From 327dd94c65c2bc7ab447ad2a451f0929ab305616 Mon Sep 17 00:00:00 2001
From: Olle Haerstedt <olle.haerstedt@limesurvey.org>
Date: Fri, 15 Apr 2016 13:08:41 +0200
Subject: [PATCH] Fixed issue #10829: Survey admins presented with
 inappropriate control buttons

Dev: Hide edit buttons in question group list if user lacks permission.
---
 application/models/QuestionGroup.php | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/application/models/QuestionGroup.php b/application/models/QuestionGroup.php
index b9cbb984a39..6c3f14282f0 100644
--- a/application/models/QuestionGroup.php
+++ b/application/models/QuestionGroup.php
@@ -212,20 +212,30 @@ public function getbuttons()
         $oSurvey=Survey::model()->findByPk($this->sid);
         $surveyIsActive = $oSurvey->active !== 'N';
         $baselang = $oSurvey->language;
+        $button = '';
 
         // Add question to this group
-        $url = Yii::app()->createUrl("admin/questions/sa/newquestion/surveyid/$this->sid/gid/$this->gid");
-        $button = '<a class="btn btn-default list-btn ' . ($surveyIsActive ? 'disabled' : '') . ' "  data-toggle="tooltip"  data-placement="left" title="'.gT('Add new question to group').'" href="'.$url.'" role="button"><span class="glyphicon glyphicon-plus-sign " ></span></a>';
+        if (Permission::model()->hasSurveyPermission($this->sid, 'surveycontent', 'update'))
+        {
+            $url = Yii::app()->createUrl("admin/questions/sa/newquestion/surveyid/$this->sid/gid/$this->gid");
+            $button .= '<a class="btn btn-default list-btn ' . ($surveyIsActive ? 'disabled' : '') . ' "  data-toggle="tooltip"  data-placement="left" title="'.gT('Add new question to group').'" href="'.$url.'" role="button"><span class="glyphicon glyphicon-plus-sign " ></span></a>';
+        }
 
         // Group edition
         // Edit
-        $url = Yii::app()->createUrl("admin/questiongroups/sa/edit/surveyid/$this->sid/gid/$this->gid");
-        $button .= '  <a class="btn btn-default  list-btn" href="'.$url.'" role="button" data-toggle="tooltip" title="'.gT('Edit group').'"><span class="glyphicon glyphicon-pencil " ></span></a>';
+        if (Permission::model()->hasSurveyPermission($this->sid, 'surveycontent', 'update'))
+        {
+            $url = Yii::app()->createUrl("admin/questiongroups/sa/edit/surveyid/$this->sid/gid/$this->gid");
+            $button .= '  <a class="btn btn-default  list-btn" href="'.$url.'" role="button" data-toggle="tooltip" title="'.gT('Edit group').'"><span class="glyphicon glyphicon-pencil " ></span></a>';
+        }
 
         // View summary
-        $url = Yii::app()->createUrl("/admin/questiongroups/sa/view/surveyid/");
-        $url .= '/'.$this->sid.'/gid/'.$this->gid;
-        $button .= '  <a class="btn btn-default  list-btn" href="'.$url.'" role="button" data-toggle="tooltip" title="'.gT('Group summary').'"><span class="glyphicon glyphicon-list-alt " ></span></a>';
+        if (Permission::model()->hasSurveyPermission($this->sid, 'surveycontent', 'read'))
+        {
+            $url = Yii::app()->createUrl("/admin/questiongroups/sa/view/surveyid/");
+            $url .= '/'.$this->sid.'/gid/'.$this->gid;
+            $button .= '  <a class="btn btn-default  list-btn" href="'.$url.'" role="button" data-toggle="tooltip" title="'.gT('Group summary').'"><span class="glyphicon glyphicon-list-alt " ></span></a>';
+        }
 
         $iQuestionsInGroup = Question::model()->countByAttributes(array('sid' => $this->sid, 'gid' => $this->gid, 'language' => $baselang));