View Issue Details

IDProjectCategoryView StatusLast Update
13582Feature requestsUser / Groups / Rolespublic2021-03-19 14:00
Reportergabrieljenik Assigned To 
PrioritylowSeverityfeature 
Status newResolutionreopened 
Summary13582: Can't make a user to be able to only access his individal templates
DescriptionLooking forward to allow a user to only update a certain template.
As that:
1 - I give global permission on "templates" to "read", if not the template editor menu entry is not shown.
2 - Setup individual permissions on each template for that user.

When going to the template editor the dropdown list shows all templates available to be edited.
TagsNo tags attached.

Relationships

related to 17190 closedgabrieljenik Bug reports Update Theme Permission Language 

Activities

Mazi

Mazi

2018-04-09 18:07

partner   ~47373

Sounds like a rather serious security issue if anyone can see/edit any template!ß
DenisChenu

DenisChenu

2018-04-10 16:58

developer   ~47389

Last edited: 2018-04-10 17:03

View 4 revisions

For information in 2.6lts, tested only template editor. About template rights : only one checkbox for each templates
- User have right on 2 templates, no global rights on templates : can not see Template Editor menu (didn't test if access is out too)
- User have right on 2 templates, + read global rights on templates : can see all templates editor, can not save one (even the 2 checked in templates rights).

PS1 : Finally : template rights (single) is used only for "usage in survey" rights, not in template editor
PS2 : seem mùore a feature request : Single template is "READ(use)" rights, not CRUD rights

ollehar

ollehar

2021-03-10 16:50

administrator   ~63022

Hello gabrieljenik,
This should already be fixed in recent versions.
Can you please check if this issue still exists in the latest version of LimeSurvey and let us know?
Thank you!
DenisChenu

DenisChenu

2021-03-10 17:47

developer   ~63113

I'm sure not …
There are no Permission system for template.

It's a feature
gabrieljenik

gabrieljenik

2021-03-17 16:31

manager   ~63407

Issue persists.
---
Created a user with View/read and Update permissions on Templates.
Edited "Template permissions" for that user, granting access to only two themes.

Logged in with that user and entered the "Themes" page. All themes are shown and all can be edited. Changes are saved.
---

Changes suggested:
- The user should only be able to operate accoridng to the permissions given on the templates he has been given acecss to.
- When a user creates a new theme, he would be receiving access to it.
gabrieljenik

gabrieljenik

2021-03-17 16:51

manager   ~63409

Created 17190 to avoid missunderstandings about the language
DenisChenu

DenisChenu

2021-03-17 17:22

developer   ~63413

> Changes suggested:

Create a complete Theme Permission system.

No ?


Else
> - When a user creates a new theme, he would be receiving access to it.

Can create a owner_id for template ? https://github.com/LimeSurvey/LimeSurvey/blob/226d4e8ae8759dc46378f2d3ebe749bacebbab8b/application/models/Permission.php#L759

But need to fix template (as directory) against Template : Template::model against TemplateConfig::model : created when a template is «installed»
Mazi

Mazi

2021-03-17 19:42

partner   ~63418

@gabrieljenik, should this work similar to a survey:
If I create a new survey, I have all the rights -> same can be applied to a theme.
If a survey is assigned to me, certain rights are defined. -> If I am assigned the right to access a template, the global template rights (e.g. view only or edit or ...) are applied.

Do you envision it to work like this?

Will this be adjusted for LS3 as well or LS 4 only?
DenisChenu

DenisChenu

2021-03-18 08:59

developer   ~63421

> Will this be adjusted for LS3 as well or LS 4 only?

My opinion : LS4 using `LimeSurvey\Models\Services\PermissionManager` and `UserPermissionsWidget` to manage the HTML.
gabrieljenik

gabrieljenik

2021-03-19 14:00

manager   ~63478

> Do you envision it to work like this?

Hi originally registered this ticket thinking the theme "access" permission provided access to the theme editor.
I was wrong. It was only for using it on surveys.

Then the ticket turned into a feature request.
But that is a confusion. I don't have any specific request nor expectation nor design previewed. :)

If something needs to be done, I would just add a permission system, as for individual surveys, but for individual themes.
Still, not sure if it is worth it right now.

Issue History

Date Modified Username Field Change
2018-04-09 18:04 gabrieljenik New Issue
2018-04-09 18:05 gabrieljenik Description Updated View Revisions
2018-04-09 18:07 Mazi Note Added: 47373
2018-04-10 09:46 Mazi Assigned To => LouisGac
2018-04-10 09:46 Mazi Status new => assigned
2018-04-10 16:58 DenisChenu Note Added: 47389
2018-04-10 17:00 DenisChenu Note Edited: 47389 View Revisions
2018-04-10 17:03 DenisChenu Note Edited: 47389 View Revisions
2018-04-10 17:03 DenisChenu Note Edited: 47389 View Revisions
2018-05-23 13:09 LouisGac Priority none => low
2019-11-01 17:26 c_schmitz Category User/User groups => User / Groups / Roles
2021-03-10 16:50 ollehar Status assigned => closed
2021-03-10 16:50 ollehar Resolution open => fixed
2021-03-10 16:50 ollehar Note Added: 63022
2021-03-10 17:47 DenisChenu Note Added: 63113
2021-03-10 17:54 ollehar Project Bug reports => Feature requests
2021-03-10 17:54 ollehar Severity @60@ => feature
2021-03-10 17:54 ollehar Status closed => new
2021-03-10 17:54 ollehar Resolution fixed => reopened
2021-03-17 16:31 gabrieljenik Note Added: 63407
2021-03-17 16:51 gabrieljenik Issue cloned: 17190
2021-03-17 16:51 gabrieljenik Relationship added related to 17190
2021-03-17 16:51 gabrieljenik Note Added: 63409
2021-03-17 17:22 DenisChenu Note Added: 63413
2021-03-17 17:22 DenisChenu Assigned To LouisGac =>
2021-03-17 19:42 Mazi Note Added: 63418
2021-03-18 08:59 DenisChenu Note Added: 63421
2021-03-19 14:00 gabrieljenik Note Added: 63478