New feature: Detailed survey permissions based on a CRUD model

Dev Checked permissions: surveycontent - Added new permissions atoms 'import' & 'export' - please reinstall DB Dev Work in progress git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_dev@9324 b72ed6b6-b9f8-46b5-92b4-906544132732
LimeSurvey · Oct 24, 2010 · 8118a82 · 8118a82
1 parent 7d53bd1
commit 8118a82
Show file tree

Hide file tree

Showing 17 changed files with 260 additions and 271 deletions.
diff --git a/admin/admin.php b/admin/admin.php
@@ -82,7 +82,7 @@
     if (
     preg_match
     (
-			'/^(delsurvey|delgroup|delquestion|insertnewsurvey|updatesubquestions|copynewquestion|insertnewgroup|insertCSV|insertnewquestion|updatesurveysettings|updatesurveysettingsandeditlocalesettings|updatesurveylocalesettings|updategroup|deactivate|savepersonalsettings|updatequestion|updateansweroptions|renumberquestions|updatedefaultvalues)$/', 
+			'/^(delsurvey|delgroup|delquestion|insertnewsurvey|updatesubquestions|copynewquestion|insertquestiongroup|insertCSV|insertquestion|updatesurveysettings|updatesurveysettingsandeditlocalesettings|updatesurveylocalesettings|updategroup|deactivate|savepersonalsettings|updatequestion|updateansweroptions|renumberquestions|updatedefaultvalues)$/', 
     $action
     )
 
