View Issue Details

This bug affects 1 person(s).
ID: 09638
Project: Bug reports
Category: Security
View Status: public
Last Update: 2015-05-19 12:31
Reporter: andre_DUS
Assigned To: c_schmitz
Priority: immediate
Severity: partial_block
Status: closed
Resolution: no change required
Product Version: 2.05+
Summary: 09638: Non-Superadmins can see any survey (structure, token, data, etc.) without having permissions set
Description

After upgrading to the latest stable version 2.05+ 150508, all non-superadmin user accounts are able to see all available surveys on the system with unrestricted viewing access to structure, tokens, data and settings.

I have suspended all user accounts by overwriting their passwords for now.

Steps To Reproduce
  • Any existing non-superadmin user on the system.
  • New users also show this issue.
Additional Information

This behavior was reported by a user this morning after I had performed a comfort upgrade to build 150508.

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 150508
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL 5.5
Server OS (if known): Debian 3.2.68-1+deb7u1 x86_64
Webserver software & version (if known): Apache 2.4.12 2015-01-29
PHP Version: PHP 5.3 API20090626 via CGI/FastCGI, Also PHP 5.4

Relationships

related to 09571 (closed, DenisChenu): Permission Survey : set to whole : no edit on another survey

Activities

c_schmitz

2015-05-19 11:40

administrator   ~32221

What was your previous version?

c_schmitz

2015-05-19 11:48

administrator   ~32223

I cannot reproduce the issue. What permissions are given to a new user?

andre_DUS

2015-05-19 12:01

reporter   ~32228

I created a new blank user with global rights to create/view/edit/delete/export a survey. No group membership or further authorization is given.

Previous Version was 2.05+ build unknown, DB Version 178. Where do I find this in the backup ZIPs?

c_schmitz

2015-05-19 12:10

administrator   ~32230

Last edited: 2015-05-19 12:11

A user that may not have any access to surveys other than his own may only have a global 'create' permission for surveys - by default he is always able to see his own surveys.

The additional permission details (view/edit/delete/export) count for all surveys.
So just remove the additional permissions and everything should be fine.
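
The permission rule from note ~32230, as an added example that is not LimeSurvey code and not part of the original thread: it models global versus per-survey grants and lists non-superadmin accounts whose global grants reach surveys they do not own. The class, field and function names and the sample users and surveys are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of the rule in note ~32230.
# All class, field and function names are hypothetical, not LimeSurvey code.
from dataclasses import dataclass, field

BROAD = {"view", "edit", "delete", "export"}  # global grants that count for all surveys

@dataclass
class User:
    name: str
    superadmin: bool = False
    global_perms: set = field(default_factory=set)    # global survey permissions
    survey_perms: dict = field(default_factory=dict)  # survey id -> set of permissions

def allowed(user, perm, sid, owner):
    """True if `user` holds `perm` on survey `sid`, which belongs to `owner`."""
    if user.superadmin:
        return True
    if perm == "view" and owner == user.name:
        return True  # a user can always see his own surveys
    return perm in user.global_perms or perm in user.survey_perms.get(sid, set())

def visible(user, surveys):
    """Survey ids the user can see; `surveys` maps survey id -> owner name."""
    return {sid for sid, owner in surveys.items() if allowed(user, "view", sid, owner)}

def audit(users, surveys):
    """List non-superadmins whose global grants reach surveys they do not own."""
    findings = []
    for u in users:
        broad = sorted(u.global_perms & BROAD)
        foreign = sorted(sid for sid, owner in surveys.items() if owner != u.name)
        if broad and foreign and not u.superadmin:
            findings.append((u.name, broad, foreign))
    return findings

# Constructed sample data (not taken from the report).
SURVEYS = {101: "alice", 102: "bob", 103: "carol"}
USERS = [
    User("root", superadmin=True),
    User("alice", global_perms={"create", "view", "edit", "delete", "export"}),
    User("bob", global_perms={"create"}),
    User("carol", global_perms={"create"}, survey_perms={101: {"view"}}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sorted(visible(u, SURVEYS)))
    for name, perms, sids in audit(USERS, SURVEYS):
        print(f"REVIEW {name}: global {perms} applies to foreign surveys {sids}")
```

In this model "alice" has the same global grants as the test user described in note ~32228 and therefore sees every survey, while "bob", with only global 'create', sees just his own.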

Issue History

Date Modified Username Field Change
2015-05-19 10:30 andre_DUS New Issue
2015-05-19 11:40 c_schmitz Note Added: 32221
2015-05-19 11:48 c_schmitz Note Added: 32223
2015-05-19 12:00 c_schmitz Assigned To => c_schmitz
2015-05-19 12:00 c_schmitz Status new => feedback
2015-05-19 12:01 andre_DUS Note Added: 32228
2015-05-19 12:01 andre_DUS Status feedback => assigned
2015-05-19 12:10 c_schmitz Note Added: 32230
2015-05-19 12:10 c_schmitz Note Edited: 32230
2015-05-19 12:11 c_schmitz Note Edited: 32230
2015-05-19 12:30 c_schmitz Relationship added related to 09571
2015-05-19 12:31 c_schmitz Status assigned => closed
2015-05-19 12:31 c_schmitz Resolution open => no change required