From 258ce7e27a862e85a1b005d99db693b4e026f2c9 Mon Sep 17 00:00:00 2001 From: Carsten Schmitz Date: Thu, 22 Oct 2020 13:07:12 +0200 Subject: [PATCH] Fixed issue: View access to survey group even though no permission Fixed issue: Don't update survey group if no POST was submitted Fixed issue: Create token table on Postgres throws index error, if done repeatedly --- application/controllers/admin/questiongroups.php | 10 ++++++++++ application/models/Token.php | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/application/controllers/admin/questiongroups.php b/application/controllers/admin/questiongroups.php index 10788324f51..71c6d815afc 100644 --- a/application/controllers/admin/questiongroups.php +++ b/application/controllers/admin/questiongroups.php @@ -302,6 +302,10 @@ public function delete($iSurveyId = null, $iGroupId = null, $asJson = false) */ public function view($surveyid, $gid, $landOnSideMenuTab = 'structure') { + if (!Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'read')) { + Yii::app()->user->setFlash('error', gT("Access denied")); + $this->getController()->redirect(array('admin/survey/sa/listquestiongroups/surveyid/'.$surveyid)); + } $aData = array(); $aData['surveyid'] = $iSurveyID = $surveyid; $survey = Survey::model()->findByPk($iSurveyID); @@ -809,6 +813,12 @@ public function update($gid) $surveyid = $group->sid; $survey = Survey::model()->findByPk($surveyid); + if (!App()->request->isPostRequest) { + $this->getController()->redirect( + array('admin/questiongroups/sa/view/surveyid/'.$surveyid.'/gid/'.$gid) + ); + } + if (Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'update')) { App()->loadHelper('surveytranslator'); diff --git a/application/models/Token.php b/application/models/Token.php index 6e6a8ba27c8..b3cf7f23488 100644 --- a/application/models/Token.php +++ b/application/models/Token.php 
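Review bot: The POST guard added to update(), like the permission guard added to view() in the previous hunk, only protects the code below it if `redirect()` ends the request. That is the default for Yii's `CController::redirect()`, but the hunk does not show it, and a later change that passes `$terminate = false` would let both guards fall through. Adding `return;` after each redirect, or a comment such as `// redirect() ends the request here; nothing below may run for non-POST requests`, keeps them fail-closed. The guard also sits after `$surveyid = $group->sid;`, so it is only reached when the group lookup above the hunk returned a record.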
@@ -199,7 +199,7 @@ public static function createTable($surveyId, array $extraFields = array()) $db->createCommand()->createTable($sTableName, $fields, $options); /** - * The random component in the index name is needed because MSSQL is being the dorky kid and + * The random component in the index name is needed because Postgres is being the dorky kid and * complaining about duplicates when renaming the table and trying to use the same index again * on a new token table (for example on reactivation) */ @@ -212,7 +212,7 @@ public static function createTable($surveyId, array $extraFields = array()) $db->createCommand()->createIndex('idx_email', $sTableName, 'email(30)', false); break; case 'pgsql': - $db->createCommand()->createIndex('idx_email', $sTableName, 'email', false); + $db->createCommand()->createIndex('idx_email_'.$surveyId_.rand(1, 50000), $sTableName, 'email', false); break; }
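Review bot: In the `pgsql` branch the new index name uses `$surveyId_`, which PHP reads as a variable named `surveyId_`, while the parameter in the signature is `$surveyId`. It is therefore an undefined variable that evaluates to an empty string (with a notice or warning, depending on the PHP version), and the survey id never reaches the index name. The intended expression is presumably `'idx_email_'.$surveyId.'_'.rand(1, 50000)`. With only `rand(1, 50000)` distinguishing the names, two token tables can draw the same suffix and hit the duplicate-index error this commit is meant to fix; including the survey id narrows that, and checking for an existing index name would be more reliable still. createTable()'s body starts and ends outside the hunk.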