View Issue Details

ID: 17149
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2021-03-08 19:36
Reporter: danguyfredux
Assigned To: ollehar
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.19.1
Fixed in Version: 3.25.17
Summary: 17149: UserGroup::hasUser() incorrectly returns true for all non-superadmins

Description:
The function hasUser() is used by _userGroupBar() in application/core/Survey_Common_Action.php to validate that the user is either a member of the User Group in question or a superadmin. As written it does basically the opposite: if the user is NOT a superadmin it returns true; if they are a superadmin it returns true/false depending on whether they are a member of the group.

_userGroupBar() returns information about the User Group in order to populate the button bar at the top of the User Group page. As a result of this bug, the "Mail to all members" and "Edit current user group" buttons lack the ugid and so error when clicked.
Steps To Reproduce:
* Be a superadmin
* Visit the User Group page of a group to which you do not belong
* Click the "Mail to all members" and/or "Edit current user group" buttons
* Receive error message
Additional Information:
There is no security issue here, I believe, because even though hasUser() returns true for all non-superadmins this function is not used anywhere else. A malicious user attempting to access a User Group page for a User Group to which he does not belong will get a permission denied. A malicious user attempting to access the mail or edit links for a User Group to which he does not belong will be able to hit those links, but the mail will not send and the group settings will not populate to be edited.

I'll submit a quick fix. It's just an errant !bang!.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.25.13+210216
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: n/a
Server OS (if known):
Webserver software & version (if known):
PHP Version: n/a
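To make the reported inversion concrete, here is an added illustration written for this page; it is not LimeSurvey's code. The real body of UserGroup::hasUser() and the permission API it calls are not shown on the page, so both predicates below are reconstructions from the reporter's description, and the superadmin flag and group membership list are passed in as plain values (an assumption). The truth table at the end shows the two cases where the buggy and intended predicates disagree: the superadmin non-member case that produced the missing-ugid buttons, and the ordinary non-member case that the reporter notes is caught by other checks.

```php
<?php
// Added illustration (not LimeSurvey's code). Reconstructed from the bug
// description: the negation sits on the superadmin check, so the predicate
// is inverted. The real method body is not on the page.

/**
 * Reconstructed buggy predicate: a non-superadmin is granted unconditionally,
 * and only a superadmin is subjected to the membership test.
 */
function hasUserBuggy(bool $isSuperadmin, array $memberIds, int $uid): bool
{
    if (!$isSuperadmin) {          // the errant "!" described in the report
        return true;
    }
    return in_array($uid, $memberIds, true);
}

/**
 * Intended semantics: superadmins always pass; everyone else must be a member.
 */
function hasUserFixed(bool $isSuperadmin, array $memberIds, int $uid): bool
{
    if ($isSuperadmin) {
        return true;
    }
    return in_array($uid, $memberIds, true);
}

/**
 * Walk the four (superadmin, member) combinations and return one row per case.
 * Keeping a table like this as a unit test makes an authorization predicate
 * hard to invert silently again.
 */
function authorizationTruthTable(): array
{
    $members = [7, 12];   // constructed sample membership for one group
    $cases = [
        ['superadmin' => true,  'uid' => 7],   // superadmin, member
        ['superadmin' => true,  'uid' => 99],  // superadmin, non-member
        ['superadmin' => false, 'uid' => 7],   // ordinary user, member
        ['superadmin' => false, 'uid' => 99],  // ordinary user, non-member
    ];
    $rows = [];
    foreach ($cases as $c) {
        $rows[] = [
            'superadmin' => $c['superadmin'],
            'member'     => in_array($c['uid'], $members, true),
            'buggy'      => hasUserBuggy($c['superadmin'], $members, $c['uid']),
            'fixed'      => hasUserFixed($c['superadmin'], $members, $c['uid']),
        ];
    }
    return $rows;
}

foreach (authorizationTruthTable() as $r) {
    printf(
        "superadmin=%-5s member=%-5s buggy=%-5s fixed=%-5s%s\n",
        var_export($r['superadmin'], true),
        var_export($r['member'], true),
        var_export($r['buggy'], true),
        var_export($r['fixed'], true),
        $r['buggy'] === $r['fixed'] ? '' : '  <-- disagreement'
    );
}
```

Running the script prints two flagged rows: the superadmin non-member row (buggy=false, fixed=true), which is the symptom in the steps to reproduce, and the ordinary non-member row (buggy=true, fixed=false), the over-grant that the reporter judged harmless because the page and mail paths enforce their own permission checks.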

Activities

guest, 2021-03-05 11:04, note ~62750

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31265

Related Changesets

LimeSurvey: 3.x-LTS 4367fecf
2021-03-05 11:04:10
dans
Committer: GitHub

Fixed issue 17149: UserGroup hasUser() return true for superadmin (#1789)

Co-authored-by: Daniel Fowlkes <daniel_g_fowlkes@omb.eop.gov>
Affected Issues: 17149
mod - application/models/UserGroup.php

Issue History

Date Modified Username Field Change
2021-03-02 15:14 danguyfredux New Issue
2021-03-05 11:04 dans Changeset attached => LimeSurvey 3.x-LTS 4367fecf
2021-03-05 11:04 guest Note Added: 62750
2021-03-05 11:47 ollehar Assigned To => ollehar
2021-03-05 11:47 ollehar Status new => resolved
2021-03-05 11:47 ollehar Resolution open => fixed
2021-03-08 19:36 c_schmitz Fixed in Version => 3.25.17
2021-03-08 19:36 c_schmitz Status resolved => closed