@@ -174,62 +174,62 @@
     }
     elseif ($action == 'conditions')
     {
-        if(bHasSurveyPermission($surveyid,'questions','read'))    {include('conditionshandling.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','read'))    {include('conditionshandling.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'extendedconditions')
     {
-        if(bHasSurveyPermission($surveyid,'questions','read'))    {include('extendedconditionshandling.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','read'))    {include('extendedconditionshandling.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'importsurveyresources')
     {
-        if (bHasSurveyPermission($surveyid,'questions','update'))	{$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('import_resources_zip.php');}
+        if (bHasSurveyPermission($surveyid,'surveycontent','import'))	{$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('import_resources_zip.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructureLsrcCsv')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('export_structure_lsrc.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('export_structure_lsrc.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructurequexml')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('export_structure_quexml.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('export_structure_quexml.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructurexml')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('export_structure_xml.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('export_structure_xml.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructurecsvGroup')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('dumpgroup.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('dumpgroup.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructureLsrcCsvGroup')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('dumpgroup.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('dumpgroup.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructurecsvQuestion')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('dumpquestion.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('dumpquestion.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportstructureLsrcCsvQuestion')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {include('dumpquestion.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {include('dumpquestion.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportsurvresources')
     {
-        if(bHasSurveyPermission($surveyid,'exportstructure','read'))    {$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('export_resources_zip.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','export'))    {$_SESSION['FileManagerContext']="edit:survey:$surveyid";include('export_resources_zip.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'deactivate')
     {
-        if(bHasSurveyPermission($surveyid,'surveyactivation','update'))    {include('deactivate.php');}
+        if(bHasSurveyPermission($surveyid,'surveyactivation','export'))    {include('deactivate.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'deletesurvey')
@@ -239,17 +239,17 @@
     }
     elseif ($action == 'resetsurveylogic')
     {
-        if(bHasSurveyPermission($surveyid,'question','update'))    {include('resetsurveylogic.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','update'))    {include('resetsurveylogic.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'importgroup')
     {
-        if(bHasSurveyPermission($surveyid,'question','create'))    {include('importgroup.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','import'))    {include('importgroup.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'importquestion')
     {
-        if(bHasSurveyPermission($surveyid,'question','create'))    {include('importquestion.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','import'))    {include('importquestion.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'listcolumn')
@@ -259,12 +259,12 @@
     }
     elseif ($action == 'previewquestion')
     {
-        if(bHasSurveyPermission($surveyid,'question','read'))    {include('preview.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','read'))    {include('preview.php');}
         else { include('access_denied.php');}
     }
     elseif ($action=='addgroup' || $action=='editgroup' || $action=='ordergroups')
     {
-        if(bHasSurveyPermission($surveyid,'question','read'))    {$_SESSION['FileManagerContext']="edit:group:$surveyid"; include('questiongrouphandling.php');}
+        if(bHasSurveyPermission($surveyid,'surveycontent','read'))    {$_SESSION['FileManagerContext']="edit:group:$surveyid"; include('questiongrouphandling.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'saved')
@@ -281,8 +281,16 @@
 //</AdV>    
     elseif ($action == 'tokens')
     {
-        if(bHasSurveyPermission($surveyid,'tokens','read'))    {$_SESSION['FileManagerContext']="edit:emailsettings:$surveyid"; include('tokens.php'); include('bounceprocessing.php');}
+        if(bHasSurveyPermission($surveyid,'tokens','read'))    
+        {
+            $_SESSION['FileManagerContext']="edit:emailsettings:$surveyid"; 
+            include('tokens.php'); 
+        }
         else { include('access_denied.php'); }
+        if(bHasSurveyPermission($surveyid,'tokens','update'))    
+        {
+            include('bounceprocessing.php');
+        }
     }
     elseif ($action == 'iteratesurvey')
     {
@@ -341,7 +349,7 @@
                 break;
             case 'editsurveylocalesettings':
 			case 'updatesurveysettingsandeditlocalesettings':
-                if (bHasSurveyPermission($surveyid,'edit_survey_property'))
+                if (bHasSurveyPermission($surveyid,'surveysettings','update') && bHasSurveyPermission($surveyid,'surveylocale','read'))
                 {
                     $_SESSION['FileManagerContext']="edit:survey:$surveyid";
                     include('fck_LimeReplacementFields.php');exit;
@@ -352,7 +360,7 @@
                 }
                 break;
             case 'tokens': // email
-                if (bHasSurveyPermission($surveyid,'activate_survey'))
+                if (bHasSurveyPermission($surveyid,'tokens','update'))
                 {
                     $_SESSION['FileManagerContext']="edit:emailsettings:$surveyid";
                     include('fck_LimeReplacementFields.php');exit;
@@ -365,7 +373,7 @@
             case 'editquestion':
             case 'copyquestion':
             case 'addquestion':
-                if (bHasSurveyPermission($surveyid,'define_questions'))
+                if (bHasSurveyPermission($surveyid,'surveycontent','read'))
                 {
                     $_SESSION['FileManagerContext']="edit:question:$surveyid";
                     include('fck_LimeReplacementFields.php');exit;
@@ -377,7 +385,7 @@
                 break;
             case 'editgroup':
             case 'addgroup':
-                if (bHasSurveyPermission($surveyid,'define_questions'))
+                if (bHasSurveyPermission($surveyid,'surveycontent','read'))
                 {
                     $_SESSION['FileManagerContext']="edit:group:$surveyid";
                     include('fck_LimeReplacementFields.php');exit;
@@ -388,7 +396,7 @@
                 }
                 break;
             case 'editanswer':
-                if (bHasSurveyPermission($surveyid,'define_questions'))
+                if (bHasSurveyPermission($surveyid,'surveycontent','read'))
                 {
                     $_SESSION['FileManagerContext']="edit:answer:$surveyid";
                     include('fck_LimeReplacementFields.php');exit;
@@ -400,7 +408,7 @@
                 break;
             case 'assessments':
             case 'assessmentedit':
-                if(bHasSurveyPermission($surveyid,'define_questions'))    {
+                if(bHasSurveyPermission($surveyid,'assessments','read'))    {
                     $_SESSION['FileManagerContext']="edit:assessments:$surveyid";
                     include('fck_LimeReplacementFields.php');
                 }
@@ -438,22 +446,22 @@
     }
     elseif ($action == 'exportresults')
     {
-        if(bHasSurveyPermission($surveyid,'export'))    {include('exportresults.php');}
+        if(bHasSurveyPermission($surveyid,'exportresponses','read'))    {include('exportresults.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'statistics')
     {
-        if(bHasSurveyPermission($surveyid,'browse_response'))    {include('statistics.php');}
+        if(bHasSurveyPermission($surveyid,'statistics','read'))    {include('statistics.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'importoldresponses')
     {
-        if(bHasSurveyPermission($surveyid,'browse_response'))    {include('importoldresponses.php');}
+        if(bHasSurveyPermission($surveyid,'responses','create'))    {include('importoldresponses.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'exportspss')
     {
-        if(bHasSurveyPermission($surveyid,'export'))
+        if(bHasSurveyPermission($surveyid,'exportresponses','read'))
         {
             include('export_data_spss.php');
         }
@@ -475,23 +483,23 @@
     }
     elseif ($action == 'exportr')
     {
-        if(bHasSurveyPermission($surveyid,'export'))    {include('export_data_r.php');}
+        if(bHasSurveyPermission($surveyid,'exportresponses','read'))    {include('export_data_r.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'vvexport')
     {
-        if(bHasSurveyPermission($surveyid,'browse_response'))    {include('vvexport.php');}
+        if(bHasSurveyPermission($surveyid,'exportresponses','read'))    {include('vvexport.php');}
         else { include('access_denied.php');}
     }
     elseif ($action == 'vvimport')
     {
-        if(bHasSurveyPermission($surveyid,'browse_response'))    {include('vvimport.php');}
+        if(bHasSurveyPermission($surveyid,'responses','create'))    {include('vvimport.php');}
         else { include('access_denied.php');}
     }
     if ($action=='addquestion'    || $action=='copyquestion' || $action=='editquestion' || $action=='editdefaultvalues' ||
         $action=='orderquestions' || $action=='ajaxquestionattributes' || $action=='ajaxlabelsetpicker' || $action=='ajaxlabelsetdetails')
     {
-        if(bHasSurveyPermission($surveyid,'questions','read'))
+        if(bHasSurveyPermission($surveyid,'surveycontent','read'))
         {
             $_SESSION['FileManagerContext']="edit:question:$surveyid";
             include('questionhandling.php');

