View Issue Details

This bug affects 1 person(s).
 2
IDProjectCategoryView StatusLast Update
10608Bug reportsCentral participant databasepublic2016-03-07 11:45
Reporterjohnnyfoster Assigned Toc_schmitz  
PrioritynormalSeveritypartial_block 
Status closedResolutionfixed 
Product Version2.50.x 
Fixed in Version2.50.x 
Summary10608: Users can see each others contacts in the participant database
Description

I have installed version 2.5. I have created a couple of users who have minimal permissions (Create survey and create participants panel) and are not Superadministrator.

I have encountered the following problems:

It is not possible to navigate to the Central participant database/panel menu without having superadministrator permissions however navigating directly to the URL I can access the panel correctly.

When I am logged into a user account with Participant panel (create) permissions only, I can see other users contacts.

Steps To Reproduce

Create multiple user accounts with (Create) Central participant database and not superadministrator.

  • When you login you will not be able to navigate to the centeral participants database at there is no such menu.

Navigate manually and create some contacts.
Login as another user.

  • Navigate to the the Central participant database and you will be able to see and modify other users contacts.
TagsNo tags attached.
Bug heat2
Complete LimeSurvey version number (& build)160222
I will donate to the project if issue is resolvedNo
BrowserChrome
Database type & versionMySQL 5.5.44
Server OS (if known)Centos
Webserver software & version (if known)Apache 2.4
PHP VersionPHP 5.4.45

Users monitoring this issue

There are no users monitoring this issue.

Activities

c_schmitz

c_schmitz

2016-02-29 13:21

administrator   ~35775

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=17679

c_schmitz

c_schmitz

2016-02-29 13:25

administrator   ~35776

I could not reproduce all issues - some of them may have been already fixed.
I fixed the permission for the menu entries in general.

However only giving 'create' permission for the CPDB does not make sense.
The basic permission to give first is always a 'read' permission - for non-superadmin users it implies that they only see their own participants.

Please check after the next build was released. If you still have issues then please create a new bug report.

c_schmitz

c_schmitz

2016-03-07 11:45

administrator   ~36026

Version 2.60 Build 150307 released

Related Changesets

LimeSurvey: master 3ddcaffb

2016-02-29 12:21:03

c_schmitz

Details Diff
Fixed issue 10608: Users can see each others contacts in the participant database Affected Issues
10608
mod - application/controllers/admin/participantsaction.php Diff File
mod - application/extensions/Menu/MenuWidget.php Diff File
mod - application/views/admin/participants/participantsPanel_view.php Diff File
mod - application/views/admin/super/_configuration_menu.php Diff File

Issue History

Date Modified Username Field Change
2016-02-26 20:23 johnnyfoster New Issue
2016-02-28 21:48 c_schmitz Assigned To => c_schmitz
2016-02-28 21:48 c_schmitz Status new => assigned
2016-02-29 13:21 c_schmitz Changeset attached => LimeSurvey master 3ddcaffb
2016-02-29 13:21 c_schmitz Note Added: 35775
2016-02-29 13:21 c_schmitz Resolution open => fixed
2016-02-29 13:25 c_schmitz Note Added: 35776
2016-02-29 13:25 c_schmitz Status assigned => resolved
2016-02-29 13:25 c_schmitz Fixed in Version => 2.5
2016-03-07 11:45 c_schmitz Note Added: 36026
2016-03-07 11:45 c_schmitz Status resolved => closed