20313: "Add user" option on Survey Dashboard links to incorrect page and has incorrect permission check.

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

20313	Bug reports	Menu system	public	2025-10-21 13:08	2025-10-21 18:41

Reporter	eiclu	Assigned To	DenisChenu
Priority	none	Severity	partial_block
Status	assigned	Resolution	open
Product Version	6.6.x

Summary	20313: "Add user" option on Survey Dashboard links to incorrect page and has incorrect permission check.
Description	This bug affects the "Add user" option available in the survey-specific dropdown menu on the main Dashboard. This menu item, intended to provide granular access control for a survey, is currently dysfunctional in two critical ways. First, it links to the wrong page, redirecting users to the general Global User Management interface (/userManagement) instead of the specific Survey Permissions page (/surveyPermissions/index?surveyid=ID). Second, the link's visibility check uses the wrong permission (survey_update), causing a "Forbidden" error for non-admin users who do see the link but lack the actual permission required to access the target page. This leads to confusion and completely breaks the workflow for colleagues attempting to assign users or groups to their surveys. Relevant line of code: https://github.com/LimeSurvey/LimeSurvey/blob/00f8fc7cc01d500be0dcedfccb3a41f3fa79892c/application/models/Survey.php#L1521C49-L1521C62
Steps To Reproduce	Steps to Reproduce Log in as a user (Non-Admin with "survey_update" permission). Navigate to the Dashboard. Locate any survey in the list. Click the dropdown menu (e.g., three dots or gear icon) for that survey. Click the "Add user" option. Expected Behavior The "Add user" link should direct the user to the specific Survey Permissions management page: /surveyPermissions/index?surveyid=ID (where ID is the selected survey's ID). The link should only be visible to users who possess the necessary permission to view the Survey Permissions page (e.g., a permission_required other than survey_update, likely one related to managing survey-specific users/permissions). Actual Behavior The link incorrectly redirects to the Global User Management interface: /userManagement. The option's visibility check uses the survey_update permission. However, this permission is insufficient to access the Survey Permissions page (/surveyPermissions/index?surveyid=ID). A non-admin user with only survey_update who manually navigates to the correct URL will be met with a "Forbidden" error, indicating the wrong permission is being checked for link display.
Tags	No tags attached.

Bug heat	4
Complete LimeSurvey version number (& build)	6.15.16+251006
I will donate to the project if issue is resolved	No
Browser
Database type & version	MySQL 8.4.6-6
Server OS (if known)
Webserver software & version (if known)
PHP Version	8.3

User List	There are no users monitoring this issue.

tibor.pacalat 2025-10-21 17:06 administrator ~83625	I think it is a bit convoluted, but Add user beside survey (as far as I know) always lead to User Management page, because you could need to create user to assign it ownership of the survey for example. If you add view/read permission beside "update survey" that admin will be able to go to Survey Permissions page. @DenisChenu do you see this as a bug or? IMO permissions need some love, that for sure. But I think this is just "by the design".

DenisChenu 2025-10-21 18:36 developer ~83628	First, it links to the wrong page, redirecting users to the general Global User Management interface (/userManagement) instead of the specific Survey Permissions page (/surveyPermissions/index?surveyid=ID). I'm OK : it must go to /surveyPermissions/index?surveyid=ID : else , it's not related to survey. Second, the link's visibility check uses the wrong permission (survey_update), causing a "Forbidden" error for non-admin users who do see the link but lack the actual permission required to access the target page. This leads to confusion and completely breaks the workflow for colleagues attempting to assign users or groups to their surveys. Not checked but right, minimal permission for this link must be surveysecurity_read I think it is a bit convoluted, but Add user beside survey (as far as I know) always lead to User Management page, because you could need to create user to assign it ownership of the survey for example. This link didn't exist in 5.X, added in 6.X. And clearly : it's a link related to Survey : then must go to Survey page If you add view/read permission beside "update survey" that admin will be able to go to Survey Permissions page. must be, but we talk for this link Clearly a bug Capture d’écran du 2025-10-21 18-36-15.png (28,973 bytes) Capture d’écran du 2025-10-21 18-36-15.png (28,973 bytes)

tibor.pacalat 2025-10-21 18:41 administrator ~83629	Ok, thanks for your insights. I'll assign this to you.

Date Modified	Username	Field	Change
2025-10-21 13:08	eiclu	New Issue
2025-10-21 17:06	tibor.pacalat	Note Added: 83625
2025-10-21 17:06	tibor.pacalat	Bug heat	0 => 2
2025-10-21 17:06	tibor.pacalat	Assigned To	=> tibor.pacalat
2025-10-21 17:06	tibor.pacalat	Status	new => assigned
2025-10-21 18:36	DenisChenu	Note Added: 83628
2025-10-21 18:36	DenisChenu	File Added: Capture d’écran du 2025-10-21 18-36-15.png
2025-10-21 18:36	DenisChenu	Bug heat	2 => 4
2025-10-21 18:41	tibor.pacalat	Note Added: 83629
2025-10-21 18:41	tibor.pacalat	Assigned To	tibor.pacalat => DenisChenu

View Issue Details

Steps to Reproduce

Expected Behavior

Actual Behavior

Users monitoring this issue

Activities

Issue History