Potential fix : https://github.com/LimeSurvey/LimeSurvey/pull/2603/files#diff-6f1c5976e0d24b8aa7349798b9a06c59081576fef190ed5a0a7a7cf6a947caedR432-R441

Again too big fix? What about changing return type string to ?string?

Again too big fix?

? There are no fix currently ? the line show replace

            return $this->renderPartial(
                'partial/error',
                ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
            );

by

            );
            return Yii::app()->getController()->renderPartial('/admin/super/_renderJson', [
                "data" => [
                    'success' => true,// With false : nothing was updated
                    'html'    => $this->renderPartial(
                        'partial/error',
                        ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true],
                        true
                    )
                ]
            ]);

BUT : personalty i' for a Throw 403 error !

What about changing return type string to ?string?

Because in this case : when there are error : nothing is shown … (best is to throw error in this case : same result for user except if he look at console).

Hm, then there's also an error in which permissions are shown in the GUI? If you can get to a 403 without hacking.

Hm, then there's also an error in which permission are shown in the GUI? If you can get to a 403 without hacking.

How ? Not currently (fixed).

But : current situation : throw a 500 and show nothing to user
Your fix : no 500, but show nothing to user

Need 2 browser (or hack HTML)

Oh... Why you waste my time like this, Denis... T_T

I really don't understand your point of view here !

Why discuss ?

There are an issue
Your solution fix the 500 error but didn't fix the issue … (JS error if i remind)

Oh : you're right about 2 browse : but very rare issue … superadmin remove your right during your action …

Oh... Why you waste my time like this, Denis... T_T

I report with CLEAR way to reproduce …
Did you test ?

Speaking of time wasting …

Nope, I missed the "hack" part.

2 solutions :

Create a private renderError on this class just to show something without updating JS : quickest
Throw error 403 and update JS : better but more time.

Tell me your choice ;)

My choice would be to fix things that are completely bonkers first, before giving hackers nice error messages xD

:D

Yes : but other part are hard to fix for dev whe this part is broken ;)

My choice would be to fix things that are completely bonkers first, before giving hackers nice error messages xD

Then : just a 403 error without updating anything else is OK ?
And quick here

Yeah sure