15693: Allow simple user to update script with XSS enable - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

252

ID	Project	Category	View Status	Date Submitted	Last Update

15693	Feature requests	Security	public	2020-01-07 17:29	2021-03-07 21:55

Reporter	DenisChenu	Assigned To	DenisChenu
Priority	none	Severity	feature
Status	closed	Resolution	fixed
Fixed in Version	4.x.x

Summary	15693: Allow simple user to update script with XSS enable
Description	By default : question->script must be disabled for simple user if XSS is enable. Then it can be great to allow question->script even if XSS is enable for this user.
Additional Information	https://github.com/LimeSurvey/LimeSurvey/pull/1358
Tags	No tags attached.
Attached Files	Capture d’écran du 2020-01-13 09-13-05.png (9,704 bytes) Capture d’écran du 2020-01-13 09-13-05.png (9,704 bytes) Capture d’écran du 2020-01-13 09-13-19.png (20,452 bytes) Capture d’écran du 2020-01-13 09-13-19.png (20,452 bytes)

Bug heat	252
Story point estimate
Users affected %

User List	There are no users monitoring this issue.

DenisChenu 2020-01-07 17:30 developer ~55141	And if we can disallow XSS for superadmin too : we need to allow question->script ONLY for superadmin too … : need another feature request ?

DenisChenu 2020-01-13 09:12 developer ~55216	https://github.com/LimeSurvey/LimeSurvey/pull/1366/files

DenisChenu 2020-01-17 17:43 developer ~55368	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29408

DenisChenu 2020-01-17 17:45 developer ~55369	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29409

DenisChenu 2020-01-17 17:52 developer ~55370	https://github.com/LimeSurvey/LimeSurvey/pull/1372

DenisChenu 2020-01-22 09:47 developer ~55425	PS : need this before https://bugs.limesurvey.org/view.php?id=15096

DenisChenu 2020-01-28 15:02 developer ~55498	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29460

LimeSurvey: master 96c06a9d 2020-01-17 18:43 DenisChenu Details Diff	New feature 15693: Allow simple user to update script with XSS enable Dec: add the settings and use it	Affected Issues 15693
	mod - application/config/config-defaults.php	Diff File
	mod - application/core/LSWebUser.php	Diff File
	mod - application/views/admin/globalsettings/_security.php	Diff File
LimeSurvey: master 97d8e349 2020-01-17 18:44 DenisChenu Details Diff	Revert "New feature 15693: Allow simple user to update script with XSS enable" Dev: bad push … This reverts commit 96c06a9d93a4209e43c94eeac6d822ebf7aca760.	Affected Issues 15693
	mod - application/config/config-defaults.php	Diff File
	mod - application/core/LSWebUser.php	Diff File
	mod - application/views/admin/globalsettings/_security.php	Diff File
LimeSurvey: master ae8a6cb8 2020-01-28 16:02 DenisChenu Committer: ~~markusfluer~~ Details Diff	New feature 15693: Allow simple user to update script with XSS enable (#1372)	Affected Issues 15693
	mod - application/config/config-defaults.php	Diff File
	mod - application/core/LSWebUser.php	Diff File
	mod - application/views/admin/globalsettings/_security.php	Diff File

Date Modified	Username	Field	Change
2020-01-07 17:29	DenisChenu	New Issue
2020-01-07 17:29	DenisChenu	Relationship added	related to 15690
2020-01-07 17:29	DenisChenu	Relationship added	related to 15096
2020-01-07 17:30	DenisChenu	Note Added: 55141
2020-01-10 16:20	DenisChenu	Relationship added	related to 15702
2020-01-13 09:12	DenisChenu	Note Added: 55216
2020-01-13 09:12	DenisChenu	Assigned To	=> DenisChenu
2020-01-13 09:12	DenisChenu	Status	new => ready for testing
2020-01-13 09:13	DenisChenu	File Added: Capture d’écran du 2020-01-13 09-13-05.png
2020-01-13 09:13	DenisChenu	File Added: Capture d’écran du 2020-01-13 09-13-19.png
2020-01-13 14:35	DenisChenu	Assigned To	DenisChenu => ollehar
2020-01-17 15:42	DenisChenu	Assigned To	ollehar => DenisChenu
2020-01-17 15:42	DenisChenu	Status	ready for testing => assigned
2020-01-17 17:42	DenisChenu	Summary	Allow configure question script allowed => Allow simple user to update script with XSS enable
2020-01-17 17:43	DenisChenu	Changeset attached	=> LimeSurvey master 96c06a9d
2020-01-17 17:43	DenisChenu	Note Added: 55368
2020-01-17 17:43	DenisChenu	Resolution	open => fixed
2020-01-17 17:45	DenisChenu	Changeset attached	=> LimeSurvey master 97d8e349
2020-01-17 17:45	DenisChenu	Note Added: 55369
2020-01-17 17:52	DenisChenu	Assigned To	DenisChenu => cdorin
2020-01-17 17:52	DenisChenu	Status	assigned => ready for testing
2020-01-17 17:52	DenisChenu	Note Added: 55370
2020-01-22 09:47	DenisChenu	Note Added: 55425
2020-01-28 15:02	~~markusfluer~~	Changeset attached	=> LimeSurvey master ae8a6cb8
2020-01-28 15:02	DenisChenu	Note Added: 55498
2020-01-28 15:02	DenisChenu	Assigned To	cdorin => DenisChenu
2020-02-19 08:10	DenisChenu	Status	ready for testing => resolved
2020-02-19 08:10	DenisChenu	Fixed in Version	=> 4.x.x
2021-01-29 09:08	DenisChenu	Relationship added	related to 17028
2021-03-07 21:55	c_schmitz	Status	resolved => closed

View Issue Details

Relationships

Users monitoring this issue

Activities

Related Changesets

Issue History

related to	15690	closed	DenisChenu	Bug reports	User with XSS enable can add/update scripts
related to	15096	closed	DenisChenu	Feature requests	XSS for super-admin too
related to	15702	closed	DenisChenu	Bug reports	Script text field should be read-only when user is not allowed to add scripts
related to	17028	closed	DenisChenu	Bug reports	Script are not saved