Fixed issue #12491: Permission to delete participants not obeyed in e…

…xport dialog
LimeSurvey · Jun 29, 2017 · 77263a3 · 77263a3
1 parent 801a5d9
commit 77263a3
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/application/helpers/export_helper.php b/application/helpers/export_helper.php
@@ -1830,7 +1830,7 @@ function tokensExport($iSurveyID)
         $aExportedTokens[] = $brow['tid'];
     }
 
-    if (Yii::app()->request->getPost('tokendeleteexported') && !empty($aExportedTokens))
+    if (Yii::app()->request->getPost('tokendeleteexported') && Permission::model()->hasSurveyPermission($iSurveyId, 'tokens', 'delete') && !empty($aExportedTokens))
     {
         Token::model($iSurveyID)->deleteByPk($aExportedTokens);
     }

diff --git a/application/views/admin/token/exportdialog.php b/application/views/admin/token/exportdialog.php
@@ -88,6 +88,8 @@
                     </div>
 
                     <!--Delete exported tokens -->
+                    <?php if (Permission::model()->hasSurveyPermission($iSurveyId, 'tokens', 'delete')) { ?>
+
                     <div class="form-group control-group " data-name="tokendeleteexported">
                         <label class="default control-label col-lg-2 col-sm-5 col-md-2" for="tokendeleteexported">
                             <?php eT('Delete exported participants:'); ?>
@@ -105,6 +107,7 @@
                             <?php eT('Warning: Deleted participants entries cannot be recovered.'); ?>
                         </div>
                     </div>
+                    <?php } ?>
                 </div>
                 <div class="buttons control-group hidden"><button class="btn" type="submit" name="submit"><?php eT('Export tokens'); ?></button></div>
             </form>