View Issue Details

This bug affects 1 person(s).
 4
IDProjectCategoryView StatusLast Update
18289Bug reportsUser / Groups / Rolespublic2022-09-01 13:27
ReporterDenisChenu Assigned To 
PrioritynoneSeveritypartial_block 
Status confirmedResolutionopen 
Product Version5.3.x 
Summary18289: User with group creation allowed can not see is own group
Description

If you set an user with Create user + create group can not see own group in Survey and SurveyGroup permission

Steps To Reproduce

Steps to reproduce

  1. usercontrolSameGroupPolicy as true
  2. Create an user with User read/create permission + UserGroup read/create permission
  3. Set User group Policy to On
  4. Allow user to create Survey
  5. Connect as this user
  6. Create a new user
  7. Create a new group
  8. Add the user to this group
  9. Create a survey
  10. Check permission list

Expected result

See the new Group created

Actual result

Nothing in list

Additional Information
  1. usercontrolSameGroupPolicy as true here.
TagsNo tags attached.
Bug heat4
Complete LimeSurvey version number (& build)5.3.28
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database type & versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Relationships

parent of 18281 feedbackc_schmitz Users in group are not deleted 
related to 18294 ready for mergeollehar User was not added to group created automatically 
Not all the children of this issue are yet resolved or closed.

Users monitoring this issue

User List There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2022-07-27 18:17

developer   ~71199

The origin of this issue seems : current user was not set in Created group. In 3.X : if an user create a group : he was included in it.

Now : it was not in group, and can add it himself in group …

DenisChenu

DenisChenu

2022-07-27 18:19

developer   ~71201

Confirm the origin of the issue.

In 3.X : current user added (and can not delete himself via GUI)

But we can easily fix to include owner_id for group + for user

DenisChenu

DenisChenu

2022-07-29 09:08

developer   ~71239

But we can easily fix to include owner_id for group + for user

Work for getUserGroupList() function : https://github.com/LimeSurvey/LimeSurvey/blob/3682d8cdc75173957d1e2688c5f86fb3535cae34/application/helpers/common_helper.php#L4146
Not for getUserList function ( https://github.com/LimeSurvey/LimeSurvey/blob/master/application/helpers/common_helper.php#L680 complex to update this one)

DenisChenu

DenisChenu

2022-08-04 16:12

developer   ~71326

@gabrieljenik : you can not add owner_id to user list else you can give access to a group where user was removed from group in 3.X

In 3.X

  1. User 1 create UserGroupA (user can see this group) and UserGroupB
  2. Superadmin remove user 1 from UserGroupA
  3. User 1 can NOT see UserGroupA but still see UserGroupB

Update to 5.X now : no issue User 1 can NOT see UserGroupA but still see UserGroupB

If you fix the owner_id system User 1 can see UserGroupA .

Maybe reset the owner_id when update ? Since it's not used ?

gabrieljenik

gabrieljenik

2022-08-22 21:08

manager   ~71514

From what I read here, there 2 problems:

Problem 1)
View si retrieveing groups with the wrong query/logic criteria.
New LS5 schema by owner is not used.

Problem 2)
Some old groups created in LS3 could present permission issues with this LS5 logic
Very hard to sharply identify these groups.

I would work on #1 and then somehow show an alert ro superadmins on grups that are candidates #2.

Thoughts?

DenisChenu

DenisChenu

2022-08-24 08:23

developer   ~71523

Problem : User with group creation allowed can not see is own group

Reason :
in 3.X (2.05 until 5.3.28).: we don't use owner_id
In 3.X : when user create group : it was added to group.
In 5.0.0 : we don't use owner_id (OK why not)
In 5.0.0 : when user create group : it was NOT added to group.

Problem 1)
View si retrieveing groups with the wrong query/logic criteria.
New LS5 schema by owner is not used.

It's NOT the problem …
The problem is : We don't add current user when he create a group.

If you add owner_id to permission : this potentially BROKE current permission system. Potentially : some user can see forbidden user name …

Then you need to update API version (5.5.0 to 6.0.0) if you add owner_id to manager UserGroup
My opinion : it can be done only in DEV
And you need to be allowed to update owner via GUI
You can add a complete Permission system (GUI and lot of part of SurveyGroup can be reused)

Issue History

Date Modified Username Field Change
2022-07-27 18:15 DenisChenu New Issue
2022-07-27 18:17 DenisChenu Note Added: 71199
2022-07-27 18:17 DenisChenu Bug heat 0 => 2
2022-07-27 18:19 DenisChenu Assigned To => DenisChenu
2022-07-27 18:19 DenisChenu Status new => confirmed
2022-07-27 18:19 DenisChenu Note Added: 71201
2022-07-29 09:05 DenisChenu Assigned To DenisChenu =>
2022-07-29 09:08 DenisChenu Note Added: 71239
2022-07-29 10:16 DenisChenu Relationship added related to 18294
2022-08-04 15:36 gabrieljenik Assigned To => gabrieljenik
2022-08-04 15:36 gabrieljenik Status confirmed => assigned
2022-08-04 15:36 gabrieljenik Severity minor => partial_block
2022-08-04 16:12 DenisChenu Note Added: 71326
2022-08-22 21:08 gabrieljenik Note Added: 71514
2022-08-22 21:08 gabrieljenik Bug heat 2 => 4
2022-08-22 21:09 gabrieljenik Assigned To gabrieljenik =>
2022-08-22 21:09 gabrieljenik Status assigned => feedback
2022-08-23 15:49 DenisChenu Relationship added parent of 18281
2022-08-24 08:23 DenisChenu Note Added: 71523
2022-08-24 08:23 DenisChenu Status feedback => new
2022-08-25 21:58 gabrieljenik Assigned To => gabrieljenik
2022-08-25 21:58 gabrieljenik Status new => confirmed
2022-08-25 21:58 gabrieljenik Assigned To gabrieljenik =>
2022-09-01 13:27 DenisChenu Steps to Reproduce Updated
2022-09-01 13:27 DenisChenu Additional Information Updated