View Issue Details

This bug affects 1 person(s).
ID: 15957
Project: Bug reports
Category: Other
View Status: public
Last Update: 2020-12-29 09:36
Reporter: ollehar
Assigned To: pstelling
Priority: high
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 4.1.9
Target Version: 4.1.9
Fixed in Version: 4.4.0-RC1
Summary: 15957: Add permission check for group creation
Description

In the code it looks like anyone logged in can add groups to any survey.

Check methods:

loadQuestionGroup
getQuestionsForGroup
saveQuestionGroupData
updateOrder
etc etc

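The missing authorization the report describes, shown as an added PHP example that is not LimeSurvey's own code: a Yii-style action that trusts a client-supplied survey id, beside one that first checks the current user's survey-level permission on that survey. The controller, action and helper names are hypothetical; Permission::model()->hasSurveyPermission() and the 'surveycontent' permission name are assumed to be LimeSurvey's existing API.

```php
<?php
// Added illustration for issue 15957; not LimeSurvey's own code.
// Assumes a Yii 1.x controller and LimeSurvey's Permission / Survey /
// QuestionGroup models. Class, action and helper names are hypothetical.
class QuestionGroupExampleController extends CController
{
    // BEFORE (the shape the reporter describes): the only gate is that the
    // request is authenticated, so the survey id supplied by the client is
    // trusted and a group can be created in any survey.
    public function actionSaveQuestionGroupDataUnchecked()
    {
        $surveyId = (int) Yii::app()->request->getPost('surveyid', 0);
        $group = new QuestionGroup();
        $group->sid = $surveyId;   // other attributes omitted for brevity
        $group->save();
    }

    // Deny-by-default guard: every action that reads or mutates survey
    // structure resolves the target survey and then asks whether the current
    // user holds the matching CRUD right on *that* survey. For actions keyed
    // by a group id (loadQuestionGroup, getQuestionsForGroup, updateOrder),
    // derive the survey id from the stored group row rather than trusting a
    // client-supplied sid, so the check cannot be bypassed by mismatched ids.
    private function requireSurveyPermission($surveyId, $crud)
    {
        if ($surveyId <= 0 || Survey::model()->findByPk($surveyId) === null) {
            throw new CHttpException(404, 'Survey not found.');
        }
        if (!Permission::model()->hasSurveyPermission($surveyId, 'surveycontent', $crud)) {
            // Fail with 403 rather than a silent redirect so the denied
            // request is visible in web server and application logs.
            throw new CHttpException(403, 'No permission for this survey.');
        }
    }

    // AFTER: creating a group requires 'create'; read-only actions would pass
    // 'read' and reordering would pass 'update'.
    public function actionSaveQuestionGroupData()
    {
        $surveyId = (int) Yii::app()->request->getPost('surveyid', 0);
        $this->requireSurveyPermission($surveyId, 'create');
        $group = new QuestionGroup();
        $group->sid = $surveyId;
        $group->save();
    }
}
```
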
Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): latest master
I will donate to the project if issue is resolved: No
Browser: -
Database type & version: -
Server OS (if known): -
Webserver software & version (if known): -
PHP Version: -

Users monitoring this issue

There are no users monitoring this issue.

Activities

cdorin (reporter), 2020-03-16 18:28, note ~56575

Have you succeeded in reproducing it? Could you please provide the steps to reproduce it?

ollehar (administrator), 2020-03-16 18:45, note ~56578

No, you'd need to handcraft a POST request. But it's obvious when reading the code that permission checks are not in place.

cdorin (reporter), 2020-10-18 19:15, note ~60244

@pstelling, is this covered by your permission-related task? :)

Issue History

Date Modified Username Field Change
2020-03-06 16:23 ollehar New Issue
2020-03-06 16:23 ollehar Priority none => high
2020-03-06 16:23 ollehar Description Updated
2020-03-16 18:29 cdorin Note Added: 56575
2020-03-16 18:29 cdorin Assigned To => cdorin
2020-03-16 18:29 cdorin Status new => feedback
2020-03-16 18:45 ollehar Note Added: 56578
2020-03-16 18:45 ollehar Status feedback => assigned
2020-10-18 19:15 cdorin Note Added: 60244
2020-12-28 18:31 cdorin Assigned To cdorin => pstelling
2020-12-28 18:31 cdorin Status assigned => new
2020-12-28 18:31 cdorin Status new => feedback
2020-12-29 09:36 cdorin Status feedback => closed
2020-12-29 09:36 cdorin Resolution open => fixed
2020-12-29 09:36 cdorin Fixed in Version => 4.4.0-RC1