Fixed issue #17696: Mass changing expiration date fails (except for s…

…uperadmin) (#2144) * Fixed issue #17696: Mass changing expiration date fails (except for superadmin) * Fixed issue #17696: Mass changing expiration date fails (except for superadmin) - Check template permission Co-authored-by: encuestabizdevgit <devgit@encuesta.biz>
LimeSurvey · Nov 18, 2021 · 2d33c76 · 2d33c76
1 parent 09202ff
commit 2d33c76
Showing 1 changed file with 12 additions and 20 deletions.
diff --git a/application/controllers/SurveyAdministrationController.php b/application/controllers/SurveyAdministrationController.php
@@ -779,12 +779,6 @@ public function actionGetCurrentEditorValues($sid)
      */
     public function actionChangeMultipleTheme()
     {
-        //only superadmin can do this
-        if (!Yii::app()->request->isPostRequest && !Permission::model()->hasGlobalPermission('superadmin', 'update')) {
-            Yii::app()->user->setFlash('error', gT("Access denied"));
-            $this->redirect(Yii::app()->request->urlReferrer);
-        }
-
         $sSurveys = $_POST['sItems'];
         $aSIDs = json_decode($sSurveys);
         $aResults = array();
@@ -810,11 +804,6 @@ public function actionChangeMultipleTheme()
      */
     public function actionChangeMultipleSurveyGroup()
     {
-        if (!Yii::app()->request->isPostRequest && !Permission::model()->hasGlobalPermission('superadmin', 'update')) {
-            Yii::app()->user->setFlash('error', gT("Access denied"));
-            $this->redirect(Yii::app()->request->urlReferrer);
-        }
-
         $sSurveys = $_POST['sItems'];
         $aSIDs = json_decode($sSurveys);
         $aResults = array();
@@ -825,7 +814,7 @@ public function actionChangeMultipleSurveyGroup()
             $oSurvey = Survey::model()->findByPk((int)$iSurveyID);
             $oSurvey->gsid = $iSurveyGroupId;
             $aResults[$iSurveyID]['title'] = $oSurvey->correct_relation_defaultlanguage->surveyls_title;
-            if (!Permission::model()->hasGlobalPermission('superadmin', 'update')) {
+            if (!Permission::model()->hasSurveyPermission($iSurveyID, 'surveysettings', 'update')) {
                 $aResults[$iSurveyID]['result'] = false;
                 $aResults[$iSurveyID]['error'] = gT("User does not have valid permissions");
             } else {
@@ -2340,12 +2329,6 @@ public function actionDatetimesettings()
      */
     public function actionExpireMultipleSurveys()
     {
-        //permission check: only superadmin is allowed to do this
-        if (!Yii::app()->request->isPostRequest && !Permission::model()->hasGlobalPermission('superadmin')) {
-            Yii::app()->user->setFlash('error', gT("Access denied"));
-            $this->redirect(Yii::app()->request->urlReferrer);
-        }
-
         $sSurveys = $_POST['sItems'];
         $aSIDs = json_decode($sSurveys);
         $aResults = array();
@@ -2363,7 +2346,7 @@ public function actionExpireMultipleSurveys()
             $survey = Survey::model()->findByPk($sid);
             $survey->expires = $expires;
             $aResults[$survey->primaryKey]['title'] = ellipsize($survey->correct_relation_defaultlanguage->surveyls_title, 30);
-            if (!Permission::model()->hasGlobalPermission('superadmin')) {
+            if (!Permission::model()->hasSurveyPermission($sid, 'surveysettings', 'update')) {
                 $aResults[$survey->primaryKey]['result'] = false;
                 $aResults[$survey->primaryKey]['error'] = gT("User does not have valid permissions");
             } else {
@@ -2632,7 +2615,7 @@ public function changeTemplate($iSurveyID, $template, $aResults = null, $bReturn
 
         $survey = Survey::model()->findByPk($iSurveyID);
 
-        if (!Permission::model()->hasSurveyPermission($iSurveyID, 'surveyactivation', 'update')) {
+        if (!Permission::model()->hasSurveyPermission($iSurveyID, 'surveysettings', 'update')) {
             if (!empty($bReturn)) {
                 $aResults[$iSurveyID]['title'] = $survey->correct_relation_defaultlanguage->surveyls_title;
                 $aResults[$iSurveyID]['result'] = false;
@@ -2641,6 +2624,15 @@ public function changeTemplate($iSurveyID, $template, $aResults = null, $bReturn
             } else {
                 die('No permission');
             }
+        } elseif (!Permission::model()->hasGlobalPermission('templates','read') && !Permission::model()->hasTemplatePermission($template)) {
+            if (!empty($bReturn)) {
+                $aResults[$iSurveyID]['title'] = $survey->correct_relation_defaultlanguage->surveyls_title;
+                $aResults[$iSurveyID]['result'] = false;
+                $aResults[$iSurveyID]['error'] = gT("User does not have permission to use this theme");
+                return $aResults;
+            } else {
+                die('No permission');
+            }
         }
 
         $survey->template = $sTemplate;