View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 12
IDProjectCategoryView StatusDate SubmittedLast Update
16978Bug reportsUser / Groups / Rolespublic2021-01-15 12:172021-03-19 22:30
Reporterriqcles Assigned Toc_schmitz  
PrioritynoneSeverityminor 
Status assignedResolutionopen 
Product Version4.3.33 
Summary16978: Create users and manage a group - confidentiality
Description

Create users and manage a group
The admin create two users:
1.a user (UB) with the following rights:
create users (all rights)
create groups (all rights)

  1. a UC user with the unique right to create questionnaires.

User UB creates 2 accounts: UB1 and UB2
The UB user who has all the rights to group management and who is not admin, can add the UB1 and UB2 accounts, but also all the accounts that have not been created by him (UC and admin)

He will not be able to delete the UC and admin accounts, even if he has all the rights for the management of his group.

There is the confidentiality issue if we do not want UB to see all the user accounts present in our installation of LimeSurvey.

In my case, I have over 400 accounts and you never know.

I did my tests on the demo site which is in V4.3.33, but I have the problem in V3.

Here is the link on the forum for managing users and groups.
https://forums.limesurvey.org/forum/french-forum/118722-cr%C3%A9ation-de-permissions?start=30#210386

I also have the problem on users:
We take the case of UB which has all rights.
UB can display a list of all users of the LimeSurvey installation. He can only act on those he created, but it is annoying to see all the other users.

Steps To Reproduce

Go to limesurvey demo
create a user with all permission for user and group
connect with this user
list all user --> you see all user
create two user
create a group
add user --> you see all user.

TagsNo tags attached.
Attached Files
4.png (44,444 bytes)   
4.png (44,444 bytes)   
0_1.png (81,734 bytes)   
0_1.png (81,734 bytes)   
1.png (56,005 bytes)   
1.png (56,005 bytes)   
3.png (32,306 bytes)   
3.png (32,306 bytes)   
Bug heat12
Complete LimeSurvey version number (& build)LimeSurvey Version 4.3.33
I will donate to the project if issue is resolvedNo
Browser
Database type & versionmysql ? demo site - me postgres 10
Server OS (if known)
Webserver software & version (if known)
PHP Versionphp demo site

Users monitoring this issue

DenisChenu, gwdgls

Activities

gwdgls

gwdgls

2021-03-15 10:09

reporter   ~63356

This issue is interesting for us, too!
c_schmitz

c_schmitz

2021-03-18 16:00

administrator   ~63440

So the issue is that user UB can see all users in the user list, even the ones he does not own?
gwdgls

gwdgls

2021-03-19 10:56

reporter   ~63466

Though I didn't originally post this issue and hope not to interfere with riqcles - yes, this is exactly our point!
Although I admit that I cannot see at the moment how users' visibility to others could be managed to solve the issue. Mail domains are probably the only possible characteristic to filter by. But this would be only partly useful as sometimes users from different institutions or mail providers need to cooperate in a certain group or on a certain survey.

It would be marvellous if someone could come up with a good solution!
DenisChenu

DenisChenu

2021-03-19 10:58

developer   ~63468

It's the purpose of "Group member can only see own group" , no ?

Except for superadmin.
gwdgls

gwdgls

2021-03-19 11:01

reporter   ~63469

As I understand it, user with the right to add or delete other users from a group should only see certain users and not all. @riqcles, am I right?
gwdgls

gwdgls

2021-03-19 11:04

reporter   ~63470

... sorry, reading the description again: I think it is "user with the right to add or delete other users from a group should only see users created by himself/herself."

Which would help us probably, too.
riqcles

riqcles

2021-03-19 22:30

reporter   ~63491

Yes, UB must see only user create by him (in this example UB1 UB2 and UB ! )
and UB1 can only see UB1 and not the other.

For the group, it's the same :
UB must see only UB1 and UB2

Issue History

Date Modified Username Field Change
2021-01-15 12:17 riqcles New Issue
2021-01-15 12:17 riqcles File Added: 4.png
2021-01-15 12:17 riqcles File Added: 0_1.png
2021-01-15 12:17 riqcles File Added: 1.png
2021-01-15 12:17 riqcles File Added: 3.png
2021-01-15 12:24 DenisChenu Issue Monitored: DenisChenu
2021-03-15 10:09 gwdgls Issue Monitored: gwdgls
2021-03-15 10:09 gwdgls Note Added: 63356
2021-03-18 16:00 c_schmitz Note Added: 63440
2021-03-19 07:24 c_schmitz Assigned To => c_schmitz
2021-03-19 07:24 c_schmitz Status new => feedback
2021-03-19 10:56 gwdgls Note Added: 63466
2021-03-19 10:58 DenisChenu Note Added: 63468
2021-03-19 11:01 gwdgls Note Added: 63469
2021-03-19 11:04 gwdgls Note Added: 63470
2021-03-19 22:30 riqcles Note Added: 63491
2021-03-19 22:30 riqcles Status feedback => assigned