Fixed issue: View access to survey group even though no permission

Fixed issue: Don't update survey group if no POST was submitted Fixed issue: Create token table on Postgres throws index error, if done repeatedly
LimeSurvey · Oct 22, 2020 · 258ce7e · Shnoulle · Oct 22, 2020 · 258ce7e
1 parent 40b57dc
commit 258ce7e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/application/controllers/admin/questiongroups.php b/application/controllers/admin/questiongroups.php
@@ -302,6 +302,10 @@ public function delete($iSurveyId = null, $iGroupId = null, $asJson = false)
      */
     public function view($surveyid, $gid, $landOnSideMenuTab = 'structure')
     {
+        if (!Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'read')) {
+            Yii::app()->user->setFlash('error', gT("Access denied"));
+            $this->getController()->redirect(array('admin/survey/sa/listquestiongroups/surveyid/'.$surveyid));
+        }                
         $aData = array();
         $aData['surveyid'] = $iSurveyID = $surveyid;
         $survey = Survey::model()->findByPk($iSurveyID);
@@ -809,6 +813,12 @@ public function update($gid)
         $surveyid = $group->sid;
         $survey = Survey::model()->findByPk($surveyid);
 
+        if (!App()->request->isPostRequest) {
+            $this->getController()->redirect(
+                array('admin/questiongroups/sa/view/surveyid/'.$surveyid.'/gid/'.$gid)
+            );
+        }
+
         if (Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'update')) {
             App()->loadHelper('surveytranslator');
 

diff --git a/application/models/Token.php b/application/models/Token.php
@@ -199,7 +199,7 @@ public static function createTable($surveyId, array $extraFields = array())
         $db->createCommand()->createTable($sTableName, $fields, $options);
 
         /**
-         * The random component in the index name is needed because MSSQL is being the dorky kid and 
+         * The random component in the index name is needed because Postgres is being the dorky kid and 
          * complaining about duplicates when renaming the table and trying to use the same index again 
          * on a new token table (for example on reactivation)
          */
@@ -212,7 +212,7 @@ public static function createTable($surveyId, array $extraFields = array())
                 $db->createCommand()->createIndex('idx_email', $sTableName, 'email(30)', false);
                 break;
             case 'pgsql':
-                $db->createCommand()->createIndex('idx_email', $sTableName, 'email', false);
+                $db->createCommand()->createIndex('idx_email_'.$surveyId_.rand(1, 50000), $sTableName, 'email', false);
                 break;
         }