View Issue Details

IDProjectCategoryView StatusLast Update
16958Bug reportsUser / Groups / Rolespublic2021-04-11 10:33
ReporterDenisChenu Assigned Togabrieljenik  
PriorityhighSeverityminor 
Status resolvedResolutionfixed 
Product Version4.3.33 
Summary16958: User with roles can not have more rights …
DescriptionIf you set an user with a roles : this user can not have more right
Steps To ReproduceCreate an user
Create a role : set Label sets to ON (for example)
Try to give more right to user : sghow OK
Edit Permission : permission is not set
Additional Informationhttps://github.com/LimeSurvey/LimeSurvey/blob/68ce18e22194171e1c56c27f36ad7ce5b34adc8a/application/models/Permission.php#L504 issue : return false

And more : test is **stupid** ! totally stupid : why check ALL roles permission if you need only one … permission : just check if this role have this permission …
TagsNo tags attached.
Complete LimeSurvey version number (& build)4.3.32
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database & DB-Versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Activities

DenisChenu

DenisChenu

2021-01-08 09:58

developer  

Peek 08-01-2021 09-48.gif (1,584,891 bytes)
DenisChenu

DenisChenu

2021-01-08 10:02

developer   ~61459

Lol : remove login permission …

This feature are really tested ?

This feature **must be moved** to a core plugin or extension …
Peek 08-01-2021 10-01.gif (788,209 bytes)
DenisChenu

DenisChenu

2021-02-10 15:45

developer   ~62113

See : https://forums.limesurvey.org/forum/installation-a-update-issues/123615-user-can-see-own-survey-but-can-t-access-it#211811

Maybe usage is (for example)

Create a role "User log in"
Create a role "user survey update"
Create a role "Use survey read"

And give multiple role to a user ?

I don't know …
c_schmitz

c_schmitz

2021-03-16 07:57

administrator   ~63386

To be honest. I don't understand the issue. Can you explain in French maybe? Or use https://www.deepl.com/translator ?
DenisChenu

DenisChenu

2021-03-16 08:28

developer   ~63387

Screencast https://bugs.limesurvey.org/view.php?id=16958#c61459 show an issue

If dummyuser have a role with only "create survey" : he can not login , even if he has login right on User right.
User cannot have more right than roles.

If usere have one role and this role doens't allow "Login via DB" : user can not login via DB.

I make some screenshit to explain step by step.
Maybe it's the desired behaviour but must be documented and explain clearly.
DenisChenu

DenisChenu

2021-03-16 08:38

developer   ~63388

1. Create a role without any right (Test roles) : UserRole-issue-00
2. Create an user and give some right : UserRole-issue-01
3. Assign previous role to this user Test roles : UserRole-issue-02
4. Check user right : UserRole-issue-03
5. Give some user right : UserRole-issue-04
6. Save : see the OK : UserRole-issue-05
7. Check user right : no right : UserRole-issue-06

It's the desired behaviour ? Maybe but then

1. must be documented : https://manual.limesurvey.org/Manage_roles it's "The roles that a user is assigned to provides the permissions they need for their role. " provice don't mean remove
2. Must be show clearly in GUI : show a sentence in user right and disable all checkbox for example.
UserRole-issue-05.png (8,215 bytes)   
UserRole-issue-05.png (8,215 bytes)   
UserRole-issue-06.png (85,036 bytes)   
UserRole-issue-06.png (85,036 bytes)   
UserRole-issue-00.png (71,963 bytes)   
UserRole-issue-00.png (71,963 bytes)   
UserRole-issue-01.png (91,534 bytes)   
UserRole-issue-01.png (91,534 bytes)   
UserRole-issue-02.png (13,292 bytes)   
UserRole-issue-02.png (13,292 bytes)   
UserRole-issue-03.png (86,891 bytes)   
UserRole-issue-03.png (86,891 bytes)   
UserRole-issue-04.png (86,995 bytes)   
UserRole-issue-04.png (86,995 bytes)   
gabrieljenik

gabrieljenik

2021-03-25 13:14

manager   ~63599

So right now, permissions can't be added to a user with roles.
Maybe by design. Myabe a bug?
Initially will show a message stating that is not possible.
Then review what is the desired behaviour.
Should it be allowed to add permissions individually besides than having a role?
c_schmitz

c_schmitz

2021-03-25 18:30

administrator   ~63630

Last edited: 2021-03-25 18:31

View 2 revisions

ok, so we have to different systems here: RBAC (Role-based access) and UBAC (user-based access)

