View Issue Details

ID: 14732
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2021-03-08 19:35
Reporter: carrasin
Assigned To: c_schmitz
Priority: low
Severity: block
Status: closed
Resolution: fixed
Product Version: 3.16.x
Fixed in Version: 3.25.17
Summary: 14732: Superadmin user cannot modify members of a group he doesn't belong to
Description: Superadmin users including 'admin' can see all groups but cannot modify the group properties or members.

As I understand it, the security variable 'usercontrolSameGroupPolicy' only applies to non-admin users.

Below the buttons "Edit current user group" and "Delete current user group" it shows :

PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 19, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 26, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 27, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 34, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 35, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
Steps To Reproduce:
1. As a superAdmin user, go to Configuration -> Create/edit user groups
2. Click on "view users"; he/she gets a new window to edit the group's members but cannot delete users from the group (no Action buttons)
3. In that window he/she cannot use the buttons "Edit current user group" or "Delete current user group". Below those buttons it shows the PHP Notice messages from the description
Additional Information: We modified two files from the code that fix the problem
Tags: No tags attached.
Complete LimeSurvey version number (& build): LimeSurvey-3.15.9-190214
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: Postgresql 9.6
Server OS (if known): Debian GNU/Linux 9.8 (stretch)
Webserver software & version (if known):
PHP Version: 7.0

Activities

carrasin

2019-04-03 16:52

reporter  

superadmin_groups.diff (2,308 bytes)   
Sólo en /srv/limesurvey/limesurvey-3.15-20190228-094129/application/config: config.php
diff -ru application/core/Survey_Common_Action.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php
--- application/core/Survey_Common_Action.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php	2019-03-28 11:27:28.554748919 -0300
@@ -1157,7 +1157,7 @@
             if (!empty($ugid)) {
                 $userGroup = UserGroup::model()->findByPk($ugid);
                 $uid = Yii::app()->session['loginID'];
-                if ($userGroup && $userGroup->hasUser($uid)) {
+                if (($userGroup && $userGroup->hasUser($uid)) || Permission::model()->hasGlobalPermission('superadmin') ) {
                     $data['userGroup'] = $userGroup;
                 } else {
                     $data['userGroup'] = null;
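Review bot: In the changed condition of Survey_Common_Action.php, the `$userGroup &&` null check now guards only the membership test, so a superadmin request whose `findByPk($ugid)` returns nothing takes the first branch and stores null in `$data['userGroup']`. The result happens to match the else branch, but the intent is clearer, and the branch stays safe if it later dereferences the group, when written as `if ($userGroup && ($userGroup->hasUser($uid) || Permission::model()->hasGlobalPermission('superadmin')))`. The stray space before the closing parenthesis can go as well.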
diff -ru application/views/admin/usergroup/viewUserGroup_view.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php
--- application/views/admin/usergroup/viewUserGroup_view.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php	2019-03-28 11:17:58.733479788 -0300
@@ -50,7 +50,7 @@
                         <tr class='<?php echo $currentuser["rowclass"];?>'>
                             <td align='center'>
                             <?php
-                            if(isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true && $currentuser["userid"] != '1')
+                            if ( (isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1')
                             { ?>
                                 <?php echo CHtml::form(array("admin/usergroups/sa/user/ugid/{$ugid}/action/remove"), 'post'); ?>
                                     <button  data-toggle="tooltip" data-placement="bottom" title="<?php eT('Delete');?>" type="submit" onclick='return confirm("<?php eT("Are you sure you want to delete this entry?","js");?>")' class="btn btn-default btn-xs ">
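Review bot: The superadmin check added to the `if` in viewUserGroup_view.php governs only whether the remove button is rendered, so the handler behind `admin/usergroups/sa/user/ugid/{$ugid}/action/remove` needs the same superadmin-or-member rule enforced server-side; this diff does not show that handler, and it should be confirmed before merging. Inside the new parentheses the mixed `&&` / `||` relies on operator precedence; grouping the `isset(...) && ... == true` pair explicitly would make the intended logic readable at a glance. `Permission::model()->hasGlobalPermission('superadmin')` also appears to be evaluated once per user row here and could be computed once above the table.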
c_schmitz

2021-03-05 17:27

administrator   ~62799

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31278
c_schmitz

2021-03-05 17:28

administrator   ~62800

Thank you for the patch!
c_schmitz

2021-03-05 17:34

administrator   ~62803

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31279
carrasin

2021-03-05 18:52

reporter   ~62805

You're welcome, thanks for the tool!

Related Changesets

LimeSurvey: 3.x-LTS 16d62242

2021-03-05 17:27:42

c_schmitz

Fixed issue 14732: Superadmin user cannot modify members of a group he is not a member of
Affected Issues: 14732
mod - application/core/Survey_Common_Action.php
mod - application/views/admin/usergroup/viewUserGroup_view.php

LimeSurvey: master 506c5d02

2021-03-05 17:27:42

c_schmitz

Fixed issue 14732: Superadmin user cannot modify members of a group he is not a member of
Affected Issues: 14732
mod - application/core/Survey_Common_Action.php
mod - application/views/userGroup/viewUserGroup_view.php

Issue History

Date Modified Username Field Change
2019-04-03 16:52 carrasin New Issue
2019-04-03 16:52 carrasin File Added: superadmin_groups.diff
2019-11-01 17:26 c_schmitz Category User/User groups => User / Groups / Roles
2019-11-26 18:02 cdorin Assigned To => cdorin
2019-11-26 18:02 cdorin Status new => assigned
2021-02-08 17:07 cdorin Assigned To cdorin =>
2021-02-08 17:07 cdorin Priority none => low
2021-02-08 17:07 cdorin Status assigned => confirmed
2021-02-08 17:07 cdorin Description Updated
2021-02-08 17:07 cdorin Steps to Reproduce Updated
2021-02-08 17:07 cdorin Additional Information Updated
2021-03-05 17:27 c_schmitz Assigned To => c_schmitz
2021-03-05 17:27 c_schmitz Status confirmed => assigned
2021-03-05 17:27 c_schmitz Changeset attached => LimeSurvey 3.x-LTS 16d62242
2021-03-05 17:27 c_schmitz Note Added: 62799
2021-03-05 17:27 c_schmitz Resolution open => fixed
2021-03-05 17:27 c_schmitz Status assigned => resolved
2021-03-05 17:28 c_schmitz Note Added: 62800
2021-03-05 17:34 c_schmitz Changeset attached => LimeSurvey master 506c5d02
2021-03-05 17:34 c_schmitz Note Added: 62803
2021-03-05 18:52 carrasin Note Added: 62805
2021-03-08 19:35 c_schmitz Fixed in Version => 3.25.17
2021-03-08 19:35 c_schmitz Status resolved => closed