View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 4
IDProjectCategoryView StatusDate SubmittedLast Update
14732Bug reportsUser / Groups / Rolespublic2019-04-03 16:522021-03-08 19:35
Reportercarrasin Assigned Toc_schmitz  
PrioritylowSeverityblock 
Status closedResolutionfixed 
Product Version3.16.x 
Fixed in Version3.25.17 
Summary14732: Superadmin user cannot modify members of a group he don't belong
Description

Superadmin users incluiding 'admin' can see all groups but cannot modify the groups properties or members.

As I undestand the security variable 'usercontrolSameGroupPolicy ' only applies for non-admin users.

Below the buttons "Edit current user group" and "Delete current user group" it shows :

PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 19, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 26, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 27, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 34, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index
PHP Notice: Trying to get property of non-object in /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/usergroupbar_view.php on line 35, referer: https://servicios.unl.edu.ar/test/encuestas/index.php/admin/usergroups/sa/index

Steps To Reproduce
  1. As superAdmin user Go to Configuration -> Create/edit user groups
  2. click on "view users", he/she get a new window to edit the group's members but cannot delete users from the group (no Action buttons)
  3. In that window he/she cannot use buttons : "Edit current user group" or "Delete current user group". And below those buttons it shows PHP Notice messages of the descriptions
Additional Information

We modified two files from the code that fix the problem

TagsNo tags attached.
Attached Files
superadmin_groups.diff (2,308 bytes)    
Sólo en /srv/limesurvey/limesurvey-3.15-20190228-094129/application/config: config.php
diff -ru application/core/Survey_Common_Action.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php
--- application/core/Survey_Common_Action.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/core/Survey_Common_Action.php	2019-03-28 11:27:28.554748919 -0300
@@ -1157,7 +1157,7 @@
             if (!empty($ugid)) {
                 $userGroup = UserGroup::model()->findByPk($ugid);
                 $uid = Yii::app()->session['loginID'];
-                if ($userGroup && $userGroup->hasUser($uid)) {
+                if (($userGroup && $userGroup->hasUser($uid)) || Permission::model()->hasGlobalPermission('superadmin') ) {
                     $data['userGroup'] = $userGroup;
                 } else {
                     $data['userGroup'] = null;
diff -ru application/views/admin/usergroup/viewUserGroup_view.php /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php
--- application/views/admin/usergroup/viewUserGroup_view.php	2019-02-14 08:54:53.000000000 -0300
+++ /srv/limesurvey/limesurvey-3.15-20190228-094129/application/views/admin/usergroup/viewUserGroup_view.php	2019-03-28 11:17:58.733479788 -0300
@@ -50,7 +50,7 @@
                         <tr class='<?php echo $currentuser["rowclass"];?>'>
                             <td align='center'>
                             <?php
-                            if(isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true && $currentuser["userid"] != '1')
+                            if ( (isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1')
                             { ?>
                                 <?php echo CHtml::form(array("admin/usergroups/sa/user/ugid/{$ugid}/action/remove"), 'post'); ?>
                                     <button  data-toggle="tooltip" data-placement="bottom" title="<?php eT('Delete');?>" type="submit" onclick='return confirm("<?php eT("Are you sure you want to delete this entry?","js");?>")' class="btn btn-default btn-xs ">
superadmin_groups.diff (2,308 bytes)   
Bug heat4
Complete LimeSurvey version number (& build)LimeSurvey-3.15.9-190214
I will donate to the project if issue is resolvedNo
Browser
Database type & versionPostgresql 9.6
Server OS (if known)Debian GNU/Linux 9.8 (stretch)
Webserver software & version (if known)
PHP Version7.0

Users monitoring this issue

There are no users monitoring this issue.

Activities

c_schmitz

c_schmitz

2021-03-05 17:27

administrator   ~62799

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31278
c_schmitz

c_schmitz

2021-03-05 17:28

administrator   ~62800

Thank you for the patch!
c_schmitz

c_schmitz

2021-03-05 17:34

administrator   ~62803

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31279
carrasin

carrasin

2021-03-05 18:52

reporter   ~62805

You're welcome, thanks for the tool!

Related Changesets

LimeSurvey: 3.x-LTS 16d62242

2021-03-05 18:27

c_schmitz


Details Diff		 Fixed issue 14732: Superadmin user cannot modify members of a group he is not a member of Affected Issues
14732
mod - application/core/Survey_Common_Action.php Diff File
mod - application/views/admin/usergroup/viewUserGroup_view.php Diff File

LimeSurvey: master 506c5d02

2021-03-05 18:27

c_schmitz


Details Diff		 Fixed issue 14732: Superadmin user cannot modify members of a group he is not a member of Affected Issues
14732
mod - application/core/Survey_Common_Action.php Diff File
mod - application/views/userGroup/viewUserGroup_view.php Diff File

Issue History

Date Modified Username Field Change
2019-04-03 16:52 carrasin New Issue
2019-04-03 16:52 carrasin File Added: superadmin_groups.diff
2019-11-01 17:26 c_schmitz Category User/User groups => User / Groups / Roles
2019-11-26 18:02 cdorin Assigned To => cdorin
2019-11-26 18:02 cdorin Status new => assigned
2021-02-08 17:07 cdorin Assigned To cdorin =>
2021-02-08 17:07 cdorin Priority none => low
2021-02-08 17:07 cdorin Status assigned => confirmed
2021-02-08 17:07 cdorin Description Updated
2021-02-08 17:07 cdorin Steps to Reproduce Updated
2021-02-08 17:07 cdorin Additional Information Updated
2021-02-08 17:07 cdorin Sync to Zoho Project => |Yes|
2021-03-05 17:27 c_schmitz Assigned To => c_schmitz
2021-03-05 17:27 c_schmitz Status confirmed => assigned
2021-03-05 17:27 c_schmitz Changeset attached => LimeSurvey 3.x-LTS 16d62242
2021-03-05 17:27 c_schmitz Note Added: 62799
2021-03-05 17:27 c_schmitz Resolution open => fixed
2021-03-05 17:27 c_schmitz Status assigned => resolved
2021-03-05 17:28 c_schmitz Note Added: 62800
2021-03-05 17:34 c_schmitz Changeset attached => LimeSurvey master 506c5d02
2021-03-05 17:34 c_schmitz Note Added: 62803
2021-03-05 18:52 carrasin Note Added: 62805
2021-03-08 19:35 c_schmitz Fixed in Version => 3.25.17
2021-03-08 19:35 c_schmitz Status resolved => closed