View Issue Details

ID: 15957
Project: Bug reports
Category: Other
View Status: public
Last Update: 2020-12-29 09:36
Reporter: ollehar
Assigned To: pstelling
Priority: high
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 4.1.9
Target Version: 4.1.9
Fixed in Version: 4.4.0-RC1
Summary: 15957: Add permission check for group creation
Description: In the code it looks like anyone logged in can add groups to any survey.

Check methods:

loadQuestionGroup
getQuestionsForGroup
saveQuestionGroupData
updateOrder
etc etc
Tags: No tags attached.
Complete LimeSurvey version number (& build): latest master
I will donate to the project if issue is resolved: No
Browser: -
Database & DB-Version: -
Server OS (if known): -
Webserver software & version (if known): -
PHP Version: -

Activities

cdorin (manager), 2020-03-16 18:28, ~56575

Have you succeeded in reproducing it? Could you please provide the steps to reproduce it?

ollehar (administrator), 2020-03-16 18:45, ~56578

No, you'd need to handcraft a POST request. But it's obvious when reading the code that permission checks are not in place.

cdorin (manager), 2020-10-18 19:15, ~60244

@pstelling, is this covered by your permission-related task? :)
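
The check this issue asks for, as an added example that is not LimeSurvey's code and not part of the thread: one guard in front of the listed methods that denies by default and tests the permission against the survey the request targets. The permission names, the sample users and grants, the `sid`/`gid` parameter names and the `deleteGroup` action are assumptions.

```php
<?php
// Added example, not LimeSurvey code. Action names are from the issue; the
// permission each one needs and the data layout are assumptions.
const REQUIRED_PERMISSION = [
    'loadQuestionGroup'     => 'read',
    'getQuestionsForGroup'  => 'read',
    'saveQuestionGroupData' => 'update',
    'updateOrder'           => 'update',
];

// Constructed sample data: per-survey grants, and the survey owning each group.
$grants = ['alice' => [101 => ['read', 'update']], 'bob' => [202 => ['read', 'update']]];
$groupSurvey = [7 => 101, 9 => 202];

// Nothing in $post is trusted: ids are validated and the group is looked up.
function authorize(string $user, string $action, array $post, array $grants, array $groupSurvey): bool
{
    $map = REQUIRED_PERMISSION;
    $needed = $map[$action] ?? null;
    if ($needed === null) {
        return false; // deny by default: unmapped actions are refused
    }
    $sid = filter_var($post['sid'] ?? null, FILTER_VALIDATE_INT);
    if ($sid === false) {
        return false;
    }
    if (isset($post['gid'])) {
        $gid = filter_var($post['gid'], FILTER_VALIDATE_INT);
        // An existing group must belong to the survey named in the request.
        if ($gid === false || ($groupSurvey[$gid] ?? null) !== $sid) {
            return false;
        }
    } elseif ($action === 'saveQuestionGroupData') {
        $needed = 'create'; // saving without a gid creates a new group
    }
    return in_array($needed, $grants[$user][$sid] ?? [], true);
}

// bob is logged in but holds no permission on survey 101.
foreach (array_keys(REQUIRED_PERMISSION) as $action) {
    $bob = authorize('bob', $action, ['sid' => '101'], $grants, $groupSurvey);
    $alice = authorize('alice', $action, ['sid' => '101', 'gid' => '7'], $grants, $groupSurvey);
    printf("%-22s bob=%s alice=%s\n", $action, $bob ? 'allow' : 'deny', $alice ? 'allow' : 'deny');
}
// Two more cases: a group id owned by another survey, and an unmapped
// (hypothetical) action name.
var_dump(authorize('bob', 'updateOrder', ['sid' => '202', 'gid' => '7'], $grants, $groupSurvey));
var_dump(authorize('alice', 'deleteGroup', ['sid' => '101'], $grants, $groupSurvey));
```

Keeping the action-to-permission map in one place means a regression test can iterate over every controller method and fail when one is missing from the map.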

Issue History

Date Modified Username Field Change
2020-03-06 16:23 ollehar New Issue
2020-03-06 16:23 ollehar Priority none => high
2020-03-06 16:23 ollehar Description Updated
2020-03-16 18:29 cdorin Note Added: 56575
2020-03-16 18:29 cdorin Assigned To => cdorin
2020-03-16 18:29 cdorin Status new => feedback
2020-03-16 18:45 ollehar Note Added: 56578
2020-03-16 18:45 ollehar Status feedback => assigned
2020-10-18 19:15 cdorin Note Added: 60244
2020-12-28 18:31 cdorin Assigned To cdorin => pstelling
2020-12-28 18:31 cdorin Status assigned => new
2020-12-28 18:31 cdorin Status new => feedback
2020-12-29 09:36 cdorin Status feedback => closed
2020-12-29 09:36 cdorin Resolution open => fixed
2020-12-29 09:36 cdorin Fixed in Version => 4.4.0-RC1