Merge branch 'master' into develop

LimeSurvey · Sep 21, 2021 · ab01c8c · ab01c8c
2 parents b02e7f6 + 4c580fd
commit ab01c8c
Show file tree

Hide file tree

Showing 40 changed files with 2,560 additions and 1,718 deletions.
diff --git a/application/config/version.php b/application/config/version.php
@@ -16,5 +16,5 @@
 $config['buildnumber'] = '';
 $config['updatable'] = true;
 $config['templateapiversion']  = 3;
-$config['assetsversionnumber'] = '30237';
+$config['assetsversionnumber'] = '30239';
 return $config;
diff --git a/application/controllers/SurveysGroupsPermissionController.php b/application/controllers/SurveysGroupsPermissionController.php
@@ -48,6 +48,12 @@ public function accessRules()
         ];
     }
 
+    public function filters()
+    {
+        return array(
+            'postOnly + DeleteUser'
+        );
+    }
 
     /**
      * Shown permissions list, allow to add user and group,
@@ -156,7 +162,7 @@ public function actionIndex(int $id)
         $aData['fullpagebar'] = array(
             'returnbutton' => array(
                 'text' => gT('Back'),
-                'url'  => App()->createUrl('surveyAdministration/listsurveys', array('#' => 'surveygroups')),
+                'url'  => 'surveyAdministration/listsurveys#surveygroups',
             ),
         );
         $this->aData = $aData;

diff --git a/application/controllers/UserRoleController.php b/application/controllers/UserRoleController.php
@@ -269,6 +269,8 @@ public function actionRunExport($ptid)
      */
     public function actionDelete()
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasGlobalPermission('superadmin', 'read')) {
             Yii::app()->session['flashmessage'] = gT('You have no access to the role management!');
             $this->getController()->redirect(array('/admin'));

diff --git a/application/controllers/admin/PluginManagerController.php b/application/controllers/admin/PluginManagerController.php
@@ -166,6 +166,7 @@ public function scanFiles()
 
     public function deleteFiles($plugin)
     {
+        $this->requirePostRequest();
         $this->checkUpdatePermission();
 
         // Pre supposes the plugin is in the uploads folder. Other plugins are not deletable by button.

diff --git a/application/controllers/admin/SurveysGroupsController.php b/application/controllers/admin/SurveysGroupsController.php
@@ -351,6 +351,8 @@ public function surveySettings(int $id)
      */
     public function delete($id)
     {
+        $this->requirePostRequest();
+
         $oGroupToDelete = $this->loadModel($id);
         if (!$oGroupToDelete->hasPermission('group', 'delete')) {
             throw new CHttpException(403, gT("You do not have permission to access this page."));

diff --git a/application/controllers/admin/dataentry.php b/application/controllers/admin/dataentry.php
@@ -1302,6 +1302,8 @@ public function editdata($subaction, $id, $surveyid)
      */
     public function delete()
     {
+        $this->requirePostRequest();
+
         $surveyid = '';
         if (isset($_REQUEST['surveyid']) && !empty($_REQUEST['surveyid'])) {
             $surveyid = $_REQUEST['surveyid'];

diff --git a/application/controllers/admin/labels.php b/application/controllers/admin/labels.php
@@ -402,6 +402,8 @@ public function saveNewLabelSet()
      */
     public function delete()
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasGlobalPermission('labelsets', 'delete')) {
             throw new CHttpException(403, gT("You are not authorized to delete label sets.", 'unescaped'));
         }

diff --git a/application/controllers/admin/participantsaction.php b/application/controllers/admin/participantsaction.php
@@ -2368,6 +2368,8 @@ public function rejectShareParticipant()
      */
     public function deleteSingleParticipantShare($participantId, $shareUid)
     {
+        $this->requirePostRequest();
+
         $participantShare = ParticipantShare::model()->findByPk(array(
             'participant_id' => $participantId,
             'share_uid' => $shareUid

diff --git a/application/controllers/admin/quotas.php b/application/controllers/admin/quotas.php
@@ -303,6 +303,8 @@ public function delans($iSurveyId)
 
     public function delquota($iSurveyId)
     {
+        $this->requirePostRequest();
+
         $iSurveyId = sanitize_int($iSurveyId);
         $this->_checkPermissions($iSurveyId, 'delete');
 

