View Issue Details

IDProjectCategoryView StatusLast Update
14566Bug reports[All Projects] Securitypublic2019-03-21 14:42
Reporternaguibihelek Assigned ToLouisGac  
PriorityhighSeveritymajor 
Status assignedResolutionopen 
Product Version3.15.x 
Target VersionFixed in Version 
Summary14566: Any user can edit "Survey Group" details
Description

Shouldn't there be a permission setting to disallow anyone other than owners of the said group or super admins from making changes or even viewing the groups.

Steps To Reproduce

When any user logs in and goes to survey list they can select survey groups and open and make chages to the group details.
Can be somewhat catastrophic if someone was being malicious, and there is no way to know who did that.

TagsNo tags attached.
Complete LimeSurvey version number (& build)Version 3.15.9+190214
I will donate to the project if issue is resolvedNo
Browser
Database & DB-VersionDon’t know where to find this
Server OS (if known)Centos
Webserver software & version (if known)CENTOS 7.6 virtuozzo [vps] v78.0.11
PHP Version7.1

Activities

cdorin

cdorin

2019-03-07 17:04

manager   ~50823

Hello @naguibihelek,

The issue is with the "default" theme. My "test" user does not have any rights but I can still access and change the survey group theme settings. The survey permissions will have to be improved soon. Will assign it to @markusfluer.

Thanks for reporting it.

jeremyp

jeremyp

2019-03-21 14:42

reporter   ~51089

Hello @all

Same problem for me report in the formum (https://www.limesurvey.org/fr/forum/can-i-do-this-with-limesurvey/117997-survey-groups-functionality). Wait for a solution :)

Thanks.

Issue History

Date Modified Username Field Change
2019-02-22 17:01 naguibihelek New Issue
2019-03-07 17:04 cdorin Assigned To => markusfluer
2019-03-07 17:04 cdorin Priority none => high
2019-03-07 17:04 cdorin Status new => assigned
2019-03-07 17:04 cdorin Note Added: 50823
2019-03-21 14:31 cdorin Assigned To markusfluer => LouisGac
2019-03-21 14:42 jeremyp Note Added: 51089