View Issue Details

This bug affects 1 person(s).
ID: 11655
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2016-11-15 19:21
Reporter: agrupp
Assigned To: LouisGac
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 2.51.x
Summary: 11655: User can see surveys that do not belong to him
Description

I created a user and gave him just the right to create surveys. In the survey list the user can see none of the already existing surveys - that's the correct behaviour. The list is empty, great.

But just after login, on the very first page, the user sees the last opened survey of another user, by name and id. This is a data protection issue, unfortunately very relevant in my state of Germany :-(

Steps To Reproduce

Create a user, give just the right to create surveys. On the first login the user sees the last edited survey of another user.

Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 2.51.4+160908
I will donate to the project if issue is resolved: No
Browser: Firefox
Database type & version: MySQL
Server OS (if known): Linux CentOS
Webserver software & version (if known): Apache
PHP Version: 5.6

Users monitoring this issue

aesteban, DenisChenu

Activities

c_schmitz

2016-09-15 15:18

administrator   ~40788

This will be resolved with user settings.

jelo

2016-09-15 16:53

partner   ~40791

@c_schmitz: So, no bug just a misconfiguration?
You mean user permissions when writing user settings, right?

@agrupp:
https://manual.limesurvey.org/Manage_users#Setting_global_permissions_for_a_user
Did the user have only the right create checked (which includes seeing his own created surveys)? Or is view/read checked too?

c_schmitz

2016-09-15 16:56

administrator   ~40792

@jelo There will be a new table user_settings in one of the next versions which lets us save user-related settings and so fix this issue.

agrupp

2016-09-15 17:04

reporter   ~40793

@jelo: Yes, the user had only the permission to create surveys. So he is able to see his own surveys, which is intended and of course necessary. But, as reported, on the login page he could see the survey of another user, together with the title of the survey. This information is not good regarding data protection.

LouisGac

2016-11-14 16:44

developer   ~41910

I can't reproduce the bug. I bet it has been resolved when fixing another bug.
Please, try again and tell us if you can reproduce.

LouisGac

2016-11-15 19:21

developer   ~41971

Visibility of surveys has been changed a lot these last months.
We can't reproduce the bug, so it probably has been fixed in another commit.
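
The exposure described in this report and the per-user settings fix mentioned in note ~40792, modelled as an added example that is not LimeSurvey code and not from any participant in this thread. It assumes the "last opened survey" shortcut was kept in one shared setting, which the thread implies but does not confirm; all class, method and data names are hypothetical.

```python
# Added illustration: a constructed model, not LimeSurvey code.
# All names and data are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Survey:
    sid: int
    title: str
    owner: str

@dataclass
class App:
    surveys: dict = field(default_factory=dict)          # sid -> Survey
    global_settings: dict = field(default_factory=dict)  # shared by every account
    user_settings: dict = field(default_factory=dict)    # (user, key) -> value

    def can_read(self, user, sid):
        # Create-only users may read only the surveys they own.
        survey = self.surveys.get(sid)
        return survey is not None and survey.owner == user

    def open_survey(self, user, sid):
        if not self.can_read(user, sid):
            raise PermissionError(f"{user} may not open survey {sid}")
        self.global_settings["last_survey"] = sid          # assumed weak storage
        self.user_settings[(user, "last_survey")] = sid    # per-user storage

    def home_weak(self, user):
        # Shared value rendered with no ownership check: leaks id and title.
        survey = self.surveys.get(self.global_settings.get("last_survey"))
        return None if survey is None else (survey.sid, survey.title)

    def home_fixed(self, user):
        # Per-user value, re-checked at render time in case rights changed.
        sid = self.user_settings.get((user, "last_survey"))
        if sid is None or not self.can_read(user, sid):
            return None
        return (sid, self.surveys[sid].title)

def demo():
    app = App()
    app.surveys[1001] = Survey(1001, "Staff health check", "alice")  # constructed
    app.open_survey("alice", 1001)
    first = (app.home_weak("bob"), app.home_fixed("bob"), app.home_fixed("alice"))
    app.surveys[1001].owner = "carol"   # ownership moves away from alice
    return first + (app.home_fixed("alice"),)

if __name__ == "__main__":
    print(demo())
```

The render-time check in `home_fixed` matters even with per-user storage: a stored survey id can outlive the permission that allowed it to be opened.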

Issue History

Date Modified Username Field Change
2016-09-15 14:06 agrupp New Issue
2016-09-15 15:18 c_schmitz Note Added: 40788
2016-09-15 16:53 jelo Note Added: 40791
2016-09-15 16:56 c_schmitz Note Added: 40792
2016-09-15 17:04 agrupp Note Added: 40793
2016-09-17 13:34 aesteban Issue Monitored: aesteban
2016-10-17 12:31 ollehar Assigned To => ollehar
2016-10-17 12:31 ollehar Status new => assigned
2016-10-17 13:00 ollehar Assigned To ollehar =>
2016-10-17 13:00 ollehar Status assigned => new
2016-10-23 19:28 DenisChenu Issue Monitored: DenisChenu
2016-11-14 16:44 LouisGac Note Added: 41910
2016-11-14 16:44 LouisGac Assigned To => LouisGac
2016-11-14 16:44 LouisGac Status new => feedback
2016-11-15 19:21 LouisGac Status feedback => closed
2016-11-15 19:21 LouisGac Resolution open => fixed
2016-11-15 19:21 LouisGac Note Added: 41971
2019-11-01 17:26 c_schmitz Category User/User groups => User / Groups / Roles