diff --git a/application/controllers/admin/responses.php b/application/controllers/admin/responses.php
@@ -204,7 +204,7 @@ public function view($iSurveyID, $iId, $sBrowseLang = '')
             $fnames[] = array("completed", gT("Completed"), "0");
 
             foreach ($fieldmap as $field) {
-                if ($field['fieldname'] == 'lastpage' || $field['fieldname'] == 'submitdate') {
+                if ( $field['fieldname'] == 'submitdate') {
                     continue;
                 }
                 if ($field['type'] == 'interview_time') {
@@ -703,6 +703,8 @@ public function actionDelete($surveyid)
      */
     public function actionDeleteSingle($surveyid, $responseId)
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasSurveyPermission($surveyid, 'responses', 'delete')) {
             throw new CHttpException(403, gT("You do not have permission to access this page."));
         }

diff --git a/application/controllers/admin/surveypermission.php b/application/controllers/admin/surveypermission.php
@@ -130,7 +130,7 @@ public function index($iSurveyID)
                         'uid' => $PermissionRow['uid']
                     ));
                     $deleteConfirmMessage = gT("Are you sure you want to delete this entry?");
-                    $surveysecurity .= "<span data-toggle='tooltip' title='" . gT("Delete") . "'><a data-target='#confirmation-modal' data-toggle='modal' data-message='{$deleteConfirmMessage}' data-href='{$deleteUrl}' type='submit' class='btn-sm btn btn-default'>
+                    $surveysecurity .= "<span data-toggle='tooltip' title='" . gT("Delete") . "'><a data-target='#confirmation-modal' data-toggle='modal' data-message='{$deleteConfirmMessage}' data-post-url='{$deleteUrl}' type='submit' class='btn-sm btn btn-default'>
                         <span class='fa fa-trash text-danger'></span>
                         </a></span>";
                 }
@@ -499,6 +499,7 @@ function set($surveyid)
      */
     function delete($surveyid)
     {
+        $this->requirePostRequest();
 
         $aData['surveyid'] = $surveyid = sanitize_int($surveyid);
         $oSurvey = Survey::model()->findByPk($surveyid);

diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
@@ -259,6 +259,8 @@ public function deleteMultiple()
      */
     public function deleteToken()
     {
+        $this->requirePostRequest();
+
         $aTokenId = Yii::app()->getRequest()->getParam('sItem');
         $iSid = (int) Yii::app()->getRequest()->getParam('sid');
         if (!Permission::model()->hasSurveyPermission($iSid, 'tokens', 'delete')) {

diff --git a/application/controllers/admin/update.php b/application/controllers/admin/update.php
@@ -174,6 +174,8 @@ public function manage_submitkey()
 
     public function delete_key()
     {
+        $this->requirePostRequest();
+
         if (Permission::model()->hasGlobalPermission('superadmin')) {
             SettingGlobal::model()->deleteByPk('update_key');
             App()->setFlashMessage('Your update key has been removed');

