View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
15957 | Bug reports | Other | public | 2020-03-06 16:23 | 2020-12-29 09:36 |
Reporter | ollehar | Assigned To | pstelling | ||
Priority | high | Severity | partial_block | ||
Status | closed | Resolution | fixed | ||
Product Version | 4.1.9 | ||||
Target Version | 4.1.9 | Fixed in Version | 4.4.0-RC1 | ||
Summary | 15957: Add permission check for group creation | ||||
Description | In the code it looks like anyone logged in can add groups to any survey. Check methods: loadQuestionGroup | ||||
Tags | No tags attached. | ||||
Bug heat | 4 | ||||
Complete LimeSurvey version number (& build) | latest master | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | - | ||||
Database type & version | - | ||||
Server OS (if known) | - | ||||
Webserver software & version (if known) | - | ||||
PHP Version | - | ||||
Have you succeeded to reproduce it? Could you please provide the steps to reproduce it? |
|
No, you'd need to handcraft a POST request. But it's obvious when reading the code that permission checks are not in place. |
|
@pstelling, is this covered by your permission-related task? :) |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2020-03-06 16:23 | ollehar | New Issue | |
2020-03-06 16:23 | ollehar | Priority | none => high |
2020-03-06 16:23 | ollehar | Description Updated | |
2020-03-16 18:29 | cdorin | Note Added: 56575 | |
2020-03-16 18:29 | cdorin | Assigned To | => cdorin |
2020-03-16 18:29 | cdorin | Status | new => feedback |
2020-03-16 18:45 | ollehar | Note Added: 56578 | |
2020-03-16 18:45 | ollehar | Status | feedback => assigned |
2020-10-18 19:15 | cdorin | Note Added: 60244 | |
2020-12-28 18:31 | cdorin | Assigned To | cdorin => pstelling |
2020-12-28 18:31 | cdorin | Status | assigned => new |
2020-12-28 18:31 | cdorin | Status | new => feedback |
2020-12-29 09:36 | cdorin | Status | feedback => closed |
2020-12-29 09:36 | cdorin | Resolution | open => fixed |
2020-12-29 09:36 | cdorin | Fixed in Version | => 4.4.0-RC1 |