Fixed issue #7204: User without access to token table have all inform…

…ation from token table in responses
LimeSurvey · Jan 18, 2013 · a58aaab · a58aaab
1 parent e02b393
commit a58aaab
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 11 deletions.
diff --git a/application/controllers/admin/export.php b/application/controllers/admin/export.php
@@ -142,7 +142,7 @@ public function exportresults()
 
         if ( ! hasSurveyPermission($iSurveyID, 'responses', 'export') )
         {
-            exit;
+            $this->getController()->error('Access denied!');
         }
 
         Yii::app()->loadHelper("admin/exportresults");

diff --git a/application/controllers/admin/responses.php b/application/controllers/admin/responses.php
@@ -109,7 +109,7 @@ public function view($iSurveyID, $iId, $sBrowseLang = '')
             $fieldmap = createFieldMap($iSurveyID, false, false, $aData['language']);
 
             //add token to top of list if survey is not private
-            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID))
+            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID) && hasSurveyPermission($iSurveyID,'tokens','read'))
             {
                 $fnames[] = array("token", "Token", $clang->gT("Token ID"), 0);
                 $fnames[] = array("firstname", "First name", $clang->gT("First name"), 0);
@@ -184,7 +184,7 @@ public function view($iSurveyID, $iId, $sBrowseLang = '')
             if($exist)
             {
                 $oCriteria = new CDbCriteria();
-                if ($aData['surveyinfo']['anonymized'] == 'N' && tableExists("{{tokens_$iSurveyID}}}"))
+                if ($aData['surveyinfo']['anonymized'] == 'N' && tableExists("{{tokens_$iSurveyID}}}") && hasSurveyPermission($iSurveyID,'tokens','read'))
                 {
                     $oCriteria = Survey_dynamic::model($iSurveyID)->addTokenCriteria($oCriteria);
                 }
@@ -305,7 +305,7 @@ public function index($iSurveyID)
             $clang = $aData['clang'];
             $aData['num_total_answers'] = Survey_dynamic::model($iSurveyID)->count();
             $aData['num_completed_answers'] = Survey_dynamic::model($iSurveyID)->count('submitdate IS NOT NULL');
-            if (tableExists('{{tokens_' . $iSurveyID . '}}'))
+            if (tableExists('{{tokens_' . $iSurveyID . '}}') )
             {
                 $aData['with_token']= Yii::app()->db->schema->getTable('{{tokens_' . $iSurveyID . '}}');
                 $aData['tokeninfo'] = Tokens_dynamic::model($iSurveyID)->summary();
@@ -423,7 +423,7 @@ function browse($iSurveyID)
                 $aViewUrls[] = 'browseallfiltered_view';
             }
             //add token to top of list if survey is not private
-            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID)) //add token to top of list if survey is not private
+            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID) && hasSurveyPermission($iSurveyID,'tokens','read')) //add token to top of list if survey is not private
             {
                 $fnames[] = array("token", "Token", $clang->gT("Token ID"), 0);
                 $fnames[] = array("firstname", "First name", $clang->gT("First name"), 0);
@@ -480,7 +480,7 @@ function browse($iSurveyID)
             if(!$limit){$limit=50;}
             $oCriteria = new CDbCriteria;
             //Create the query
-            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists("{{tokens_{$iSurveyID}}}"))
+            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists("{{tokens_{$iSurveyID}}}") && hasSurveyPermission($iSurveyID,'tokens','read'))
             {
                 $oCriteria = Survey_dynamic::model($iSurveyID)->addTokenCriteria($oCriteria);
             }

diff --git a/application/helpers/admin/exportresults_helper.php b/application/helpers/admin/exportresults_helper.php
@@ -274,7 +274,7 @@ public function loadSurveyById($id)
              $survey->answers[$aAnswer['qid']][$aAnswer['scale_id']][$aAnswer['code']]=$aAnswer;
         }
         //Load tokens
-        if (tableExists('{{tokens_' . $intId . '}}'))
+        if (tableExists('{{tokens_' . $intId . '}}') && hasSurveyPermission($intId,'tokens','read'))
         {
             $sQuery = 'SELECT t.* FROM {{tokens_' . $intId . '}} AS t;';
             $recordSet = Yii::app()->db->createCommand($sQuery)->query()->readAll();
@@ -310,7 +310,7 @@ public function loadSurveyResults(SurveyObj $survey, $iLimit, $iOffset, $iMaximu
         $aSelectFields=Yii::app()->db->schema->getTable('{{survey_' . $survey->id . '}}')->getColumnNames();
 
         $oRecordSet = Yii::app()->db->createCommand()->from('{{survey_' . $survey->id . '}}');
-        if (tableExists('tokens_'.$survey->id) && array_key_exists ('token',Survey_dynamic::model($survey->id)->attributes))
+        if (tableExists('tokens_'.$survey->id) && array_key_exists ('token',Survey_dynamic::model($survey->id)->attributes) && hasSurveyPermission($survey->id,'tokens','read'))
         {
             $oRecordSet->leftJoin('{{tokens_' . $survey->id . '}} tokentable','tokentable.token={{survey_' . $survey->id . '}}.token');
             $aTokenFields=Yii::app()->db->schema->getTable('{{tokens_' . $survey->id . '}}')->getColumnNames();

diff --git a/application/helpers/export_helper.php b/application/helpers/export_helper.php
@@ -184,7 +184,8 @@ function SPSSFieldMap($iSurveyID, $prefix = 'V') {
     $fieldno=0;
 
     $fields=array();
-    if (isset($tokensexist) && $tokensexist == true && $surveyprivate == 'N') {
+    if (isset($tokensexist) && $tokensexist == true && $surveyprivate == 'N' && hasSurveyPermission($iSurveyID,'tokens','read'))
+    {
         $tokenattributes=getTokenFieldsAndNames($iSurveyID,false);
         foreach ($tokenattributes as $attributefield=>$attributedescription)
         {
@@ -311,7 +312,8 @@ function SPSSGetQuery($iSurveyID) {
 
 
     #See if tokens are being used
-    if (isset($tokensexist) && $tokensexist == true && !$bDataAnonymized) {
+    if (isset($tokensexist) && $tokensexist == true && !$bDataAnonymized && hasSurveyPermission($iSurveyID,'tokens','read'))
+    {
         $query="SELECT ";
         $tokenattributes=array_keys(getTokenFieldsAndNames($iSurveyID,false));
         foreach ($tokenattributes as $attributefield) {

diff --git a/application/views/admin/export/exportresults_view.php b/application/views/admin/export/exportresults_view.php
@@ -118,7 +118,7 @@
                     } ?>
                 </select>
                 <br />&nbsp;</fieldset>
-            <?php if ($thissurvey['anonymized'] == "N" && tableExists("{{tokens_$surveyid}}")) { ?>
+            <?php if ($thissurvey['anonymized'] == "N" && tableExists("{{tokens_$surveyid}}") & hasSurveyPermission($surveyid,'token','read')) { ?>
                 <fieldset><legend><?php $clang->eT("Token control");?></legend>
                     <?php $clang->eT("Choose token fields");?>:
                     <img src='<?php echo $imageurl;?>/help.gif' alt='<?php $clang->eT("Help");?>' onclick='javascript:alert("<?php $clang->gT("Your survey can export associated token data with each response. Select any additional fields you would like to export.","js");?>")' /><br />