diff --git a/application/core/Survey_Common_Action.php b/application/core/Survey_Common_Action.php
@@ -1218,4 +1218,19 @@ protected function renderJSON($aData, $success = true)
         ], true, false);
         return;
     }
+
+    /**
+     * Validates that the request method is POST.
+     *
+     * This is intended to be used on subactions. When possible (eg. when refactoring
+     * a Survey_Common_Action into an actual controller), use 'postOnly' filter instead.
+     *
+     * @throws CHttpException with 405 status if the request method is not POST.
+     */
+    protected function requirePostRequest()
+    {
+        if(!Yii::app()->getRequest()->isPostRequest) {
+            throw new CHttpException(405, gT("Invalid action"));
+        }
+    }
 }
diff --git a/application/helpers/expressions/em_core_helper.php b/application/helpers/expressions/em_core_helper.php
@@ -579,16 +579,19 @@ private function RDP_EvaluateUnary(array $token)
      * Main entry function
      * @param string $expr
      * @param boolean $onlyparse - if true, then validate the syntax without computing an answer
+     * @param boolean $resetErrorsAndWarnings - if true (default), EM errors and warnings will be cleared before evaluation
      * @return boolean - true if success, false if any error occurred
      */
-    public function RDP_Evaluate($expr, $onlyparse = false)
+    public function RDP_Evaluate($expr, $onlyparse = false, $resetErrorsAndWarnings = true)
     {
         $this->RDP_expr = $expr;
         $this->RDP_tokens = $this->RDP_Tokenize($expr);
         $this->RDP_count = count($this->RDP_tokens);
         $this->RDP_pos = -1; // starting position within array (first act will be to increment it)
-        $this->RDP_errs = array();
-        $this->RDP_warnings = array();
+        if ($resetErrorsAndWarnings) {
+            $this->RDP_errs = array();
+            $this->RDP_warnings = array();
+        }
         $this->RDP_onlyparse = $onlyparse;
         $this->RDP_stack = array();
         $this->RDP_evalStatus = false;
@@ -1975,14 +1978,15 @@ public function sProcessStringContainingExpressionsHelper($src, $questionNum, $s
         $stringParts = $this->asSplitStringOnExpressions($src);
         $resolvedParts = array();
         $prettyPrintParts = array();
+        $this->ResetErrorsAndWarnings();
         foreach ($stringParts as $stringPart) {
             if ($stringPart[2] == 'STRING') {
                 $resolvedParts[] = $stringPart[0];
                 $prettyPrintParts[] = $stringPart[0];
             } else {
                 ++$this->substitutionNum;
                 $expr = $this->ExpandThisVar(substr($stringPart[0], 1, -1));
-                if ($this->RDP_Evaluate($expr)) {
+                if ($this->RDP_Evaluate($expr, false, false)) { // We call RDP_Evaluate with $resetErrorsAndWarnings = false because, if $src has more than one expression, error information could be lost
                     $resolvedPart = $this->GetResult();
                 } else {
                     // show original and errors in-line only if user have the rigth to update survey content

diff --git a/application/helpers/update/updatedb_helper.php b/application/helpers/update/updatedb_helper.php
@@ -4943,13 +4943,13 @@ function ($v) {
             // Apply integrity fix before adding unique constraint.
             // List of label set ids which contain code duplicates.
             $lids = $oDB->createCommand(
-                "SELECT lime_labels.lid AS lid
-                FROM lime_labels
-                GROUP BY lime_labels.lid
-                HAVING COUNT(DISTINCT(lime_labels.code)) < COUNT(lime_labels.id)"
+                "SELECT {{labels}}.lid AS lid
+                FROM {{labels}}
+                GROUP BY {{labels}}.lid
+                HAVING COUNT(DISTINCT({{labels}}.code)) < COUNT({{labels}}.id)"
             )->queryAll();
             foreach ($lids as $lid) {
-                regenerateLabelCodes400($lid['lid']);
+                regenerateLabelCodes400($lid['lid'], $hasLanguageColumn = false);
             }
             $oDB->createCommand()->createIndex('{{idx5_labels}}', '{{labels}}', ['lid','code'], true);
             $oDB->createCommand()->update('{{settings_global}}', array('stg_value' => 475), "stg_name='DBVersion'");
@@ -8048,9 +8048,10 @@ function runAddPrimaryKeyonAnswersTable400(&$oDB)
  * Fails silently
  *
  * @param int $lid Label set id
+ * @param bool $hasLanguageColumn Should be true before dbversion 400 is finished, false after
  * @return void
  */
-function regenerateLabelCodes400(int $lid)
+function regenerateLabelCodes400(int $lid, $hasLanguageColumn = true)
 {
     $oDB = Yii::app()->getDb();
 
@@ -8062,22 +8063,25 @@ function regenerateLabelCodes400(int $lid)
     }
 
     foreach (explode(',', $labelSet['languages']) as $lang) {
-        $labels = $oDB->createCommand(
-            sprintf(
+        if ($hasLanguageColumn) {
+            $query = sprintf(
                 "SELECT * FROM {{labels}} WHERE lid = %d AND language = %s",
                 (int) $lid,
                 $oDB->quoteValue($lang)
-            )
-        )->queryAll();
+            );
+        } else {
+            // When this function is used in update 475, the language column is already moved.
+            $query = sprintf("SELECT * FROM {{labels}} WHERE lid = %d", (int) $lid);
+        }
+        $labels = $oDB->createCommand($query)->queryAll();
         if (empty($labels)) {
             continue;
         }
         foreach ($labels as $key => $label) {
             $oDB->createCommand(
                 sprintf(
                     "UPDATE {{labels}} SET code = %s WHERE id = %d",
-                    // Use simply nr as label code
-                    $oDB->quoteValue((string) $key + 1),
+                    $oDB->quoteValue("L" . (string) $key + 1),
                     $label['id']
                 )
             )->execute();

