From 64248d5c05aac9b0f23f418ac8915b918cf9affe Mon Sep 17 00:00:00 2001
From: Olle Haerstedt
Date: Fri, 15 Apr 2016 12:59:43 +0200
Subject: [PATCH] Fixed issue #10829: Survey admins presented with inappropriate control buttons
Dev: Don't allow to display reorder form if no update permission.
---
 application/controllers/admin/surveyadmin.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/application/controllers/admin/surveyadmin.php b/application/controllers/admin/surveyadmin.php
index 6387d217196..bea2ff65d58 100644
--- a/application/controllers/admin/surveyadmin.php
+++ b/application/controllers/admin/surveyadmin.php
@@ -1234,7 +1234,13 @@ public function organize($iSurveyID)
 $thereIsPostData = $request->getPost('orgdata') !== null;
 $userHasPermissionToUpdate = Permission::model()->hasSurveyPermission($iSurveyID, 'surveycontent', 'update');
- if ($thereIsPostData && $userHasPermissionToUpdate)
+ if (!$userHasPermissionToUpdate)
+ {
+ Yii::app()->user->setFlash('error', gT("Access denied"));
+ $this->getController()->redirect(Yii::app()->request->urlReferrer);
+ }
+
+ if ($thereIsPostData)
 {
 // Save the new ordering
 $this->_reorderGroup($iSurveyID);
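Review bot: The new denial branch redirects to `Yii::app()->request->urlReferrer`, which is taken from the client's Referer header: it is empty when the browser sends none (direct navigation, a strict referrer policy), and otherwise it is whatever the requesting page supplied, so the redirect target is not under the application's control. Redirecting to a fixed in-application route, or using the referrer only after checking that it points at the same host and falling back to a fixed route when it is empty, would avoid both problems. The guard also depends on `redirect()` ending the request (its terminate argument defaults to true in Yii 1.x, as far as I can tell); an explicit `return;` right after the redirect would keep `_reorderGroup($iSurveyID)` unreachable for a user without update permission even if that default is ever overridden. `organize()` starts before and continues past this hunk, so whether the rest of the action is covered by another check cannot be judged from here.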