: 59104
2020-07-27 17:36 user225042 File Added: 16509_Tim_ReadAccess.png
2020-07-27 17:36 user225042 File Added: 16509_Tim_NoReadAccess.png
2020-07-27 17:36 user225042 File Added: 16509_Tim_UpdateAccess.png
2020-07-27 17:36 user225042 File Added: 16509_Tim_View&UpdateAccess.png
2020-07-27 18:01 gabrieljenik Note Added: 59106
2020-07-28 17:36 user225042 Note Added: 59117
2020-08-03 10:20 user234287 Changeset attached => LimeSurvey master 4333ad23
2020-08-03 10:20 user234287 Changeset attached => LimeSurvey master f8156841
2020-08-03 10:20 user234287 Note Added: 59249
2020-08-03 11:23 lime_release_bot Note Added: 59254
2020-08-03 11:23 lime_release_bot Status new => closed
2020-08-03 11:23 lime_release_bot Resolution open => fixed