From 77263a322eb31094ebc5157b1231e427e781131a Mon Sep 17 00:00:00 2001
From: Carsten Schmitz <carsten.schmitz@limesurvey.org>
Date: Thu, 29 Jun 2017 13:12:12 +0200
Subject: [PATCH] Fixed issue #12491: Permission to delete participants not
 obeyed in export dialog

---
 application/helpers/export_helper.php          | 2 +-
 application/views/admin/token/exportdialog.php | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/application/helpers/export_helper.php b/application/helpers/export_helper.php
index ae83a089cfe..46de9c03639 100644
--- a/application/helpers/export_helper.php
+++ b/application/helpers/export_helper.php
@@ -1830,7 +1830,7 @@ function tokensExport($iSurveyID)
         $aExportedTokens[] = $brow['tid'];
     }
 
-    if (Yii::app()->request->getPost('tokendeleteexported') && !empty($aExportedTokens))
+    if (Yii::app()->request->getPost('tokendeleteexported') && Permission::model()->hasSurveyPermission($iSurveyId, 'tokens', 'delete') && !empty($aExportedTokens))
     {
         Token::model($iSurveyID)->deleteByPk($aExportedTokens);
     }
diff --git a/application/views/admin/token/exportdialog.php b/application/views/admin/token/exportdialog.php
index 9551a64a542..7edac4bd3af 100644
--- a/application/views/admin/token/exportdialog.php
+++ b/application/views/admin/token/exportdialog.php
@@ -88,6 +88,8 @@
                     </div>
 
                     <!--Delete exported tokens -->
+                    <?php if (Permission::model()->hasSurveyPermission($iSurveyId, 'tokens', 'delete')) { ?>
+
                     <div class="form-group control-group " data-name="tokendeleteexported">
                         <label class="default control-label col-lg-2 col-sm-5 col-md-2" for="tokendeleteexported">
                             <?php eT('Delete exported participants:'); ?>
@@ -105,6 +107,7 @@
                             <?php eT('Warning: Deleted participants entries cannot be recovered.'); ?>
                         </div>
                     </div>
+                    <?php } ?>
                 </div>
                 <div class="buttons control-group hidden"><button class="btn" type="submit" name="submit"><?php eT('Export tokens'); ?></button></div>
             </form>