diff --git a/application/models/LabelSet.php b/application/models/LabelSet.php
@@ -148,7 +148,7 @@ public function getbuttons()
             $button .= '<span data-toggle="tooltip" data-placement="top" title="' . gT('Delete label set') . '"><a 
             class="btn btn-default btn-sm"  
             data-toggle="modal"
-            data-href ="' . $url . '"
+            data-post-url ="' . $url . '"
             data-message="' . $message . '"
             data-target="#confirmation-modal" 
             title="' . gT("Delete") . '" 

diff --git a/application/models/Permissiontemplates.php b/application/models/Permissiontemplates.php
@@ -209,7 +209,7 @@ class='btn btn-sm btn-default'
                 data-toggle='modal' 
                 data-title='" . gt('Delete user role') . "'
                 data-target='#confirmation-modal'
-                data-url='" . $deleteUrl . "' 
+                data-post-url ='" . $deleteUrl . "' 
                 data-ptid='" . $this->ptid . "'
                 data-action='delrole'         
                 data-onclick='LS.RoleControl.triggerRunAction(\"#RoleControl--delete-" . $this->ptid . "\")'

diff --git a/application/models/SurveyDynamic.php b/application/models/SurveyDynamic.php
@@ -353,8 +353,8 @@ public function getGridButtons()
                 'data-target' => '#confirmation-modal',
                 'data-btnclass' => 'btn-danger',
                 'data-btntext' => gt('Delete'),
-                'data-href' => 'App()->createUrl("admin/responses/sa/actionDeleteSingle",array("surveyid"=>' . self::$sid . ',"responseId"=>$data->id));',
-                'evaluateOptions' => array('data-href'),
+                'data-post-url' => 'App()->createUrl("admin/responses/sa/actionDeleteSingle",array("surveyid"=>' . self::$sid . ',"responseId"=>$data->id));',
+                'evaluateOptions' => array('data-post-url'),
                 'title' => gT("Delete this response"),
                 'data-message' => gT('Do you want to delete this response?')
                 . '<br/>'

diff --git a/application/models/SurveyTimingDynamic.php b/application/models/SurveyTimingDynamic.php
@@ -198,7 +198,7 @@ public function getButtons()
         // Delete
         if (Permission::model()->hasSurveyPermission(self::$sid, 'responses', 'delete')) {
             $deleteUrl = App()->createUrl("admin/dataentry/sa/delete/subaction/edit/surveyid/" . self::$sid . "/id/" . $this->id);
-            $buttons .= '<a class="btn btn-sm btn-default" data-target="#confirmation-modal" data-href="' . $deleteUrl . '" role="button" data-toggle="modal" data-tooltip="true" title="' . gT('Delete this response') . '"><span class="fa fa-trash text-danger" ></span></a>';
+            $buttons .= '<a class="btn btn-sm btn-default" data-target="#confirmation-modal" data-post-url="' . $deleteUrl . '" role="button" data-toggle="modal" data-tooltip="true" title="' . gT('Delete this response') . '"><span class="fa fa-trash text-danger" ></span></a>';
         }
         $buttons .= '</div>';
         return $buttons;

diff --git a/application/models/SurveysGroups.php b/application/models/SurveysGroups.php
@@ -125,7 +125,7 @@ public function getColumns()
                     'type' => 'raw',
                     'value' => '$data->buttons',
                     'headerHtmlOptions' => array('class' => 'hidden-xs'),
-                    'htmlOptions' => array('class' => 'hidden-xs'),
+                    'htmlOptions' => array('class' => 'hidden-xs button-column'),   // Cells that include buttons need the 'button-column' class to avoid triggering the 'selectionChanged' event
                 ),
                 array(
                     'header' => gT('Survey group ID'),
@@ -315,7 +315,7 @@ public function getButtons()
         }
         /* Can not delete group #1 + with survey (or move it to hasPermission function ?) */
         if ($this->gsid != 1 && !$this->hasSurveys && $this->hasPermission('group', 'delete')) {
-            $button .= '<span data-toggle="tooltip" title="' . gT('Delete survey group') . '"><a class="btn btn-sm btn-default" href="#" data-href="' . $sDeleteUrl . '" data-target="#confirmation-modal" role="button" data-toggle="modal" data-message="' . gT('Do you want to continue?') . '"><i class="fa fa-trash text-danger " aria-hidden="true"></i></a></span>';
+            $button .= '<span data-toggle="tooltip" title="' . gT('Delete survey group') . '"><a class="btn btn-sm btn-default" href="#" data-post-url="' . $sDeleteUrl . '" data-target="#confirmation-modal" role="button" data-toggle="modal" data-message="' . gT('Do you want to continue?') . '"><i class="fa fa-trash text-danger " aria-hidden="true"></i></a></span>';
         }
         $button .= "</div>";
         return $button;

