Fixed issue #18113: [security] Any admin user can read any question a…

…ttributes
LimeSurvey · May 19, 2022 · 4e4ceb8 · 4e4ceb8
1 parent 3d4a16b
commit 4e4ceb8
Showing 1 changed file with 0 additions and 33 deletions.
diff --git a/application/controllers/QuestionAdministrationController.php b/application/controllers/QuestionAdministrationController.php
@@ -607,39 +607,6 @@ public function actionGetGeneralOptions(
     }
 
 
-    /**
-     * Action (called by ajaxrequest and returning json)
-     * Returns a preformatted json of advanced settings.
-     *
-     * @param int $iQuestionId
-     * @param string $sQuestionType
-     * @param boolean $returnArray
-     * @param string $questionThemeName
-     *
-     * @return void|array
-     * @throws CException
-     * @todo Delete when Vue is gone?
-     */
-    public function actionGetAdvancedOptions(
-        $iQuestionId = null,
-        $sQuestionType = null,
-        $returnArray = false, //todo see were this ajaxrequest is done and take out the parameter there and here
-        $questionThemeName = null
-    ) {
-        //here we get a Question object (also if question is new --> QuestionCreate)
-        // TODO: this object doesn't seem to be needed here.
-        $oQuestion = $this->getQuestionObject($iQuestionId, $sQuestionType, null, $questionThemeName);
-        $aAdvancedOptionsArray = $this->getAdvancedOptions($iQuestionId, $sQuestionType, $questionThemeName);
-
-        $this->renderJSON(
-            [
-                'advancedSettings'       => $aAdvancedOptionsArray,
-                'questionTypeDefinition' => $oQuestion->questionType,
-            ]
-        );
-    }
-
-
     /**
      * Collect initial question data
      * This either creates a temporary question object, or calls a question object from the database