View Issue Details

ID: 14732
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2019-11-26 18:02
Reporter: carrasin
Assigned To: cdorin
Priority: none
Severity: block
Status: assigned
Resolution: open
Product Version: 3.16.x
Summary: 14732: Superadmin user cannot modify members of a group he doesn't belong to
Description

Superadmin users, including 'admin', can see all groups but cannot modify the groups' properties or members.

As I understand it, the security variable 'usercontrolSameGroupPolicy' only applies to non-admin users.

Below the buttons "Edit current user group" and "Delete current user group" it shows:

PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 19, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 26, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 27, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 34, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 35, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index

Steps To Reproduce
  1. As a superAdmin user, go to Configuration -> Create/edit user groups
  2. Click on "view users"; he/she gets a new window to edit the group's members but cannot delete users from the group (no Action buttons)
  3. In that window he/she cannot use the buttons "Edit current user group" or "Delete current user group", and below those buttons it shows the PHP Notice messages from the description
Additional Information

We modified two files in the code, which fixes the problem.

Tags: No tags attached.
Complete LimeSurvey version number (& build): LimeSurvey-3.15.9-190214
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: Postgresql 9.6
Server OS (if known): Debian GNU/Linux 9.8 (stretch)
Webserver software & version (if known):
PHP Version: 7.0

Activities

carrasin

2019-04-03 16:52

reporter  

superadmin_groups.diff (2,308 bytes)   
Sólo en /srv/limesurvey/limesurvey-3.15-20190228-094129/application/config: config.php
diff -ru application/core/Survey_Common_Action.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php
--- application/core/Survey_Common_Action.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php	2019-03-28 11:27:28.554748919 -0300
@@ -1157,7 +1157,7 @@
             if (!empty($ugid)) {
                 $userGroup = UserGroup::model()->findByPk($ugid);
                 $uid = Yii::app()->session['loginID'];
-                if ($userGroup && $userGroup->hasUser($uid)) {
+                if (($userGroup && $userGroup->hasUser($uid)) || Permission::model()->hasGlobalPermission('superadmin') ) {
                     $data['userGroup'] = $userGroup;
                 } else {
                     $data['userGroup'] = null;
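Review bot: in the changed condition the superadmin clause sits outside the `$userGroup &&` guard, so a superadmin requesting a `$ugid` for which `findByPk` returned nothing takes the first branch, and `$data['userGroup']` ends up null only because `$userGroup` itself is null. Grouping it as `$userGroup && ($userGroup->hasUser($uid) || Permission::model()->hasGlobalPermission('superadmin'))` makes the existence check cover both cases. This block only decides what is handed to the view in `$data['userGroup']`, so the actions that actually edit or delete the group should enforce the same member-or-superadmin rule on the server side; otherwise what the page shows and what the server accepts can diverge. There is also a stray space before the closing parenthesis.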
diff -ru application/views/admin/usergroup/viewUserGroup_view.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php
--- application/views/admin/usergroup/viewUserGroup_view.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php	2019-03-28 11:17:58.733479788 -0300
@@ -50,7 +50,7 @@
                         <tr class='<?php echo $currentuser["rowclass"];?>'>
                             <td align='center'>
                             <?php
-                            if(isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true && $currentuser["userid"] != '1')
+                            if ( (isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1')
                             { ?>
                                 <?php echo CHtml::form(array("admin/usergroups/sa/user/ugid/{$ugid}/action/remove"), 'post'); ?>
                                     <button  data-toggle="tooltip" data-placement="bottom" title="<?php eT('Delete');?>" type="submit" onclick='return confirm("<?php eT("Are you sure you want to delete this entry?","js");?>")' class="btn btn-default btn-xs ">
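Review bot: the new condition mixes `&&` and `||` without grouping the first pair, so it is correct only through operator precedence; write it as `((isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true) || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1'`. The permission lookup also runs inside the view for the row being rendered; computing it once in the controller and passing it alongside `displayactions` keeps authorization logic out of the template. Showing the form is presentation only: the handler behind `admin/usergroups/sa/user/ugid/{$ugid}/action/remove` needs the same superadmin check, and the `userid != '1'` exclusion, applied to the POST itself.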

Issue History

Date Modified Username Field Change
2019-04-03 16:52 carrasin New Issue
2019-04-03 16:52 carrasin File Added: superadmin_groups.diff
2019-11-01 17:26 c_schmitz Category User/User groups => User / Groups / Roles
2019-11-26 18:02 cdorin Assigned To => cdorin
2019-11-26 18:02 cdorin Status new => assigned