View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 6
IDProjectCategoryView StatusDate SubmittedLast Update
12583Bug reportsData Entry (non public)public2017-08-09 12:442018-06-15 14:27
ReporterMazi Assigned Todominikvitt 
PriorityurgentSeveritypartial_block 
Status closedResolutionunable to reproduce 
Product Version2.67.x 
Summary12583: Users not allowed to edit data sets can edit data
Description

If I create a Limesurvey admin user who is only allowed to view and enter data sets for a certain survey (see attached screenshot for settings), there is still a way to edit a data set by viewing the data sets and clicking the "Edit this data set" button on the new screen.

Steps To Reproduce
  1. Create a Limesurvey user.
  2. For any test survey assign the user only the rights to view and enter data sets.
  3. Log in with the new user, go to the response overview and click the icon to view a certain data set.
  4. At the "View data set" screen there is a button on top "Edit this data set".
  5. When clicking that button you can change existing data and save even though you do not have the proper user rights.
TagsNo tags attached.
Attached Files
1_user_rights.png (47,262 bytes)   
1_user_rights.png (47,262 bytes)   
2_response_overview.png (62,745 bytes)   
2_response_overview.png (62,745 bytes)   
3_edit_data_set.png (33,344 bytes)   
3_edit_data_set.png (33,344 bytes)   
Bug heat6
Complete LimeSurvey version number (& build)Version 2.67.1+170626
I will donate to the project if issue is resolvedNo
BrowserChrome
Database type & versionMySQL 5.5
Server OS (if known)Ubuntu 14 TLS
Webserver software & version (if known)Apache 2.0
PHP Version5.5.9

Users monitoring this issue

There are no users monitoring this issue.

Activities

Mazi

Mazi

2017-08-09 12:45

updater   ~44285

@LouisGac: I had already shown the issue to Carsten on Skype and he asked to create this ticket and assign it to you.
Let me know if you need any further details.
dominikvitt

dominikvitt

2018-06-06 16:22

developer   ~48010

Unable to reproduce it completely, probably it is fixed already.
I'm able to follow your steps and click on "Edit this entry", but it shows only the blank screen when clicked on.
So, the user really can't change any response.
dominikvitt

dominikvitt

2018-06-06 16:28

developer   ~48011

"Edit this entry" button is now hidden for users who don't have update response permission.
https://github.com/LimeSurvey/LimeSurvey/commit/091be5a938dc8cea23c96fcea1575c472e673045
c_schmitz

c_schmitz

2018-06-15 14:27

administrator   ~48129

New version released.

Issue History

Date Modified Username Field Change
2017-08-09 12:44 Mazi New Issue
2017-08-09 12:44 Mazi Status new => assigned
2017-08-09 12:44 Mazi Assigned To => LouisGac
2017-08-09 12:44 Mazi File Added: 1_user_rights.png
2017-08-09 12:44 Mazi File Added: 2_response_overview.png
2017-08-09 12:44 Mazi File Added: 3_edit_data_set.png
2017-08-09 12:45 Mazi Note Added: 44285
2018-05-23 13:16 LouisGac Priority none => urgent
2018-06-04 14:44 LouisGac Assigned To LouisGac => dominikvitt
2018-06-06 16:22 dominikvitt Status assigned => resolved
2018-06-06 16:22 dominikvitt Resolution open => unable to reproduce
2018-06-06 16:22 dominikvitt Note Added: 48010
2018-06-06 16:28 dominikvitt Note Added: 48011
2018-06-15 14:27 c_schmitz Note Added: 48129
2018-06-15 14:27 c_schmitz Status resolved => closed