diff --git a/admin/admin_functions.php b/admin/admin_functions.php
@@ -71,7 +71,7 @@ function db_switchIDInsert($table,$state)
 function bHasSurveyPermission($iSID, $sPermission, $sCRUD, $iUID=null)
 {
     global $dbprefix, $connect;
-    if (!in_array($sCRUD,array('create','read','update','delete'))) return false;
+    if (!in_array($sCRUD,array('create','read','update','delete','import','export'))) return false;
     $sCRUD=$sCRUD.'_p';
     $iSID = (int)$iSID;
     global $aSurveyPermissionCache;
@@ -151,10 +151,12 @@ function SetSurveyPermissions($iUserID, $iSurveyID, $aPermissions)
         if (!isset($aPermissions['read'])) {$aPermissions['read']=0;}
         if (!isset($aPermissions['update'])) {$aPermissions['update']=0;}
         if (!isset($aPermissions['delete'])) {$aPermissions['delete']=0;}
-        if ($aPermissions['create']==1 || $aPermissions['read']==1 ||$aPermissions['update']==1 || $aPermissions['delete']==1)
+        if (!isset($aPermissions['import'])) {$aPermissions['import']=0;}
+        if (!isset($aPermissions['export'])) {$aPermissions['export']=0;}
+        if ($aPermissions['create']==1 || $aPermissions['read']==1 ||$aPermissions['update']==1 || $aPermissions['delete']==1  || $aPermissions['import']==1  || $aPermissions['export']==1)
         {
-            $sQuery = "INSERT INTO ".db_table_name('survey_permissions')." (sid, uid, permission, create_p, read_p, update_p, delete_p)
-                       VALUES ({$iSurveyID},{$iUserID},'{$sPermissionname}',{$aPermissions['create']},{$aPermissions['read']},{$aPermissions['update']},{$aPermissions['delete']})";
+            $sQuery = "INSERT INTO ".db_table_name('survey_permissions')." (sid, uid, permission, create_p, read_p, update_p, delete_p, import_p, export_p)
+                       VALUES ({$iSurveyID},{$iUserID},'{$sPermissionname}',{$aPermissions['create']},{$aPermissions['read']},{$aPermissions['update']},{$aPermissions['delete']},{$aPermissions['import']},{$aPermissions['export']})";
             $bResult=$connect->Execute($sQuery);
         }
     }

diff --git a/admin/database.php b/admin/database.php
@@ -49,7 +49,7 @@ function get_max_question_order($gid)
 
 if(isset($surveyid))
 {
-    if ($action == "insertnewgroup" && bHasSurveyPermission($surveyid, 'question','create'))
+    if ($action == "insertquestiongroup" && bHasSurveyPermission($surveyid, 'surveycontent','create'))
     {
         $grplangs = GetAdditionalLanguagesFromSurveyID($postsid);
         $baselang = GetBaseLanguageFromSurveyID($postsid);
@@ -183,7 +183,7 @@ function get_max_question_order($gid)
         }
     }
 
-    elseif ($action == "delgroup" && bHasSurveyPermission($surveyid, 'define_questions'))
+    elseif ($action == "delgroup" && bHasSurveyPermission($surveyid, 'surveycontent','delete'))
     {
         if (!isset($gid)) $gid=returnglobal('gid');
         $query = "SELECT qid FROM ".db_table_name('groups')." g, ".db_table_name('questions')." q WHERE g.gid=q.gid AND g.gid=$gid AND q.parent_qid=0 group by qid";
@@ -215,7 +215,7 @@ function get_max_question_order($gid)
         }
     }
 