diff --git a/application/models/TokenDynamic.php b/application/models/TokenDynamic.php
@@ -921,8 +921,8 @@ public function getGridButtons()
                 'data-toggle' => "modal",
                 'data-target' => '#confirmation-modal',
                 'data-message' => gt('Do you really want to delete this participant') . '?',
-                'data-href' => 'App()->createUrl("/admin/tokens/sa/deleteToken",array("sid"=>' . self::$sid . ',"sItem"=>$data->tid));',
-                'evaluateOptions' => array('data-href'),
+                'data-post-url' => 'App()->createUrl("/admin/tokens/sa/deleteToken",array("sid"=>' . self::$sid . ',"sItem"=>$data->tid));',
+                'evaluateOptions' => array('data-post-url'),
                 'data-btntext' => gt('Delete'),
                 'title' => gT('Delete survey participant'),
             ),

diff --git a/application/views/SurveysGroupsPermission/subviews/currentUsersList.php b/application/views/SurveysGroupsPermission/subviews/currentUsersList.php
@@ -35,7 +35,7 @@
                                 <a class="btn btn-default btn-sm" role="button"
                                    data-target='#confirmation-modal' data-toggle='modal'
                                    data-message='<?= gT("Are you sure you want to remove all permissions for this user?") ?>'
-                                   data-href='<?= $deleteUrl ?>'
+                                   data-post-url='<?= $deleteUrl ?>'
                                 ><span class="fa fa-trash text-danger" aria-hidden="true" title="<?= gT("Delete") ?>"><span>
                             <span class="sr-only"><?= gT("Delete") ?></span>
                                 </a>

diff --git a/application/views/admin/pluginmanager/scanFilesResult.php b/application/views/admin/pluginmanager/scanFilesResult.php
@@ -35,7 +35,7 @@
                 <?php endif; ?>
 
                 <?php if (isset($scannedPlugin['deleteUrl'])) : ?>
-                    <a href='#' class='btn btn-default' data-target='#confirmation-modal' data-toggle='modal' data-href='<?= $scannedPlugin['deleteUrl'] ?>' data-message='<?php eT('Are you sure you want to delete this plugin from the file system?'); ?>' type='submit'>
+                    <a href='#' class='btn btn-default' data-target='#confirmation-modal' data-toggle='modal' data-post-url='<?= $scannedPlugin['deleteUrl'] ?>' data-message='<?php eT('Are you sure you want to delete this plugin from the file system?'); ?>' type='submit'>
                         <i class='fa fa-trash text-danger'></i>&nbsp;
                         <span data-toggle='tooltip' title='<?php eT('Delete this plugin from the file system'); ?>'>Delete files</span>
                     </a>

diff --git a/application/views/admin/quotas/viewquotas_quota_actions.php b/application/views/admin/quotas/viewquotas_quota_actions.php
@@ -15,7 +15,7 @@
 <?php } ?>
 <?php if (Permission::model()->hasSurveyPermission($oSurvey->getPrimaryKey(), 'quotas','delete')) { ?>
     <a
-            data-href="<?php echo $deleteUrl; ?>"
+            data-post-url="<?php echo $deleteUrl; ?>"
             class="btn btn-default"
             data-toggle="modal"
             data-target="#confirmation-modal"

diff --git a/application/views/admin/update/manage/manage_key.php b/application/views/admin/update/manage/manage_key.php
@@ -44,7 +44,7 @@
                             <?php echo $updateKeyInfos->remaining_updates; ?>
                         </td>
                         <td>
-                            <a data-href="<?php echo App()->createUrl('/admin/update/sa/delete_key');?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
+                            <a data-post-url="<?php echo App()->createUrl('/admin/update/sa/delete_key');?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
                                 <span class="fa fa-trash text-danger"></span>
                             </a>
                         </td>