View Issue Details

ID: 15957
Project: Bug reports
Category: Other
View Status: public
Last Update: 2020-10-18 19:15
Reporter: ollehar
Assigned To: cdorin
Priority: high
Severity: partial_block
Status: assigned
Resolution: open
Product Version: 4.1.9
Target Version: 4.1.9
Summary: 15957: Add permission check for group creation
Description

In the code it looks like anyone logged in can add groups to any survey.

Check methods:

loadQuestionGroup
getQuestionsForGroup
saveQuestionGroupData
updateOrder
etc etc

Tags: No tags attached.
Complete LimeSurvey version number (& build): latest master
I will donate to the project if issue is resolved: No
Browser: -
Database & DB-Version: -
Server OS (if known): -
Webserver software & version (if known): -
PHP Version: -
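
The gap described above, as an added example (not LimeSurvey's code): a handler that only checks for a logged-in user, beside one that authorizes the requested survey id before writing. The grant table, the function names and the `surveycontent.create` action string are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed grant table (user id => survey id => actions); a stand-in, not LimeSurvey's Permission model.
const GRANTS = [
    7 => [101 => ['surveycontent.create']],
    8 => [202 => ['surveycontent.create']],
];

function hasSurveyPermission(int $userId, int $surveyId, string $action): bool
{
    return in_array($action, GRANTS[$userId][$surveyId] ?? [], true);
}

// "Before": authentication only. The survey id in the request body is trusted as-is.
function saveGroupUnchecked(?int $userId, array $post, array &$groups): int
{
    if ($userId === null) {
        return 401;
    }
    $groups[] = ['sid' => (int) $post['sid'], 'name' => (string) $post['name']];
    return 200;
}

// "After": the requested survey id is authorized against the session user before any write.
function saveGroupChecked(?int $userId, array $post, array &$groups): int
{
    if ($userId === null) {
        return 401;
    }
    $sid = filter_var($post['sid'] ?? null, FILTER_VALIDATE_INT);
    if ($sid === false) {
        return 400; // missing or non-numeric survey id
    }
    if (!hasSurveyPermission($userId, $sid, 'surveycontent.create')) {
        return 403; // logged in, but no create right on this survey
    }
    $groups[] = ['sid' => $sid, 'name' => (string) ($post['name'] ?? '')];
    return 200;
}

// Constructed request: user 8 is logged in but holds rights only on survey 202.
$post = ['sid' => '101', 'name' => 'Example group'];
$a = [];
$b = [];
printf("unchecked: %d, groups written: %d\n", saveGroupUnchecked(8, $post, $a), count($a));
printf("checked:   %d, groups written: %d\n", saveGroupChecked(8, $post, $b), count($b));
printf("owner:     %d, groups written: %d\n", saveGroupChecked(7, $post, $b), count($b));
```

The same per-survey check belongs in every method that takes a survey or group id from the request, including the read and reorder paths the report lists, not only the save path.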

Activities

cdorin

2020-03-16 18:28

manager   ~56575

Have you succeeded to reproduce it? Could you please provide the steps to reproduce it?

ollehar

2020-03-16 18:45

administrator   ~56578

No, you'd need to handcraft a POST request. But it's obvious when reading the code that permission checks are not in place.

cdorin

2020-10-18 19:15

manager   ~60244

@pstelling, is this covered by your permission-related task? :)

Issue History

Date Modified Username Field Change
2020-03-06 16:23 ollehar New Issue
2020-03-06 16:23 ollehar Priority none => high
2020-03-06 16:23 ollehar Description Updated
2020-03-16 18:29 cdorin Note Added: 56575
2020-03-16 18:29 cdorin Assigned To => cdorin
2020-03-16 18:29 cdorin Status new => feedback
2020-03-16 18:45 ollehar Note Added: 56578
2020-03-16 18:45 ollehar Status feedback => assigned
2020-10-18 19:15 cdorin Note Added: 60244