View Issue Details

This bug affects 1 person(s).
ID: 19414
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2024-02-13 16:25
Reporter: DenisChenu
Assigned To:
Status: new
Resolution: open
Product Version: 5.6.x
Summary: 19414: No way to assign minimal roles by «admin user»

Since fix (18977: Improper Authorization in add role function leads to privilege escalation)
An admin user cannot give a role with only "Manage survey", for example

Steps to reproduce

Create role with "Create survey" + "Use theme"
Create a user with

  • All User permission
  • All Surveys permission
  • All theme permission

As this user: create a user and try to give the role 'SurveyCreator'

Expected result

The user can give this role

Actual result

No way to give this role

Tags: No tags attached.
Bug heat: 2
Complete LimeSurvey version number (& build): 6.4.6
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant



2024-02-13 16:24

developer   ~79476

An idea to correct this situation would be to have an additional option on roles: who can assign or delete this role, with:

  • superadmin/write OR
  • superadmin (only) OR
  • "Only user permission"

This setting can only be updated by a superadmin/write permission user. And only such a user can update roles.



2024-02-13 16:25

developer   ~79477

Ping @tibor.pacalat: can you ask if such a solution can be accepted in 5.X?
Else: I need a new plugin … :(

Issue History

Date Modified Username Field Change
2024-02-13 16:21 DenisChenu New Issue
2024-02-13 16:24 DenisChenu Note Added: 79476
2024-02-13 16:24 DenisChenu Bug heat 0 => 2
2024-02-13 16:25 DenisChenu Note Added: 79477