View Issue Details

ID: 19630
Project: Bug reports
Category: Usability/user experience
View Status: public
Last Update: 2024-12-02 17:44
Reporter: tibor.pacalat
Assigned To: tibor.pacalat
Priority: none
Severity: minor
Status: in testing
Resolution: open
Product Version: 6.5.x
Summary: 19630: Add warning to permissions interface when assigning "Settings & Plugins" to an admin
Description

We should add a warning to permissions interface when assigning "Settings & Plugins" to an admin, to make it clear it should only be assigned to trusted persons.

Something like:
"This permission allows to change security relevant settings. Please make sure to assign this only to trusted persons."


Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 6.5.14+240624
I will donate to the project if issue is resolved: No
Browser
Database type & version.
Server OS (if known)
Webserver software & version (if known)
PHP Version.


Activities

DenisChenu

2024-06-26 14:52

developer   ~80469

@tibor.pacalat writing in English? To me?
Really???

Please : someone else :)

tibor.pacalat

2024-06-26 15:44

administrator   ~80471

@DenisChenu LOL, really funny! On a more serious note, you can use exactly this as text:
"This permission allows an admin to change security relevant settings. Please make sure to assign this only to trusted persons."

DenisChenu

2024-11-28 16:37

developer   ~81526

I think we need to add more warnings

  1. Superadmin: have something red/danger!
  2. template: this allows JS, the Cross Site Scripting

DenisChenu

2024-11-28 17:27

developer   ~81530

@tibor.pacalat maybe more warnings?
Can be done in same PR IMHO

DenisChenu

2024-11-29 11:49

developer   ~81533

https://github.com/LimeSurvey/LimeSurvey/pull/4067

tibor.pacalat

2024-11-29 17:02

administrator   ~81535

Hi Denis, sure you can add those warnings as well. I tested your PR https://github.com/LimeSurvey/LimeSurvey/pull/4067, but I don't see any warnings :/

Went to User management and created new user and in that process assigned general Settings & Plugins permission.
After that tried to unassign it and reassign it, no warning ...

DenisChenu

2024-11-29 17:22

developer   ~81539

?

DenisChenu

2024-11-29 17:23

developer   ~81540

You don't have it here?

DenisChenu

2024-11-29 17:25

developer   ~81541

In roles

tibor.pacalat

2024-11-29 17:35

administrator   ~81542

@DenisChenu I am sorry, I didn't notice it, because I was expecting something else. That being said, I think we need to make it more prominent.
Can we make it like this?

DenisChenu

2024-11-29 17:40

developer   ~81543

I put the opacity:50 because I think it was more prominent than needed ;)

Else
For theme edition
"If you allow update or import theme, user can add script. This allows this user to add cross-site scripting using JavaScript function. Please make sure to assign this only to trusted persons."
For super admin
"This setting allow all action by this user. Please make sure to assign this only to trusted persons."

tibor.pacalat

2024-11-29 17:55

administrator   ~81544

For theme:
"Update/import theme allows an admin to potentially use cross-site scripting using JavaScript. Please make sure to assign this only to trusted persons."
For superadmin:
"This setting allows an admin to perform all actions. Please make sure to assign this only to trusted persons."

DenisChenu

2024-11-29 18:14

developer   ~81546

Done

tibor.pacalat

2024-12-02 17:16

administrator   ~81550

Can you also make font smaller (for warnings) like in the screenshot I sent you?

DenisChenu

2024-12-02 17:44

developer   ~81552

I don't understand: put it small and it's "less important", no?
I put a small to check

Issue History

Date Modified Username Field Change
2024-06-26 13:00 tibor.pacalat New Issue
2024-06-26 13:00 tibor.pacalat Assigned To => DenisChenu
2024-06-26 13:00 tibor.pacalat Status new => assigned
2024-06-26 14:52 DenisChenu Note Added: 80469
2024-06-26 14:52 DenisChenu Bug heat 0 => 2
2024-06-26 14:52 DenisChenu Assigned To DenisChenu => tibor.pacalat
2024-06-26 15:44 tibor.pacalat Note Added: 80471
2024-06-26 15:44 tibor.pacalat Bug heat 2 => 4
2024-06-26 15:44 tibor.pacalat Assigned To tibor.pacalat => DenisChenu
2024-11-28 16:37 DenisChenu Note Added: 81526
2024-11-28 17:27 DenisChenu Assigned To DenisChenu => gabrieljenik
2024-11-28 17:27 DenisChenu Status assigned => ready for code review
2024-11-28 17:27 DenisChenu Note Added: 81530
2024-11-28 18:46 gabrieljenik Assigned To gabrieljenik => tibor.pacalat
2024-11-28 18:46 gabrieljenik Status ready for code review => ready for testing
2024-11-29 11:49 DenisChenu Note Added: 81533
2024-11-29 17:02 tibor.pacalat Note Added: 81535
2024-11-29 17:22 DenisChenu Note Added: 81539
2024-11-29 17:23 DenisChenu Note Added: 81540
2024-11-29 17:23 DenisChenu File Added: Capture d’écran du 2024-11-29 17-22-51.png
2024-11-29 17:25 DenisChenu Note Added: 81541
2024-11-29 17:25 DenisChenu File Added: Capture d’écran du 2024-11-29 17-24-58.png
2024-11-29 17:35 tibor.pacalat Note Added: 81542
2024-11-29 17:35 tibor.pacalat File Added: Screenshot 2024-11-29 at 17.34.56.png
2024-11-29 17:40 DenisChenu Note Added: 81543
2024-11-29 17:50 DenisChenu Status ready for testing => in testing
2024-11-29 17:55 tibor.pacalat Note Added: 81544
2024-11-29 18:14 DenisChenu Note Added: 81546
2024-12-02 17:16 tibor.pacalat Note Added: 81550
2024-12-02 17:44 DenisChenu Note Added: 81552