Fixed issue #10829: Survey admins presented with inappropriate control

buttons Dev: Don't allow to display reorder form if no update permission.
LimeSurvey · Apr 15, 2016 · 64248d5 · 64248d5
1 parent 65d409f
commit 64248d5
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/application/controllers/admin/surveyadmin.php b/application/controllers/admin/surveyadmin.php
@@ -1234,7 +1234,13 @@ public function organize($iSurveyID)
         $thereIsPostData = $request->getPost('orgdata') !== null;
         $userHasPermissionToUpdate = Permission::model()->hasSurveyPermission($iSurveyID, 'surveycontent', 'update');
 
-        if ($thereIsPostData && $userHasPermissionToUpdate)
+        if (!$userHasPermissionToUpdate)
+        {
+            Yii::app()->user->setFlash('error', gT("Access denied"));
+            $this->getController()->redirect(Yii::app()->request->urlReferrer);
+        }
+
+        if ($thereIsPostData)
         {
             // Save the new ordering
             $this->_reorderGroup($iSurveyID);