06936: Restricted users can add/delete attributes in central participant database panel when they shouldn't have access

This bug affects 1 person(s).

254

ID	Project	Category	View Status	Date Submitted	Last Update

06936	Bug reports	Security	public	2012-11-22 16:52	2012-12-07 09:58

Reporter	pfpDave	Assigned To	c_schmitz
Priority	normal	Severity	minor
Status	closed	Resolution	fixed
Product Version	2.00+
Fixed in Version	2.00+

Summary	06936: Restricted users can add/delete attributes in central participant database panel when they shouldn't have access
Description	Restricted user with global permissions only to create surveys Survey --> Token Management --> Display tokens 'View this person in the central participant database' icon exists next to users click above icon Click Attribute Managent Edit as desired Also if the user clicks 'Display Participants' here they get the error below. They also get a CDbException error if they click export to CSV. Additionally they can click Import from CSV and get the form (haven't tested past here).
Tags	No tags attached.

Bug heat	254
Complete LimeSurvey version number (& build)	121115
I will donate to the project if issue is resolved	No
Browser	IE8
Database type & version	SQL Express 2012
Server OS (if known)	Server 2008
Webserver software & version (if known)	IIS 7
PHP Version	5.4.8

User List	There are no users monitoring this issue.

c_schmitz 2012-11-30 12:58 administrator ~22733	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10600

c_schmitz 2012-11-30 13:26 administrator ~22734	Fix committed to 2.1 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10608

c_schmitz 2012-12-04 13:16 administrator ~22862	LimeSurvey 2.0+ build 121204 released.

pfpDave 2012-12-05 13:58 reporter ~22900	I assume the fix was to remove the 'View this person in the central participant database' icon? This has clearly worked but there is a button called 'Add Participants to Central Database' visible which does nothing when clicked ... if this shouldn't be there perhaps it should be hidden so as not to cause confusion?

c_schmitz 2012-12-05 15:20 administrator ~22914	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10731

c_schmitz 2012-12-06 10:45 administrator ~22969	Fix committed to 2.1 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10758

c_schmitz 2012-12-07 09:58 administrator ~23008	2.00+ build 121207 released.

LimeSurvey: master ea5b4cfc 2012-11-30 12:57 c_schmitz Details Diff	Fixed issue 06936: Restricted users can enter central participant database panel when they shouldn't have access	Affected Issues 06936
	mod - application/controllers/admin/participantsaction.php	Diff File
	mod - application/controllers/admin/tokens.php	Diff File
	mod - application/views/admin/token/browse.php	Diff File
	mod - scripts/admin/tokens.js	Diff File
LimeSurvey: 2.1 c3a72c77 2012-11-30 13:26 c_schmitz Details Diff	Fixed issue 06936: Restricted users can enter central participant database panel when they shouldn't have access	Affected Issues 06936
	mod - application/controllers/admin/participantsaction.php	Diff File
	mod - application/controllers/admin/tokens.php	Diff File
	mod - application/views/admin/token/browse.php	Diff File
	mod - scripts/admin/tokens.js	Diff File
LimeSurvey: master bb6994a1 2012-12-05 15:19 c_schmitz Details Diff	Fixed issue 06936: CPDB button visible in tokens even if admin has no permission to access CPDB	Affected Issues 06936
	mod - application/views/admin/token/browse.php	Diff File
LimeSurvey: 2.1 ef9ecd61 2012-12-05 15:19 c_schmitz Details Diff	Fixed issue 06936: CPDB button visible in tokens even if admin has no permission to access CPDB	Affected Issues 06936
	mod - application/views/admin/token/browse.php	Diff File

Date Modified	Username	Field	Change
2012-11-22 16:52	pfpDave	New Issue
2012-11-25 22:05	c_schmitz	Description Updated
2012-11-25 22:06	c_schmitz	Assigned To	=> c_schmitz
2012-11-25 22:06	c_schmitz	Status	new => assigned
2012-11-30 12:58	c_schmitz	Changeset attached	=> LimeSurvey master ea5b4cfc
2012-11-30 12:58	c_schmitz	Note Added: 22733
2012-11-30 12:58	c_schmitz	Resolution	open => fixed
2012-11-30 12:58	c_schmitz	Status	assigned => resolved
2012-11-30 12:58	c_schmitz	Fixed in Version	=> 2.00+
2012-11-30 13:26	c_schmitz	Changeset attached	=> LimeSurvey 2.1 c3a72c77
2012-11-30 13:26	c_schmitz	Note Added: 22734
2012-12-04 13:16	c_schmitz	Note Added: 22862
2012-12-04 13:16	c_schmitz	Status	resolved => closed
2012-12-05 13:58	pfpDave	Note Added: 22900
2012-12-05 13:58	pfpDave	Status	closed => feedback
2012-12-05 13:58	pfpDave	Resolution	fixed => reopened
2012-12-05 15:20	c_schmitz	Changeset attached	=> LimeSurvey master bb6994a1
2012-12-05 15:20	c_schmitz	Note Added: 22914
2012-12-05 15:20	c_schmitz	Status	feedback => resolved
2012-12-05 15:20	c_schmitz	Resolution	reopened => fixed
2012-12-06 10:45	c_schmitz	Changeset attached	=> LimeSurvey 2.1 ef9ecd61
2012-12-06 10:45	c_schmitz	Note Added: 22969
2012-12-07 09:58	c_schmitz	Note Added: 23008
2012-12-07 09:58	c_schmitz	Status	resolved => closed