View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 254
IDProjectCategoryView StatusDate SubmittedLast Update
11018Bug reportsSecuritypublic2016-04-22 16:232016-04-25 13:54
ReporterDenisChenu Assigned ToDenisChenu  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Product Version2.50.x 
Fixed in Version2.50.x 
Summary11018: [NOT security] user with only statistics access can see survey in list
Description

A user with only "survey statistics access" have no way to see it.

Steps To Reproduce

Create a user without any rights
Set "statistics" view right on a survey
Log out
Connect with this user
Search the survey link to see stat

Additional Information

In 2.05 and before : testing for list survey is done testing only if there are one SurveyPermission then statitic is OK (test only on survey object)
https://github.com/LimeSurvey/LimeSurvey/blob/2.06lts/application/controllers/admin/surveyadmin.php#L573

But actually : https://github.com/LimeSurvey/LimeSurvey/blob/master/application/models/Survey.php#L878 we test surveycontent rights

TagsNo tags attached.
Bug heat254
Complete LimeSurvey version number (& build)160422
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database type & versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2016-04-22 16:24

developer   ~37717

PS : do a serach on "model" only allow plugin to use another minimal Permission on survey not managed by core Permission survey
DenisChenu

DenisChenu

2016-04-22 16:31

developer   ~37718

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=18697
DenisChenu

DenisChenu

2016-04-22 16:32

developer   ~37720

Controlled : need just a read access. @todo : test with only a export access too ?
But export => read

ANother rights to allow ? read seems the best
c_schmitz

c_schmitz

2016-04-25 13:54

administrator   ~37784

Version 2.50+ Build 160425 released

Related Changesets

LimeSurvey: master 58b23fcf

2016-04-22 16:30

DenisChenu


Details Diff		 Fixed issue 11018: User with only statistics access can see survey in list
Dev: test only model entitity + entity_id for listing
Dev: tested with nonly stat access : seems OK (no preview, can see some part : but can already see it in statistic)		 Affected Issues
11018
mod - application/models/Survey.php Diff File

Issue History

Date Modified Username Field Change
2016-04-22 16:23 DenisChenu New Issue
2016-04-22 16:24 DenisChenu Note Added: 37717
2016-04-22 16:31 DenisChenu Changeset attached => LimeSurvey master 58b23fcf
2016-04-22 16:31 DenisChenu Note Added: 37718
2016-04-22 16:31 DenisChenu Assigned To => DenisChenu
2016-04-22 16:31 DenisChenu Resolution open => fixed
2016-04-22 16:32 DenisChenu Note Added: 37720
2016-04-22 16:32 DenisChenu Status new => resolved
2016-04-22 16:32 DenisChenu Fixed in Version => 2.5
2016-04-25 13:54 c_schmitz Note Added: 37784
2016-04-25 13:54 c_schmitz Status resolved => closed