16509: Permissions are weakly checked on conditions designer

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

16509	Bug reports	Question editor	public	2020-07-21 02:04	2020-08-03 11:23

Reporter	gabrieljenik	Assigned To
Priority	none	Severity	block
Status	closed	Resolution	fixed
Product Version	4.3.4

Summary	16509: Permissions are weakly checked on conditions designer
Description	While reviewing 16127 got to see that permission checking wasn't checked properly
Tags	No tags attached.

Bug heat	8
Complete LimeSurvey version number (& build)	4.3.4
I will donate to the project if issue is resolved	No
Browser
Database type & version	Mysql
Server OS (if known)
Webserver software & version (if known)
PHP Version	7

User List	There are no users monitoring this issue.

gabrieljenik 2020-07-21 02:23 manager ~59010	Addedit in the same PR as in the screen reorg https://github.com/LimeSurvey/LimeSurvey/pull/1494

~~user225042~~ 2020-07-24 14:36 ~59074	Tested the issue after pulling the PR, I see the copy conditions button and also the user does not have full access. I am not sure what other things to be tested here? Please refer the attachment for more details 16509_Permissions.png (184,035 bytes)

gabrieljenik 2020-07-24 15:08 manager ~59075	I forsee the following testing scenarios: 0) Grab the url for the conditions manager for a given question. Ex: http://<lspath>/index.php/admin/conditions/sa/index/subaction/editconditionsform/surveyid/279323/gid/27/qid/577 1) Create a user with no read permissions over a survey. a) Make sure the user can't see the conditions for a question, even using the direct url. 2) Create a user with read permissions over a survey. a) Make sure the user can see the conditions for a question b) Make sure the user can't update nor add nor remove conditions for a question, even using direct url. 3) Create a user with update permissions over a survey (but not owner neither superadmin). a) Make sure the user can see the conditions for a question b) Make sure the user can update nor add nor remove conditions for a question. Thanks

gabrieljenik 2020-07-24 15:09 manager ~59076 Last edited: 2020-07-24 15:11	Tested the issue after pulling the PR, I see the copy conditions button and also the user does not have full access. Ok, so test case #2 is not being tested successfully, right?

~~user225042~~ 2020-07-24 15:21 ~59079	Ok I will test this scenario's and get back to you

gabrieljenik 2020-07-24 19:47 manager ~59086	Tested the issue after pulling the PR, I see the copy conditions button and also the user does not have full access. I am not sure what other things to be tested here? Please refer the attachment for more details That screen doesn't look like the one redesigned. This is the one for a redonly user. image.png (94,109 bytes) image.png (94,109 bytes)

~~user225042~~ 2020-07-27 17:36 ~59104	Tested the issue after pulling the PR, below are my findings. Please refer the attachment for more details 0) Grab the url for the conditions manager for a given question. Ex: http://master.local/index.php?r=admin/conditions/sa/index/subaction/editconditionsform&surveyid=112615&gid=29&qid=1396 1) Create a user with no read permissions over a survey --Getting a forbidden message a) Make sure the user can't see the conditions for a question, even using the direct url. 2) Create a user with read permissions over a survey. ---Working as expected a) Make sure the user can see the conditions for a question b) Make sure the user can't update nor add nor remove conditions for a question, even using direct url. 3) Create a user with update permissions over a survey (but not owner neither superadmin). --Getting a forbidden message a) Make sure the user can see the conditions for a question b) Make sure the user can update nor add nor remove conditions for a question. 4) Create a user with view & update permissions over a survey a) Make sure the user can see the conditions for a question b) Make sure the user can update nor add nor remove conditions for a question. 16509_Tim_ReadAccess.png (171,415 bytes) 16509_Tim_NoReadAccess.png (141,687 bytes) 16509_Tim_UpdateAccess.png (148,068 bytes) 16509_Tim_View&UpdateAccess.png (179,253 bytes)

gabrieljenik 2020-07-27 18:01 manager ~59106	Understand #1 and #3 are working as expected, right?

~~user225042~~ 2020-07-28 17:36 ~59117	When the user as read only permissions the user can't see the conditions for a question, even using the direct url. ---Working as expected When the user with update permissions over a survey user can't see the conditions for a question-- Update works with view been checked ---Working as expected When the user with view & update permissions over a survey user can add, update or delete conditions---Working as expected

~~user234287~~ 2020-08-03 10:20 ~59249	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30337

lime_release_bot 2020-08-03 11:23 administrator ~59254	Fixed in Release 4.3.8+200803

LimeSurvey: master f8156841 2020-07-21 04:19 gabrieljenik Committer: ~~user234287~~ Details Diff	Fixed issue 16509: Permissions are weakly checked on conditions designer Added permissions checking for update actions	Affected Issues 16509
	mod - application/controllers/admin/conditionsaction.php	Diff File
	mod - application/views/admin/conditions/conditionshead_view.php	Diff File
	mod - application/views/admin/conditions/conditionslist_view.php	Diff File
LimeSurvey: master 4333ad23 2020-07-27 18:49 gabrieljenik Committer: ~~user234287~~ Details Diff	Fixed issue 16509: Permissions are weakly checked on conditions designer Added permissions checking for update actions	Affected Issues 16509
	mod - application/views/admin/conditions/includes/conditionslist_footer_view.php	Diff File

Date Modified	Username	Field	Change
2020-07-21 02:04	gabrieljenik	New Issue
2020-07-21 02:23	gabrieljenik	Relationship added	related to 16127
2020-07-21 02:23	gabrieljenik	Note Added: 59010
2020-07-24 14:36	~~user225042~~	Note Added: 59074
2020-07-24 14:36	~~user225042~~	File Added: 16509_Permissions.png
2020-07-24 15:08	gabrieljenik	Note Added: 59075
2020-07-24 15:09	gabrieljenik	Note Added: 59076
2020-07-24 15:11	gabrieljenik	Note Edited: 59076
2020-07-24 15:21	~~user225042~~	Note Added: 59079
2020-07-24 16:05	~~user225042~~	File Deleted: 16509_RedDot.png
2020-07-24 19:47	gabrieljenik	Note Added: 59086
2020-07-24 19:47	gabrieljenik	File Added: image.png
2020-07-27 17:36	~~user225042~~	Note Added: 59104
2020-07-27 17:36	~~user225042~~	File Added: 16509_Tim_ReadAccess.png
2020-07-27 17:36	~~user225042~~	File Added: 16509_Tim_NoReadAccess.png
2020-07-27 17:36	~~user225042~~	File Added: 16509_Tim_UpdateAccess.png
2020-07-27 17:36	~~user225042~~	File Added: 16509_Tim_View&UpdateAccess.png
2020-07-27 18:01	gabrieljenik	Note Added: 59106
2020-07-28 17:36	~~user225042~~	Note Added: 59117
2020-08-03 10:20	~~user234287~~	Changeset attached	=> LimeSurvey master 4333ad23
2020-08-03 10:20	~~user234287~~	Changeset attached	=> LimeSurvey master f8156841
2020-08-03 10:20	~~user234287~~	Note Added: 59249
2020-08-03 11:23	lime_release_bot	Note Added: 59254
2020-08-03 11:23	lime_release_bot	Status	new => closed
2020-08-03 11:23	lime_release_bot	Resolution	open => fixed

View Issue Details

Relationships

Users monitoring this issue

Activities

Related Changesets

Issue History