View Issue Details

IDProjectCategoryView StatusLast Update
16509Bug reportsQuestion editorpublic2020-08-03 11:23
Reportergabrieljenik Assigned To 
PrioritynoneSeverityblock 
Status closedResolutionfixed 
Product Version4.3.4 
Summary16509: Permissions are weakly checked on conditions designer
Description

While reviewing 16127 got to see that permission checking wasn't checked properly

TagsNo tags attached.
Complete LimeSurvey version number (& build)4.3.4
I will donate to the project if issue is resolvedNo
Browser
Database & DB-VersionMysql
Server OS (if known)
Webserver software & version (if known)
PHP Version7

Relationships

related to 16127 closedJHoeck Copy condition and other buttons missing in top panel 

Activities

gabrieljenik

gabrieljenik

2020-07-21 02:23

developer   ~59010

Addedit in the same PR as in the screen reorg
https://github.com/LimeSurvey/LimeSurvey/pull/1494

sushmanadendla

sushmanadendla

2020-07-24 14:36

manager   ~59074

Tested the issue after pulling the PR, I see the copy conditions button and also the user does not have full access. I am not sure what other things to be tested here? Please refer the attachment for more details

16509_Permissions.png (184,035 bytes)
gabrieljenik

gabrieljenik

2020-07-24 15:08

developer   ~59075

I forsee the following testing scenarios:

0) Grab the url for the conditions manager for a given question. Ex:
http://<lspath>/index.php/admin/conditions/sa/index/subaction/editconditionsform/surveyid/279323/gid/27/qid/577

1) Create a user with no read permissions over a survey.
a) Make sure the user can't see the conditions for a question, even using the direct url.

2) Create a user with read permissions over a survey.
a) Make sure the user can see the conditions for a question
b) Make sure the user can't update nor add nor remove conditions for a question, even using direct url.

3) Create a user with update permissions over a survey (but not owner neither superadmin).
a) Make sure the user can see the conditions for a question
b) Make sure the user can update nor add nor remove conditions for a question.

Thanks

gabrieljenik

gabrieljenik

2020-07-24 15:09

developer   ~59076

Last edited: 2020-07-24 15:11

View 2 revisions

Tested the issue after pulling the PR, I see the copy conditions button and also the user does not have full access.

Ok, so test case #2 is not being tested successfully, right?

sushmanadendla

sushmanadendla

2020-07-24 15:21

manager   ~59079

Ok I will test this scenario's and get back to you

gabrieljenik

gabrieljenik

2020-07-24 19:47

developer   ~59086

Tested the issue after pulling the PR, I see the copy conditions button and also the user does not have full access. I am not sure what other things to be tested here? Please refer the attachment for more details

That screen doesn't look like the one redesigned.
This is the one for a redonly user.

image.png (94,109 bytes)   
image.png (94,109 bytes)   
sushmanadendla

sushmanadendla

2020-07-27 17:36

manager   ~59104

Tested the issue after pulling the PR, below are my findings. Please refer the attachment for more details

0) Grab the url for the conditions manager for a given question. Ex:
http://master.local/index.php?r=admin/conditions/sa/index/subaction/editconditionsform&surveyid=112615&gid=29&qid=1396

1) Create a user with no read permissions over a survey --Getting a forbidden message
a) Make sure the user can't see the conditions for a question, even using the direct url.

2) Create a user with read permissions over a survey. ---Working as expected
a) Make sure the user can see the conditions for a question
b) Make sure the user can't update nor add nor remove conditions for a question, even using direct url.

3) Create a user with update permissions over a survey (but not owner neither superadmin). --Getting a forbidden message
a) Make sure the user can see the conditions for a question
b) Make sure the user can update nor add nor remove conditions for a question.

4) Create a user with view & update permissions over a survey
a) Make sure the user can see the conditions for a question
b) Make sure the user can update nor add nor remove conditions for a question.

16509_Tim_ReadAccess.png (171,415 bytes)
gabrieljenik

gabrieljenik

2020-07-27 18:01

developer   ~59106

Understand #1 and #3 are working as expected, right?

sushmanadendla

sushmanadendla

2020-07-28 17:36

manager   ~59117

  1. When the user as read only permissions the user can't see the conditions for a question, even using the direct url. ---Working as expected
  2. When the user with update permissions over a survey user can't see the conditions for a question-- Update works with view been checked ---Working as expected
  3. When the user with view & update permissions over a survey user can add, update or delete conditions---Working as expected
eddylackmann007

eddylackmann007

2020-08-03 10:20

reporter   ~59249

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30337

lime_release_bot

lime_release_bot

2020-08-03 11:23

administrator   ~59254

Fixed in Release 4.3.8+200803

Related Changesets

LimeSurvey: master f8156841

2020-07-21 02:19:01

gabrieljenik


Committer: eddylackmann007 Details Diff
Fixed issue 16509: Permissions are weakly checked on conditions designer

Added permissions checking for update actions
Affected Issues
16509
mod - application/controllers/admin/conditionsaction.php Diff File
mod - application/views/admin/conditions/conditionshead_view.php Diff File
mod - application/views/admin/conditions/conditionslist_view.php Diff File

LimeSurvey: master 4333ad23

2020-07-27 16:49:56

gabrieljenik


Committer: eddylackmann007 Details Diff
Fixed issue 16509: Permissions are weakly checked on conditions designer

Added permissions checking for update actions
Affected Issues
16509
mod - application/views/admin/conditions/includes/conditionslist_footer_view.php Diff File

Issue History

Date Modified Username Field Change
2020-07-21 02:04 gabrieljenik New Issue
2020-07-21 02:23 gabrieljenik Relationship added related to 16127
2020-07-21 02:23 gabrieljenik Note Added: 59010
2020-07-24 14:36 sushmanadendla Note Added: 59074
2020-07-24 14:36 sushmanadendla File Added: 16509_Permissions.png
2020-07-24 15:08 gabrieljenik Note Added: 59075
2020-07-24 15:09 gabrieljenik Note Added: 59076
2020-07-24 15:11 gabrieljenik Note Edited: 59076 View Revisions
2020-07-24 15:21 sushmanadendla Note Added: 59079
2020-07-24 16:05 sushmanadendla File Deleted: 16509_RedDot.png
2020-07-24 19:47 gabrieljenik Note Added: 59086
2020-07-24 19:47 gabrieljenik File Added: image.png
2020-07-27 17:36 sushmanadendla Note Added: 59104
2020-07-27 17:36 sushmanadendla File Added: 16509_Tim_ReadAccess.png
2020-07-27 17:36 sushmanadendla File Added: 16509_Tim_NoReadAccess.png
2020-07-27 17:36 sushmanadendla File Added: 16509_Tim_UpdateAccess.png
2020-07-27 17:36 sushmanadendla File Added: 16509_Tim_View&UpdateAccess.png
2020-07-27 18:01 gabrieljenik Note Added: 59106
2020-07-28 17:36 sushmanadendla Note Added: 59117
2020-08-03 10:20 eddylackmann007 Changeset attached => LimeSurvey master 4333ad23
2020-08-03 10:20 eddylackmann007 Changeset attached => LimeSurvey master f8156841
2020-08-03 10:20 eddylackmann007 Note Added: 59249
2020-08-03 11:23 lime_release_bot Note Added: 59254
2020-08-03 11:23 lime_release_bot Status new => closed
2020-08-03 11:23 lime_release_bot Resolution open => fixed