From 16d62242b25e19ec5b8ea33a45c6ebcc3727ef35 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz <carsten.schmitz@limesurvey.org>
Date: Fri, 5 Mar 2021 17:27:42 +0100
Subject: [PATCH] Fixed issue #14732: Superadmin user cannot modify members of
 a group he is not a member of

---
 application/core/Survey_Common_Action.php              |  2 +-
 .../views/admin/usergroup/viewUserGroup_view.php       | 10 +++-------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/application/core/Survey_Common_Action.php b/application/core/Survey_Common_Action.php
index e0922ba99d9..8f8809424a9 100644
--- a/application/core/Survey_Common_Action.php
+++ b/application/core/Survey_Common_Action.php
@@ -1173,7 +1173,7 @@ public function _userGroupBar(array $aData)
             if (!empty($ugid)) {
                 $userGroup = UserGroup::model()->findByPk($ugid);
                 $uid = Yii::app()->session['loginID'];
-                if ($userGroup && $userGroup->hasUser($uid)) {
+                if (($userGroup && $userGroup->hasUser($uid)) || Permission::model()->hasGlobalPermission('superadmin') ) {
                     $data['userGroup'] = $userGroup;
                 } else {
                     $data['userGroup'] = null;
diff --git a/application/views/admin/usergroup/viewUserGroup_view.php b/application/views/admin/usergroup/viewUserGroup_view.php
index 9024365540c..b0df2245f30 100644
--- a/application/views/admin/usergroup/viewUserGroup_view.php
+++ b/application/views/admin/usergroup/viewUserGroup_view.php
@@ -44,14 +44,12 @@
                         </tr></thead>
                     <tbody>
                     <?php
-                    foreach ($userloop as $currentuser)
-                    {
+                    foreach ($userloop as $currentuser) {
                         ?>
                         <tr class='<?php echo $currentuser["rowclass"];?>'>
                             <td align='center'>
                             <?php
-                            if(isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true && $currentuser["userid"] != '1')
-                            { ?>
+                            if ((isset($currentuser["displayactions"]) && $currentuser["displayactions"] == true || Permission::model()->hasGlobalPermission('superadmin')) && $currentuser["userid"] != '1') { ?>
                                 <?php echo CHtml::form(array("admin/usergroups/sa/user/ugid/{$ugid}/action/remove"), 'post'); ?>
                                     <button  data-toggle="tooltip" data-placement="bottom" title="<?php eT('Delete');?>" type="submit" onclick='return confirm("<?php eT("Are you sure you want to delete this entry?","js");?>")' class="btn btn-default btn-xs ">
                                         <span class="fa fa-trash text-warning"></span>
@@ -59,9 +57,7 @@
                                     <input name='uid' type='hidden' value='<?php echo $currentuser["userid"]; ?>' />
                                 </form>
                                 <?php
-                            }
-                            else
-                            {
+                            } else {
                                 ?>
                                 &nbsp;
                             <?php