View Issue Details

ID: 16428
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2020-10-30 09:25
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: normal
Severity: minor
Status: closed
Resolution: reopened
Product Version: 4.3.1
Fixed in Version: 4.3.23
Summary: 16428: Simple user reset Survey group to default one
Description

A user with only some survey access resets the survey group

Steps To Reproduce
  1. Create a user restricted with 'create survey right'
  2. Give him all rights on one survey
  3. Set this survey to "TEST" group
  4. Log out
  5. Log in as restricted user
  6. Edit survey global settings : survey is set to Default group
Additional Information

See screencast

Surely here since Survey group creation

With user management : survey group management can not be done

Since in 4.X : survey group used for "Theme settings" : this can reset "Logo" for example …

Tags: No tags attached.
Attached Files: Peek 25-06-2020 17-59.gif (1,857,004 bytes)
Bug heat: 10
Complete LimeSurvey version number (& build): 4.3.1 github
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

related to 16440 resolved cdorin Feature requests Survey group Permission : minimal system
related to 15421 closed cdorin Feature requests Survey group Permission : minimal system
related to 16766 closed DenisChenu Bug reports Simple user reset Survey group to default one

Users monitoring this issue

Jmantysalo

Activities

DenisChenu

2020-06-25 18:04

developer   ~58490

Last edited: 2020-06-25 18:04

For this one: we need the same system as template.
Default Survey group list is:

  • Survey group with this user access
  • + current survey group.
cdorin

2020-06-25 22:02

reporter   ~58503

Last edited: 2020-06-29 01:51

In this scenario:

  • superadministrator should be the only one that has the right to edit global survey settings.

For survey group settings:

  • CRUD permissions at the global user management level: Create, View/Read, Update, Delete

Would that be alright, or is there any other possible scenario missing?

DenisChenu

2020-06-26 08:39

developer   ~58509

Last edited: 2020-06-29 01:51

Not exactly, because in my opinion:

If a user can't read Group1 but a survey he can edit was in Group1: Group1 must be in the list.

We don't need Permission here.

I check if theme has the same issue, if yes: it was already fixed before: but if a user doesn't have read right on a template (theme now): we always add the template in the list.

Jmantysalo

2020-06-29 14:30

reporter   ~58541

Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.

DenisChenu

2020-06-29 14:44

developer   ~58542

> Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.

? Can you explain ?

cdorin

2020-06-29 14:53

reporter   ~58543

User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.

cdorin

2020-06-29 14:57

reporter   ~58544

About 16428:58509, yes, I see your point.
Then we can think of:

  • Create: create survey groups and edit your own survey groups
  • Read/View: view all survey groups and their settings
  • Update: update other survey group settings that are not yours
  • Delete
DenisChenu

2020-06-29 15:22

developer   ~58552

> User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.

It's false: User 1 can not see group: he needs All survey access.

If user has only "create" rights: he can not see the group. Then he needs "Update all survey" or "See all survey"?

DenisChenu

2020-06-29 15:23

developer   ~58553

> Then we can think of:
>
>   • Create: create survey groups and edit your own survey groups
>   • Read/View: view all survey groups and their settings
>   • Update: update other survey group settings that are not yours
>   • Delete

It's an easy step here, but still need Permission on group …

Jmantysalo

2020-06-30 10:14

reporter   ~58571

> It's false: User 1 can not see group: he needs All survey access.

I just tested this on a fresh install... and you are right. But what has been changed, as I saw this problem earlier. What is exactly the permission needed to change for example "Send detailed admin notification email to:" -setting in the question group "Default"?

DenisChenu

2020-06-30 10:16

developer   ~58572

@Jmantysalo: I didn't know. All Permissions on Survey group are unclear …

Maybe See all survey or Update all survey ?

ollehar

2020-06-30 15:02

administrator   ~58580

> 1. Log in as restricted user

Which user is this?

DenisChenu

2020-06-30 15:06

developer   ~58581

Create a user with 'create survey right'
Give him all rights on one survey

cdorin

2020-10-20 13:03

reporter   ~60299

The discussion about survey groups moved to 16440. Is it ok if I close this ticket?
@Jmantysalo, I added you to the respective ticket as well.

Jmantysalo

2020-10-20 13:16

reporter   ~60301

> Is it ok if I close this ticket?

Yes, of course.

DenisChenu

2020-10-20 14:26

developer   ~60304

@cdorin: it's not related to a feature about SurveyGroup rights here.

Else: it broke again.

If user can update Survey1 in SurveyGroup1 but doesn't have read access on SurveyGroup1: it broke again, it's reset again.

cdorin

2020-10-20 15:17

reporter   ~60308

Ah, I see - thanks for the additional info, @DenisChenu

DenisChenu

2020-10-20 15:28

developer   ~60311

I fix it quickly before working on real feature :)

DenisChenu

2020-10-20 18:16

developer   ~60317

Clone for 3.X

DenisChenu

2020-10-30 09:25

developer   ~60451

https://bugs.limesurvey.org/plugin.php?page=Source/view&id=30644

Related Changesets

LimeSurvey: master d4db1fe7

2020-10-22 09:35:42

DenisChenu

Fixed issue 16766: Simple user reset Survey group to default one
Dev: use same criteria for search and list
Dev: cherry-picked OK
Affected Issues
16428, 16766
mod - application/models/SurveysGroups.php
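
The list rule proposed in note 58490 (groups the user can access, plus the survey's current group) and the failure case from note 60304, as an added PHP illustration that is not LimeSurvey's code and not the changeset above. The function names, the group ids and the assumption that the restricted user can read only the Default group are constructed for this sketch.

```php
<?php
// Added illustration: a simplified model, not LimeSurvey's SurveysGroups code.
// Function names and sample data are hypothetical.

/** Groups offered in the settings dropdown: readable groups plus the current one. */
function selectableGroups(array $allGroups, array $readableIds, int $currentGid): array
{
    $allowed = array_unique(array_merge($readableIds, [$currentGid]));
    // Keep the id => name pairs of allowed groups only.
    return array_intersect_key($allGroups, array_flip($allowed));
}

/** Group id to store on save: the submitted value counts only if it was selectable. */
function groupToSave(?int $submittedGid, array $allGroups, array $readableIds, int $currentGid): int
{
    $options = selectableGroups($allGroups, $readableIds, $currentGid);
    if ($submittedGid !== null && isset($options[$submittedGid])) {
        return $submittedGid;
    }
    // Missing or disallowed value: keep the stored group, never fall back to a default.
    return $currentGid;
}

// Constructed data: group 1 is "Default", the survey sits in group 2 ("TEST").
$allGroups   = [1 => 'Default', 2 => 'TEST', 3 => 'Other team'];
$readableIds = [1]; // assumption: the restricted user can read only the default group
$currentGid  = 2;

// Readable-only list (the reported behaviour): "TEST" is missing, so the form
// shows another group and saving it moves the survey.
$readableOnly = array_intersect_key($allGroups, array_flip($readableIds));
echo 'readable only:      ', implode(', ', $readableOnly), PHP_EOL;

// Readable groups plus the survey's current group.
$options = selectableGroups($allGroups, $readableIds, $currentGid);
echo 'with current group: ', implode(', ', $options), PHP_EOL;

// Save-side check for: unchanged value, unreadable group, absent field, permitted move.
foreach ([2, 3, null, 1] as $submitted) {
    $stored = groupToSave($submitted, $allGroups, $readableIds, $currentGid);
    echo 'submitted ', var_export($submitted, true), ' -> stored ', $stored, PHP_EOL;
}
```

Filtering the dropdown only changes what the form shows; the check in `groupToSave` is what stops a submitted value from moving the survey into a group the user was never offered.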

Issue History

Date Modified Username Field Change
2020-06-25 18:02 DenisChenu New Issue
2020-06-25 18:02 DenisChenu File Added: Peek 25-06-2020 17-59.gif
2020-06-25 18:02 DenisChenu Relationship added child of 15421
2020-06-25 18:04 DenisChenu Note Added: 58490
2020-06-25 18:04 DenisChenu Note Edited: 58490
2020-06-25 18:07 DenisChenu Assigned To => ollehar
2020-06-25 18:07 DenisChenu Status new => feedback
2020-06-25 22:02 cdorin Note Added: 58503
2020-06-26 08:39 DenisChenu Note Added: 58509
2020-06-26 08:39 DenisChenu Status feedback => assigned
2020-06-29 01:49 cdorin Issue Monitored: Jmantysalo
2020-06-29 01:51 cdorin Zoho Sprints => |Yes|
2020-06-29 01:51 swendrich Zoho Sprints ID => 14469000000155001
2020-06-29 08:15 DenisChenu Summary Simple user reset Surevy group to default one => Simple user reset Survey group to default one
2020-06-29 14:30 Jmantysalo Note Added: 58541
2020-06-29 14:44 DenisChenu Note Added: 58542
2020-06-29 14:53 cdorin Note Added: 58543
2020-06-29 14:57 cdorin Note Added: 58544
2020-06-29 15:22 DenisChenu Note Added: 58552
2020-06-29 15:23 DenisChenu Note Added: 58553
2020-06-30 10:14 Jmantysalo Note Added: 58571
2020-06-30 10:16 DenisChenu Note Added: 58572
2020-06-30 15:02 ollehar Note Added: 58580
2020-06-30 15:06 DenisChenu Note Added: 58581
2020-06-30 15:08 DenisChenu Steps to Reproduce Updated
2020-06-30 16:40 DenisChenu Relationship replaced related to 15421
2020-10-20 13:02 cdorin Relationship added related to 16440
2020-10-20 13:03 cdorin Note Added: 60299
2020-10-20 13:03 cdorin Assigned To ollehar =>
2020-10-20 13:03 cdorin Status assigned => feedback
2020-10-20 13:16 Jmantysalo Note Added: 60301
2020-10-20 14:26 DenisChenu Note Added: 60304
2020-10-20 14:26 DenisChenu Status feedback => new
2020-10-20 15:17 cdorin Note Added: 60308
2020-10-20 15:19 cdorin Priority none => normal
2020-10-20 15:19 cdorin Status new => confirmed
2020-10-20 15:19 cdorin Zoho Sprints Yes => |Yes|
2020-10-20 15:28 DenisChenu Note Added: 60311
2020-10-20 15:28 DenisChenu Assigned To => DenisChenu
2020-10-20 15:28 DenisChenu Status confirmed => assigned
2020-10-20 18:16 DenisChenu Status assigned => closed
2020-10-20 18:16 DenisChenu Resolution open => fixed
2020-10-20 18:16 DenisChenu Note Added: 60317
2020-10-20 18:17 DenisChenu Status closed => feedback
2020-10-20 18:17 DenisChenu Resolution fixed => reopened
2020-10-20 18:17 DenisChenu Issue cloned: 16766
2020-10-22 09:36 DenisChenu Relationship added related to 16766
2020-10-30 09:25 DenisChenu Changeset attached => LimeSurvey master d4db1fe7
2020-10-30 09:25 DenisChenu Status feedback => closed
2020-10-30 09:25 DenisChenu Fixed in Version => 4.3.23
2020-10-30 09:25 DenisChenu Note Added: 60451
2021-08-02 17:18 guest Bug heat 8 => 10