View Issue Details

ID: 14732
Project: Bug reports
Category: [All Projects] User/User groups
View Status: public
Last Update: 2019-04-03 16:52
Reporter: carrasin
Assigned To:
Priority: none
Severity: crash
Status: new
Resolution: open
Product Version: 3.16.x
Target Version:
Fixed in Version:
Summary: 14732: Superadmin user cannot modify members of a group he doesn't belong to
Description

Superadmin users including 'admin' can see all groups but cannot modify the groups' properties or members.

As I understand, the security variable 'usercontrolSameGroupPolicy' only applies to non-admin users.

Below the buttons "Edit current user group" and "Delete current user group" it shows:

PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 19, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 26, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 27, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 34, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 35, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index

Steps To Reproduce
  1. As a superadmin user, go to Configuration -> Create/edit user groups.
  2. Click on "view users"; he/she gets a new window to edit the group's members but cannot delete users from the group (no Action buttons).
  3. In that window he/she cannot use the buttons "Edit current user group" or "Delete current user group". Below those buttons it shows the PHP Notice messages from the description.
Additional Information

We modified two files in the code, which fixes the problem.

Tags: No tags attached.
Complete LimeSurvey version number (& build): LimeSurvey-3.15.9-190214
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: Postgresql 9.6
Server OS (if known): Debian GNU/Linux 9.8 (stretch)
Webserver software & version (if known):
PHP Version: 7.0

Activities

carrasin (reporter)

2019-04-03 16:52

superadmin_groups.diff (2,308 bytes)
Sólo en /srv/limesurvey/limesurvey-3.15-20190228-094129/application/config: config.php
diff -ru application/core/Survey_Common_Action.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php
--- application/core/Survey_Common_Action.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php	2019-03-28 11:27:28.554748919 -0300
@@ -1157,7 +1157,7 @@
             if (!empty($ugid)) {
                 $userGroup = UserGroup::model()->findByPk($ugid);
                 $uid = Yii::app()->session['loginID'];
-                if ($userGroup && $userGroup->hasUser($uid)) {
+                if (($userGroup && $userGroup->hasUser($uid)) || Permission::model()->hasGlobalPermission('superadmin') ) {
                     $data['userGroup'] = $userGroup;
                 } else {
                     $data['userGroup'] = null;
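Review bot: In the rewritten `if` condition the superadmin check sits outside the `$userGroup &&` guard, so for a superadmin the first branch is taken even when `findByPk($ugid)` returned nothing. `$data['userGroup']` still ends up null in that case, so behaviour is unchanged today, but the intent is clearer and survives later edits if the guard wraps both alternatives: `if ($userGroup && ($userGroup->hasUser($uid) || Permission::model()->hasGlobalPermission('superadmin')))`. Please also drop the stray space before the closing parenthesis. This hunk only decides what the view receives in `$data['userGroup']`; the handlers behind the edit and delete buttons are not part of this patch and should apply the same rule.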
diff -ru application/views/admin/usergroup/viewUserGroup_view.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php
--- application/views/admin/usergroup/viewUserGroup_view.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php	2019-03-28 11:17:58.733479788 -0300
@@ -50,7 +50,7 @@
                         <tr class='<?php echo $currentuser["rowclass"];?>'>
                             <td align='center'>
                             <?php
-                            if(isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true && $currentuser["userid"] != '1')
+                            if ( (isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1')
                             { ?>
                                 <?php echo CHtml::form(array("admin/usergroups/sa/user/ugid/{$ugid}/action/remove"), 'post'); ?>
                                     <button  data-toggle="tooltip" data-placement="bottom" title="<?php eT('Delete');?>" type="submit" onclick='return confirm("<?php eT("Are you sure you want to delete this entry?","js");?>")' class="btn btn-default btn-xs ">
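Review bot: The superadmin check added to the `if` in this view only decides whether the remove form is rendered; the handler for `admin/usergroups/sa/user/ugid/{$ugid}/action/remove` is not touched by this patch, so authorization for the removal still has to be enforced there and not inferred from the button being visible. Prefer setting `$currentuser["displayactions"]` where the user list is built rather than calling `Permission::model()` from the template. If the check stays in the view, parenthesize the `&&` term explicitly instead of relying on `&&` binding tighter than `||`, for example `((isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true) || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1'`.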

Issue History

Date Modified | Username | Field | Change
2019-04-03 16:52 | carrasin | New Issue |
2019-04-03 16:52 | carrasin | File Added: superadmin_groups.diff |