Fixed issue #10822: Groups Edit-Form while no Rights to edit? When ac…

…cessing the User-Groups Lists, a User can see the "Edit User-Group" Button and (after clicking) the Form, even if he has no rights for that group.
LimeSurvey · May 4, 2016 · 5a2e0bb · 5a2e0bb
1 parent ffdaa7c
commit 5a2e0bb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 46 deletions.
diff --git a/application/controllers/admin/usergroups.php b/application/controllers/admin/usergroups.php
@@ -219,7 +219,8 @@ function edit($ugid)
 
         $action = (isset($_POST['action'])) ? $_POST['action'] : '';
         if (Permission::model()->hasGlobalPermission('usergroups','update')) {
-            if ($action == "editusergroupindb") {
+            if ($action == "editusergroupindb")
+             {
 
                 $ugid = (int)$_POST['ugid'];
 

diff --git a/application/models/UserGroup.php b/application/models/UserGroup.php
@@ -226,7 +226,7 @@ public function getbuttons()
         $button = '<a class="btn btn-default list-btn" data-toggle="tooltip" data-placement="left" title="'.gT('View users').'" href="'.$url.'" role="button"><span class="glyphicon glyphicon-list-alt" ></span></a>';
 
         // Edit user group
-        if(Permission::model()->hasGlobalPermission('users','update'))
+        if(Permission::model()->hasGlobalPermission('usergroups','update'))
         {
             $url = Yii::app()->createUrl("admin/usergroups/sa/edit/ugid/$this->ugid");
             $button .= ' <a class="btn btn-default list-btn" data-toggle="tooltip" data-placement="left" title="'.gT('Edit user group').'" href="'.$url.'" role="button"><span class="glyphicon glyphicon-pencil" ></span></a>';
@@ -238,7 +238,7 @@ public function getbuttons()
         $button .= ' <a class="btn btn-default list-btn" data-toggle="tooltip" data-placement="left" title="'.gT('Email user group').'" href="'.$url.'" role="button"><span class="icon-invite" ></span></a>';
 
         // Delete user group
-        if(Permission::model()->hasGlobalPermission('users','delete'))
+        if(Permission::model()->hasGlobalPermission('usergroups','delete'))
         {
             $url = Yii::app()->createUrl("admin/usergroups/sa/delete/ugid/$this->ugid");
             $button .= ' <a class="btn btn-default list-btn" data-toggle="tooltip" data-placement="left" title="'.gT('Delete user group').'" href="'.$url.'" role="button" data-confirm="'.gT('Are you sure you want to delete this user group?').'"><span class="glyphicon glyphicon-trash text-warning"></span></a>';
@@ -288,6 +288,11 @@ function search()
 
         $criteria->join .='LEFT JOIN {{users}} AS users ON ( users.uid = t.owner_id )';
 
+        if (!Permission::model()->hasGlobalPermission('superadmin','read'))
+        {
+            $criteria->addCondition("t.owner_id=".App()->user->getId(), "AND");
+        }
+
         $dataProvider=new CActiveDataProvider('UserGroup', array(
             'sort'=>$sort,
             'criteria'=>$criteria,
@@ -299,47 +304,4 @@ function search()
         return $dataProvider;
     }
 
-    /*
-    function multi_select($fields, $from, $condition=FALSE)
-    {
-        foreach ($fields as $field)
-        {
-            $this->db->select($field);
-        }
-
-        foreach ($from AS $f)
-        {
-            $this->db->from($f);
-        }
-
-        if ($condition != FALSE)
-        {
-            $this->db->where($condition);
-        }
-
-        if ($order != FALSE)
-        {
-            $this->db->order_by($order);
-        }
-
-        if (isset($join['where'], $join['type'], $join['on']))
-        {
-            $this->db->join($condition);
-        }
-
-        $data = $this->db->get();
-        return $data;
-    }
-
-    function update($what, $where=FALSE)
-    {
-        if ($where != FALSE) $this->db->where($where);
-        return (bool) $this->db->update('user_groups', $what);
-    }
-
-    function delete($condition)
-    {
-        return (bool) $this->db->delete('user_groups', $condition);
-    }*/
-
 }