View Issue Details

This bug affects 1 person(s).
ID: 18720
Project: Bug reports
Category: Ergonomy
View Status: public
Last Update: 2023-06-02 13:05
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 6.0.x
Summary: 18720: Script show as updatable for simple user with XSS
Description

When scripts are not updatable, they show as readonly in the last 5.X version; that is not the case in 6.X.

Steps To Reproduce

Steps to reproduce

Set option as XSS + no script updatable available
Create a simple user
Log in and try to edit a question script:

Expected result

Show as readonly or disabled.
But when saving, nothing is saved: the script stays the same.

Actual result

Seems to work: seems to be editable.

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 6.0.0
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

related to 18567 (new): Big survey (lot of group and question) really hard to edit

Activities

tibor.pacalat

2023-05-16 10:04

administrator   ~75003

@DenisChenu why is this minor, sounds like a security issue?

DenisChenu

2023-05-16 12:05

developer   ~75006

No: it is shown as updatable, but when saved, it was not updated :)

More ergonomic here.

DenisChenu

2023-05-17 19:37

developer   ~75046

https://github.com/LimeSurvey/LimeSurvey/pull/3145

DenisChenu

2023-06-02 13:03

developer   ~75381

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=34764

DenisChenu

2023-06-02 13:03

developer   ~75382

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=34763

tibor.pacalat

2023-06-02 13:05

administrator   ~75383

tested and merged

Related Changesets

LimeSurvey: master 6181e6c4

2023-06-02 13:03:22

DenisChenu


Committer: GitHub
Fixed issue 18720: Script show as updatable for simple user with XSS (#3145)

* Fixed issue 18720: Script show as updatable for simple user with XSS

* Dev: Show You do not have sufficient permissions only if don't have permission
Affected Issues: 18720
mod - application/views/questionAdministration/textElements.php
mod - assets/packages/jquery-ace/jquery.ace.js

Issue History

Date Modified Username Field Change
2023-04-05 19:18 DenisChenu New Issue
2023-04-07 20:13 DenisChenu Relationship added related to 18567
2023-05-16 10:04 tibor.pacalat Note Added: 75003
2023-05-16 10:04 tibor.pacalat Bug heat 0 => 2
2023-05-16 12:05 DenisChenu Note Added: 75006
2023-05-16 12:05 DenisChenu Bug heat 2 => 4
2023-05-16 12:06 DenisChenu Steps to Reproduce Updated
2023-05-16 12:06 DenisChenu Steps to Reproduce Updated
2023-05-16 16:06 DenisChenu Assigned To => DenisChenu
2023-05-16 16:06 DenisChenu Status new => assigned
2023-05-17 19:37 DenisChenu Note Added: 75046
2023-05-17 19:37 DenisChenu Assigned To DenisChenu => gabrieljenik
2023-05-17 19:37 DenisChenu Status assigned => ready for code review
2023-05-17 21:57 gabrieljenik Assigned To gabrieljenik => DenisChenu
2023-05-17 21:57 gabrieljenik Status ready for code review => ready for testing
2023-05-18 16:53 DenisChenu Assigned To DenisChenu => tibor.pacalat
2023-06-02 13:03 DenisChenu Changeset attached => LimeSurvey master 6181e6c4
2023-06-02 13:03 DenisChenu Note Added: 75381
2023-06-02 13:03 DenisChenu Assigned To tibor.pacalat => DenisChenu
2023-06-02 13:03 DenisChenu Resolution open => fixed
2023-06-02 13:03 DenisChenu Changeset attached => LimeSurvey master 6181e6c4
2023-06-02 13:03 DenisChenu Note Added: 75382
2023-06-02 13:05 tibor.pacalat Status ready for testing => closed
2023-06-02 13:05 tibor.pacalat Note Added: 75383