10608: Users can see each others contacts in the participant database

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

10608	Bug reports	Central participant database	public	2016-02-26 20:23	2016-03-07 11:45

Reporter	johnnyfoster	Assigned To	c_schmitz
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	2.50.x
Fixed in Version	2.50.x

Summary	10608: Users can see each others contacts in the participant database
Description	I have installed version 2.5. I have created a couple of users who have minimal permissions (Create survey and create participants panel) and are not Superadministrator. I have encountered the following problems: It is not possible to navigate to the Central participant database/panel menu without having superadministrator permissions however navigating directly to the URL I can access the panel correctly. When I am logged into a user account with Participant panel (create) permissions only, I can see other users contacts.
Steps To Reproduce	Create multiple user accounts with (Create) Central participant database and not superadministrator. When you login you will not be able to navigate to the centeral participants database at there is no such menu. Navigate manually and create some contacts. Login as another user. Navigate to the the Central participant database and you will be able to see and modify other users contacts.
Tags	No tags attached.

Bug heat	2
Complete LimeSurvey version number (& build)	160222
I will donate to the project if issue is resolved	No
Browser	Chrome
Database type & version	MySQL 5.5.44
Server OS (if known)	Centos
Webserver software & version (if known)	Apache 2.4
PHP Version	PHP 5.4.45

User List	There are no users monitoring this issue.

c_schmitz 2016-02-29 13:21 administrator ~35775	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=17679

c_schmitz 2016-02-29 13:25 administrator ~35776	I could not reproduce all issues - some of them may have been already fixed. I fixed the permission for the menu entries in general. However only giving 'create' permission for the CPDB does not make sense. The basic permission to give first is always a 'read' permission - for non-superadmin users it implies that they only see their own participants. Please check after the next build was released. If you still have issues then please create a new bug report.

c_schmitz 2016-03-07 11:45 administrator ~36026	Version 2.60 Build 150307 released

LimeSurvey: master 3ddcaffb 2016-02-29 13:21 c_schmitz Details Diff	Fixed issue 10608: Users can see each others contacts in the participant database	Affected Issues 10608
	mod - application/controllers/admin/participantsaction.php	Diff File
	mod - application/extensions/Menu/MenuWidget.php	Diff File
	mod - application/views/admin/participants/participantsPanel_view.php	Diff File
	mod - application/views/admin/super/_configuration_menu.php	Diff File

Date Modified	Username	Field	Change
2016-02-26 20:23	johnnyfoster	New Issue
2016-02-28 21:48	c_schmitz	Assigned To	=> c_schmitz
2016-02-28 21:48	c_schmitz	Status	new => assigned
2016-02-29 13:21	c_schmitz	Changeset attached	=> LimeSurvey master 3ddcaffb
2016-02-29 13:21	c_schmitz	Note Added: 35775
2016-02-29 13:21	c_schmitz	Resolution	open => fixed
2016-02-29 13:25	c_schmitz	Note Added: 35776
2016-02-29 13:25	c_schmitz	Status	assigned => resolved
2016-02-29 13:25	c_schmitz	Fixed in Version	=> 2.5
2016-03-07 11:45	c_schmitz	Note Added: 36026
2016-03-07 11:45	c_schmitz	Status	resolved => closed

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History