Both systems basically exclude each other.

So, if a role is assigned then the application should confirm: "Do you want to remove all user permission and assign the role instead?"

If you edit the permission on a user with a role it should discard the role with a similar message: "Do you want to remove the role(s) and assign individual user permissions?"

If you add several roles to the same user the permissions are/should be cumulative.

The interface needs to reflect that.
DenisChenu

DenisChenu

2021-03-25 18:53

developer   ~63631

> The interface needs to reflect that.

yes :)
gabrieljenik

gabrieljenik

2021-04-01 15:56

manager   ~63780

In the assignment of roles there was already a message, which always appears: roles.png

Added a warning message to the assignment of permissions, which appears only if the user has some role assigned: permissions.png
I placed it close to the save button.

Also modified the controller so that it effectively cleans up the roles when you assign individual permissions.

PR: https://github.com/LimeSurvey/LimeSurvey/pull/1835
gabrieljenik

gabrieljenik

2021-04-07 10:28

manager   ~63852

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31550

Related Changesets

LimeSurvey: master 83668ed3

2021-04-07 10:28:41

gabrieljenik


Committer: GitHub Details Diff
Fixed issue 16958: User with roles can not have more rights (#1835)

Added a warning message to the assignment of permissions. Modified the controller so that it effectively cleans up the roles when you assign individual permissions.
Affected Issues
16958
mod - application/controllers/UserManagementController.php Diff File
mod - application/views/userManagement/partial/editpermissions.php Diff File

Issue History

Date Modified Username Field Change
2021-01-08 09:58 DenisChenu New Issue
2021-01-08 09:58 DenisChenu File Added: Capture d’écran du 2021-01-08 09-44-37.png
2021-01-08 09:58 DenisChenu File Added: Peek 08-01-2021 09-48.gif
2021-01-08 10:02 DenisChenu Note Added: 61459
2021-01-08 10:02 DenisChenu File Added: Peek 08-01-2021 10-01.gif
2021-01-12 20:07 DenisChenu Summary User with roles can npot have more rights … => User with roles can not have more rights …
2021-02-07 20:40 cdorin Priority none => high
2021-02-07 20:40 cdorin Status new => confirmed
2021-02-10 15:45 DenisChenu Note Added: 62113
2021-03-16 07:57 c_schmitz Note Added: 63386
2021-03-16 08:28 DenisChenu Note Added: 63387
2021-03-16 08:38 DenisChenu Note Added: 63388
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-01.png
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-02.png
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-03.png
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-04.png
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-05.png
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-06.png
2021-03-16 08:38 DenisChenu File Added: UserRole-issue-00.png
2021-03-25 13:14 gabrieljenik Note Added: 63599
2021-03-25 18:30 c_schmitz Note Added: 63630
2021-03-25 18:31 c_schmitz Note Edited: 63630 View Revisions
2021-03-25 18:53 DenisChenu Note Added: 63631
2021-04-01 15:56 gabrieljenik Note Added: 63780
2021-04-07 10:28 gabrieljenik Changeset attached => LimeSurvey master 83668ed3
2021-04-07 10:28 gabrieljenik Note Added: 63852
2021-04-07 10:28 gabrieljenik Assigned To => gabrieljenik
2021-04-07 10:28 gabrieljenik Resolution open => fixed
2021-04-11 10:33 c_schmitz Status confirmed => resolved