View Issue Details

This bug affects 1 person(s).
ID: 18364
Project: Bug reports
Category: Ergonomy
View Status: public
Last Update: 2022-09-23 18:30
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: low
Severity: minor
Status: assigned
Resolution: open
Product Version: 5.4.x
Summary: 18364: Strange error returned when there is an issue about permission
Description

When permission is saved: there is a strange error if the user cannot have access

Steps To Reproduce

Need 2 browsers (or hack HTML)

In Browser 1: as superadmin, create a user with user/create permission right
In Browser 2: log in as this user
In Browser 2: create a user
In Browser 2: open permission dialog
In Browser 1: as superadmin, remove user update permission
In Browser 2: save

Expected result

See an error about rights

Actual result

See an error with number,
Looking at console : 500 error

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 5.4.1
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Activities

DenisChenu

2022-09-20 15:18

developer  

Peek 20-09-2022 15-15.gif (669,003 bytes)

DenisChenu

2022-09-20 15:18

developer   ~71856

Potential fix : https://github.com/LimeSurvey/LimeSurvey/pull/2603/files#diff-6f1c5976e0d24b8aa7349798b9a06c59081576fef190ed5a0a7a7cf6a947caedR432-R441

ollehar

2022-09-23 16:31

administrator   ~71906

Again too big fix? What about changing return type string to ?string?

DenisChenu

2022-09-23 16:43

developer   ~71909

> Again too big fix?

? There is no fix currently? The lines show the replacement of

            return $this->renderPartial(
                'partial/error',
                ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
            );

by

            return Yii::app()->getController()->renderPartial('/admin/super/_renderJson', [
                "data" => [
                    'success' => true, // With false: nothing was updated
                    'html'    => $this->renderPartial(
                        'partial/error',
                        ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true],
                        true
                    )
                ]
            ]);

BUT: personally I'm for a throw 403 error!

> What about changing return type string to ?string?

Because in this case: when there is an error, nothing is shown … (best is to throw an error in this case: same result for the user except if he looks at the console).

ollehar

2022-09-23 16:47

administrator   ~71910

Last edited: 2022-09-23 17:01

Hm, then there's also an error in which permissions are shown in the GUI? If you can get to a 403 without hacking.

DenisChenu

2022-09-23 17:01

developer   ~71911

> Hm, then there's also an error in which permission are shown in the GUI? If you can get to a 403 without hacking.

How ? Not currently (fixed).

But : current situation : throw a 500 and show nothing to user
Your fix : no 500, but show nothing to user

ollehar

2022-09-23 17:01

administrator   ~71912

> Need 2 browser (or hack HTML)

Oh... Why you waste my time like this, Denis... T_T

DenisChenu

2022-09-23 17:04

developer   ~71913

I really don't understand your point of view here !

Why discuss ?

There is an issue
Your solution fixes the 500 error but doesn't fix the issue … (JS error if I remember)

DenisChenu

2022-09-23 17:05

developer   ~71914

Oh: you're right about 2 browsers, but very rare issue … superadmin removes your right during your action …

DenisChenu

2022-09-23 17:06

developer   ~71915

> Oh... Why you waste my time like this, Denis... T_T

I reported with a CLEAR way to reproduce …
Did you test ?

Speaking of time wasting …

ollehar

2022-09-23 17:19

administrator   ~71918

Nope, I missed the "hack" part.

DenisChenu

2022-09-23 17:51

developer   ~71923

2 solutions :

Create a private renderError on this class just to show something without updating JS : quickest
Throw error 403 and update JS : better but more time.

Tell me your choice ;)

ollehar

2022-09-23 17:52

administrator   ~71924

My choice would be to fix things that are completely bonkers first, before giving hackers nice error messages xD

DenisChenu

2022-09-23 17:52

developer   ~71925

:D

Yes: but other parts are hard to fix for dev when this part is broken ;)

DenisChenu

2022-09-23 17:53

developer   ~71926

> My choice would be to fix things that are completely bonkers first, before giving hackers nice error messages xD

Then : just a 403 error without updating anything else is OK ?
And quick here

ollehar

2022-09-23 17:55

administrator   ~71927

Yeah sure
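
The outcome agreed in the thread (re-check the right when the permission dialog is saved and answer 403 instead of ending in a 500), as an added example that is not LimeSurvey code and not from either participant. `HttpError`, `PermissionStore`, `savePermissions`, `dispatch` and the right name `users/update` are hypothetical stand-ins; only the error message text comes from the snippet quoted above.

```php
<?php
declare(strict_types=1);
// Added example, not LimeSurvey code; every name here is a hypothetical stand-in.
/** Stand-in for a framework HTTP exception; the exception code is the HTTP status. */
final class HttpError extends RuntimeException {}

/** Constructed in-memory permission table: user id => right => granted. */
final class PermissionStore
{
    private array $grants = [];

    public function set(int $userId, string $right, bool $granted): void
    {
        $this->grants[$userId][$right] = $granted;
    }
    public function has(int $userId, string $right): bool
    {
        return $this->grants[$userId][$right] ?? false;
    }
}

/** Save action: the right is checked again at save time, not only when the dialog opened. */
function savePermissions(PermissionStore $store, int $actorId, array $newRights): array
{
    if (!$store->has($actorId, 'users/update')) {
        throw new HttpError('You do not have permission to access this page.', 403);
    }
    return ['success' => true, 'saved' => $newRights];
}

/** Dispatcher: maps HttpError to a status code and JSON body the dialog script can branch on. */
function dispatch(callable $action): array
{
    try {
        return ['status' => 200, 'body' => json_encode($action())];
    } catch (HttpError $e) {
        $body = ['success' => false, 'message' => $e->getMessage()];
        return ['status' => $e->getCode(), 'body' => json_encode($body)];
    }
}

// Constructed scenario from the report: the right is revoked between opening the dialog and saving.
$store = new PermissionStore();
$store->set(2, 'users/update', true);
$save = fn(): array => savePermissions($store, 2, ['surveys/read']);
$before = dispatch($save);
$store->set(2, 'users/update', false); // superadmin acts in the other browser
$after = dispatch($save);
printf("%d then %d %s\n", $before['status'], $after['status'], $after['body']);
```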

Issue History

Date Modified Username Field Change
2022-09-20 15:18 DenisChenu New Issue
2022-09-20 15:18 DenisChenu File Added: Peek 20-09-2022 15-15.gif
2022-09-20 15:18 DenisChenu Note Added: 71856
2022-09-20 15:18 DenisChenu Bug heat 0 => 2
2022-09-23 16:31 ollehar Note Added: 71906
2022-09-23 16:31 ollehar Bug heat 2 => 4
2022-09-23 16:32 ollehar Priority none => normal
2022-09-23 16:43 DenisChenu Note Added: 71909
2022-09-23 16:47 ollehar Note Added: 71910
2022-09-23 17:01 ollehar Note Edited: 71910
2022-09-23 17:01 DenisChenu Note Added: 71911
2022-09-23 17:01 ollehar Note Added: 71912
2022-09-23 17:04 DenisChenu Note Added: 71913
2022-09-23 17:05 DenisChenu Note Added: 71914
2022-09-23 17:06 DenisChenu Note Added: 71915
2022-09-23 17:18 ollehar Priority normal => low
2022-09-23 17:19 ollehar Note Added: 71918
2022-09-23 17:51 DenisChenu Note Added: 71923
2022-09-23 17:52 ollehar Note Added: 71924
2022-09-23 17:52 DenisChenu Note Added: 71925
2022-09-23 17:53 DenisChenu Note Added: 71926
2022-09-23 17:55 ollehar Note Added: 71927
2022-09-23 18:30 DenisChenu Assigned To => DenisChenu
2022-09-23 18:30 DenisChenu Status new => assigned