View Issue Details

ID: 11018
Project: Bug reports
Category: Security
View Status: public
Last Update: 2016-04-25 13:54
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.50.x
Fixed in Version: 2.50.x
Summary: 11018: [NOT security] user with only statistics access can see survey in list

Description

A user with only "survey statistics access" has no way to see it.

Steps To Reproduce

Create a user without any rights
Set "statistics" view right on a survey
Log out
Connect with this user
Search the survey link to see stat

Additional Information

In 2.05 and before: testing for list survey is done testing only if there is one SurveyPermission, then statistic is OK (test only on survey object)
https://github.com/LimeSurvey/LimeSurvey/blob/2.06lts/application/controllers/admin/surveyadmin.php#L573

But actually : https://github.com/LimeSurvey/LimeSurvey/blob/master/application/models/Survey.php#L878 we test surveycontent rights

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 160422
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Activities

DenisChenu (developer), 2016-04-22 16:24, ~37717

PS: doing a search on "model" only allows a plugin to use another minimal Permission on survey not managed by core Permission survey

DenisChenu (developer), 2016-04-22 16:31, ~37718

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=18697

DenisChenu (developer), 2016-04-22 16:32, ~37720

Controlled: need just a read access. @todo: test with only an export access too?
But export => read

Another right to allow? Read seems the best

c_schmitz (administrator), 2016-04-25 13:54, ~37784

Version 2.50+ Build 160425 released

Related Changesets

LimeSurvey: master 58b23fcf
DenisChenu, 2016-04-22 14:30:58

Fixed issue 11018: User with only statistics access can see survey in list
Dev: test only model entity + entity_id for listing
Dev: tested with only stat access: seems OK (no preview, can see some part: but can already see it in statistic)

Affected Issues: 11018
mod - application/models/Survey.php

Issue History

Date Modified Username Field Change
2016-04-22 16:23 DenisChenu New Issue
2016-04-22 16:24 DenisChenu Note Added: 37717
2016-04-22 16:31 DenisChenu Changeset attached => LimeSurvey master 58b23fcf
2016-04-22 16:31 DenisChenu Note Added: 37718
2016-04-22 16:31 DenisChenu Assigned To => DenisChenu
2016-04-22 16:31 DenisChenu Resolution open => fixed
2016-04-22 16:32 DenisChenu Note Added: 37720
2016-04-22 16:32 DenisChenu Status new => resolved
2016-04-22 16:32 DenisChenu Fixed in Version => 2.5
2016-04-25 13:54 c_schmitz Note Added: 37784
2016-04-25 13:54 c_schmitz Status resolved => closed