View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|16428||Bug reports||Survey editing||public||2020-06-25 18:02||2020-10-30 09:25|
|Fixed in Version||4.3.23|
|Summary||16428: Simple user reset Survey group to default one|
|Description||A user with only some survey access reset the survey group|
|Steps To Reproduce||1. Create a user `restricted` with 'create survey right'|
2. Give him all rights on one survey
3. Set this survey to "TEST" group
4. Log out
5. Log in as `restricted` user
6. Edit survey global settings : survey is set to Default group
|Additional Information||See screencast|
Surely here since Survey group creation
With user management : survey group management can not be done
Since in 4.X : survey group used for "Theme settings" : this can reset "Logo" for example …
|Tags||No tags attached.|
|Complete LimeSurvey version number (& build)||4.3.1 github|
|I will donate to the project if issue is resolved||No|
|Database & DB-Version||not relevant|
|Server OS (if known)||not relevant|
|Webserver software & version (if known)||not relevant|
|PHP Version||not relevant|
Peek 25-06-2020 17-59.gif (1,857,004 bytes)
For this one : we need same system than template.
Default Survey group list are :
- Survey group with this user access
- `+` current survey group.
In this scenario:
- superadministrator should be the only one that has the right to edit global survey settings.
For survey group settings:
- CRUD permissions at the global user management level: Create, View/Read, Update, Delete
Would that be alright or is there any other possible scenario missing?
Not exactly , because in my opinion :
If a user can't read Group1 but a survey he can edit was in Group1 : Group1 must be in the list.
We don't need Permission here.
I check if theme has the same issue, if yes : it was already fixed before : but if a user doesn't have read right on a template (theme now) : we always add the template in the list.
|Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.|
> Really something should be done. Now a user can modify settings for the default survey group. It's much worse than just a logo.
? Can you explain ?
|User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.|
About 16428:58509, yes, I see your point.
Then we can think of:
- Create: create survey groups and edit your own survey groups
- Read/View: view all survey groups and their settings
- Update: update other survey group settings that are not yours
> User 1 can change the survey group settings so that email notifications (for example) are sent to third-parties if the survey "inherits" the value from group settings.
It's false : User 1 can not see group : he needs All survey access.
If user has only "create" rights : he can not see the group. Then he needs "Update all survey" or "See all survey" ?
> Then we can think of:
> - Create: create survey groups and edit your own survey groups
> - Read/View: view all survey groups and their settings
> - Update: update other survey group settings that are not yours
> - Delete
It's an easy step here, but still need Permission on group …
> It's false : User 1 can not see group : he need All survey access.
I just tested this on a fresh install... and you are right. But what has been changed, as I saw this problem earlier. What is exactly the permission needed to change for example "Send detailed admin notification email to:" -setting in the question group "Default"?
@Jmantysalo : I didn't know. All Permission on Survey group are unclear …
Maybe See all survey or Update all survey ?
> 5. Log in as restricted user
Which user is this?
> Create an user with 'create survey right'
> Give him all rights on one survey
The discussion about survey groups moved to 16440 . Is it ok if I close this ticket?
@Jmantysalo, I added you to the respective ticket as well.
> Is it ok if I close this ticket?
Yes, of course.
@cdorin : it's not related to a feature about SurveyGroup rights here .
Else : it broke again.
If user can update Survey1 in SurveyGroup1 but doesn't have read access on SurveyGroup1 : it broke again, it's reset again.
|Ah, I see - thanks for the additional info, @DenisChenu|
|I fix it quickly before working on real feature :)|
|Clone for 3.X|
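
The behaviour discussed in this ticket, as an added example that is not LimeSurvey code: the group dropdown is built only from groups the user can read, so a survey whose group is not readable is saved back under the first offered group, and the approach proposed in the notes (always include the survey's current group) prevents that. All function names and data are hypothetical, and the sketch assumes the edit form posts the first offered option when the current group is missing from the list.

```php
<?php
// Constructed sample data; names and structure are hypothetical, not LimeSurvey's schema.
$groups   = [1 => 'Default', 2 => 'TEST'];   // group id => name
$readable = ['restricted' => [1]];           // group ids each user may read

/** Options offered in the survey-group dropdown of the settings form. */
function groupOptions(array $groups, array $readableIds, int $currentGid, bool $keepCurrent): array
{
    $ids = $readableIds;
    if ($keepCurrent && !in_array($currentGid, $ids, true)) {
        $ids[] = $currentGid;                // proposed fix: always offer the survey's own group
    }
    return array_intersect_key($groups, array_flip($ids));
}

/** Assumed form behaviour: post the current value if offered, otherwise the first option. */
function submittedGid(array $options, int $currentGid): int
{
    return array_key_exists($currentGid, $options) ? $currentGid : array_key_first($options);
}

/** Server-side save: accept only an offered group, otherwise leave the survey unchanged. */
function saveGid(int $currentGid, int $postedGid, array $options): int
{
    return array_key_exists($postedGid, $options) ? $postedGid : $currentGid;
}

foreach ([false, true] as $keepCurrent) {
    $surveyGid = 2;                          // the survey starts in the "TEST" group
    $options   = groupOptions($groups, $readable['restricted'], $surveyGid, $keepCurrent);
    $posted    = submittedGid($options, $surveyGid);
    $surveyGid = saveGid($surveyGid, $posted, $options);
    printf(
        "%s: survey group after save = %s\n",
        $keepCurrent ? 'current group kept in list' : 'readable groups only',
        $groups[$surveyGid]
    );
}
```
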
|2020-06-25 18:02||DenisChenu||New Issue|
|2020-06-25 18:02||DenisChenu||File Added: Peek 25-06-2020 17-59.gif|
|2020-06-25 18:02||DenisChenu||Relationship added||child of 15421|
|2020-06-25 18:04||DenisChenu||Note Added: 58490|
|2020-06-25 18:04||DenisChenu||Note Edited: 58490||View Revisions|
|2020-06-25 18:07||DenisChenu||Assigned To||=> ollehar|
|2020-06-25 18:07||DenisChenu||Status||new => feedback|
|2020-06-25 22:02||cdorin||Note Added: 58503|
|2020-06-26 08:39||DenisChenu||Note Added: 58509|
|2020-06-26 08:39||DenisChenu||Status||feedback => assigned|
|2020-06-29 01:51||cdorin||Zoho Sprints||=> Yes|
||Zoho Sprints ID||=> 14469000000155001|
|2020-06-29 08:15||DenisChenu||Summary||Simple user reset Surevy group to default one => Simple user reset Survey group to default one|
|2020-06-29 14:30||Jmantysalo||Note Added: 58541|
|2020-06-29 14:44||DenisChenu||Note Added: 58542|
|2020-06-29 14:53||cdorin||Note Added: 58543|
|2020-06-29 14:57||cdorin||Note Added: 58544|
|2020-06-29 15:22||DenisChenu||Note Added: 58552|
|2020-06-29 15:23||DenisChenu||Note Added: 58553|
|2020-06-30 10:14||Jmantysalo||Note Added: 58571|
|2020-06-30 10:16||DenisChenu||Note Added: 58572|
|2020-06-30 15:02||ollehar||Note Added: 58580|
|2020-06-30 15:06||DenisChenu||Note Added: 58581|
|2020-06-30 15:08||DenisChenu||Steps to Reproduce Updated||View Revisions|
|2020-06-30 16:40||DenisChenu||Relationship replaced||related to 15421|
|2020-10-20 13:02||cdorin||Relationship added||related to 16440|
|2020-10-20 13:03||cdorin||Note Added: 60299|
|2020-10-20 13:03||cdorin||Assigned To||ollehar =>|
|2020-10-20 13:03||cdorin||Status||assigned => feedback|
|2020-10-20 13:16||Jmantysalo||Note Added: 60301|
|2020-10-20 14:26||DenisChenu||Note Added: 60304|
|2020-10-20 14:26||DenisChenu||Status||feedback => new|
|2020-10-20 15:17||cdorin||Note Added: 60308|
|2020-10-20 15:19||cdorin||Priority||none => normal|
|2020-10-20 15:19||cdorin||Status||new => confirmed|
|2020-10-20 15:19||cdorin||Zoho Sprints||Yes => Yes|
|2020-10-20 15:28||DenisChenu||Note Added: 60311|
|2020-10-20 15:28||DenisChenu||Assigned To||=> DenisChenu|
|2020-10-20 15:28||DenisChenu||Status||confirmed => assigned|
|2020-10-20 18:16||DenisChenu||Status||assigned => closed|
|2020-10-20 18:16||DenisChenu||Resolution||open => fixed|
|2020-10-20 18:16||DenisChenu||Note Added: 60317|
|2020-10-20 18:17||DenisChenu||Status||closed => feedback|
|2020-10-20 18:17||DenisChenu||Resolution||fixed => reopened|
|2020-10-20 18:17||DenisChenu||Issue cloned: 16766|
|2020-10-22 09:36||DenisChenu||Relationship added||related to 16766|
|2020-10-30 09:25||DenisChenu||Changeset attached||=> LimeSurvey master d4db1fe7|
|2020-10-30 09:25||DenisChenu||Status||feedback => closed|
|2020-10-30 09:25||DenisChenu||Fixed in Version||=> 4.3.23|
|2020-10-30 09:25||DenisChenu||Note Added: 60451|