Merge pull request #135 from trougakoss/master

Fixed issue:#07881: Only survey owner has access to the survey
LimeSurvey · Oct 7, 2013 · 3c14791 · 3c14791
2 parents d6db14a + ea8cb8e
commit 3c14791
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/application/controllers/admin/remotecontrol.php b/application/controllers/admin/remotecontrol.php
@@ -511,30 +511,48 @@ public function list_surveys($sSessionKey, $sUser=NULL)
        {
 		   $sCurrentUser =  Yii::app()->session['user'];
 
+		   $aUserSurveys = array();
+
 		   if( Yii::app()->session['USER_RIGHT_SUPERADMIN'] == 1)
 		   {
 				if ($sUser == null)
+				{
 					$aUserSurveys = Survey::model()->findAll(); //list all surveys
+				}
 				else
 				{
 				   $aUserData = User::model()->findByAttributes(array('users_name' => $sUser));
 				   if (!isset($aUserData))
 						return array('status' => 'Invalid user');
 					else
-						$aUserSurveys = Survey::model()->findAllByAttributes(array("owner_id"=>$aUserData->attributes['uid']));
+					{
+						$sUid = $aUserData->attributes['uid'];
+					}
 				}
 			}
 			else
 			{
 				if (($sCurrentUser == $sUser) || ($sUser == null) )
 				{
-					$sUid =  User::model()->findByAttributes(array('users_name' => $sCurrentUser))->uid;
-					$aUserSurveys = Survey::model()->findAllByAttributes(array("owner_id"=>$sUid));
+					$sUid =  User::model()->findByAttributes(array('users_name' => $sCurrentUser))->uid;					
 				}
 				else
 					return array('status' => 'No permission');
 			}
 
+
+			if($sUid!=null){
+			//we request user and not admin surveys
+
+					$surveyPermissions = Survey_permissions::model()->findAllByAttributes(array("uid"=>$sUid));
+					foreach($surveyPermissions as $row)
+					   $ids[] = $row['sid'];
+
+					$ids = array_unique($ids);
+					$aUserSurveys = Survey::model()->findAllByAttributes(array("sid"=>$ids));
+			}
+
+
 		   if(count($aUserSurveys)==0)
 				return array('status' => 'No surveys found');