-    elseif ($action == "insertnewquestion" && bHasSurveyPermission($surveyid, 'question','create'))
+    elseif ($action == "insertquestion" && bHasSurveyPermission($surveyid, 'surveycontent','create'))
     {
         $baselang = GetBaseLanguageFromSurveyID($postsid);
         if (strlen($_POST['title']) < 1)
@@ -316,7 +316,7 @@ function get_max_question_order($gid)
             //surveyFixColumns($surveyid);
         }
     }
-    elseif ($action == "renumberquestions" && bHasSurveyPermission($surveyid, 'question','update'))
+    elseif ($action == "renumberquestions" && bHasSurveyPermission($surveyid, 'surveycontent','update'))
     {
         //Automatically renumbers the "question codes" so that they follow
         //a methodical numbering method
@@ -349,7 +349,7 @@ function get_max_question_order($gid)
     }
 
 
-    elseif ($action == "updatedefaultvalues" && bHasSurveyPermission($surveyid, 'question','update'))     
+    elseif ($action == "updatedefaultvalues" && bHasSurveyPermission($surveyid, 'surveycontent','update'))     
     {
 
         $questlangs = GetAdditionalLanguagesFromSurveyID($surveyid);
@@ -422,7 +422,7 @@ function get_max_question_order($gid)
     }
 
 
-    elseif ($action == "updatequestion" && bHasSurveyPermission($surveyid, 'question','update'))
+    elseif ($action == "updatequestion" && bHasSurveyPermission($surveyid, 'surveycontent','update'))
     {
         $cqquery = "SELECT type, gid FROM ".db_table_name('questions')." WHERE qid={$postqid}";
         $cqresult=db_execute_assoc($cqquery) or safe_die ("Couldn't get question type to check for change<br />".$cqquery."<br />".$connect->ErrorMsg()); // Checked
@@ -657,7 +657,7 @@ function get_max_question_order($gid)
         }
     }
 
-    elseif ($action == "copynewquestion" && bHasSurveyPermission($surveyid, 'question','create'))     
+    elseif ($action == "copynewquestion" && bHasSurveyPermission($surveyid, 'surveycontent','create'))     
     {
 
         if (!$_POST['title'])
@@ -806,7 +806,7 @@ function get_max_question_order($gid)
             $qid=$newqid; //Sets the qid so that admin.php displays the newly created question
         }
     }
-    elseif ($action == "delquestion" && bHasSurveyPermission($surveyid, 'question','delete'))     
+    elseif ($action == "delquestion" && bHasSurveyPermission($surveyid, 'surveycontent','delete'))     
     {
         if (!isset($qid)) {$qid=returnglobal('qid');}
         //check if any other questions have conditions which rely on this question. Don't delete if there are.
@@ -837,7 +837,7 @@ function get_max_question_order($gid)
         }
     }
 
-    elseif ($action == "updateansweroptions" && bHasSurveyPermission($surveyid, 'question','update'))     
+    elseif ($action == "updateansweroptions" && bHasSurveyPermission($surveyid, 'surveycontent','update'))     
     {
 
         $anslangs = GetAdditionalLanguagesFromSurveyID($surveyid);
@@ -910,7 +910,7 @@ function get_max_question_order($gid)
 
             }
 
-    elseif ($action == "updatesubquestions" && bHasSurveyPermission($surveyid, 'question','update'))     
+    elseif ($action == "updatesubquestions" && bHasSurveyPermission($surveyid, 'surveycontent','update'))     
     {
 
         $anslangs = GetAdditionalLanguagesFromSurveyID($surveyid);

diff --git a/admin/dumpgroup.php b/admin/dumpgroup.php
@@ -24,7 +24,7 @@
 if (!isset($dbprefix) || isset($_REQUEST['dbprefix'])) {die("Cannot run this script directly");}
 include_once("login_check.php");
 require_once("export_data_functions.php");      
-if(!bHasSurveyPermission($surveyid,'export')) safe_die("You are not allowed to export question groups."); 
+if(!bHasSurveyPermission($surveyid,'surveycontent','export')) safe_die("You are not allowed to export question groups."); 
 
 $gid = returnglobal('gid');
 $surveyid = returnglobal('sid');

diff --git a/admin/dumpquestion.php b/admin/dumpquestion.php
@@ -26,7 +26,7 @@
 if (!isset($dbprefix) || isset($_REQUEST['dbprefix'])) {die("Cannot run this script directly");}
 include_once("login_check.php");
 require_once("export_data_functions.php");      
-if(!bHasSurveyPermission($surveyid,'exportstructure','read')) safe_die("You are not allowed to export questions.");
+if(!bHasSurveyPermission($surveyid,'surveycontent','export')) safe_die("You are not allowed to export questions.");
 
 
 $qid = returnglobal('qid');