New feature: Detailed survey permissions based on a CRUD model

Dev Checked permissions: responses Dev Work in progress git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_dev@9319 b72ed6b6-b9f8-46b5-92b4-906544132732
LimeSurvey · Oct 23, 2010 · dce6204 · dce6204
1 parent a9991bb
commit dce6204
Show file tree

Hide file tree

Showing 9 changed files with 147 additions and 183 deletions.
diff --git a/admin/admin.php b/admin/admin.php
@@ -427,7 +427,7 @@
 
     if ($action == 'dataentry')
     {
-        if(bHasSurveyPermission($surveyid,'browse_response'))
+        if(bHasSurveyPermission($surveyid,'responses','create'))
         {
             include('dataentry.php');
         }
@@ -464,7 +464,7 @@
     }
     elseif ($action == 'browse')
     {
-        if(bHasSurveyPermission($surveyid,'browse_response'))
+        if(bHasSurveyPermission($surveyid,'responses','read'))
         {
             include('browse.php');
         }

diff --git a/admin/browse.php b/admin/browse.php
@@ -347,7 +347,7 @@
     }
 
     //Delete Individual answer using inrow delete buttons/links - checked
-    if (isset($_POST['deleteanswer']) && $_POST['deleteanswer'] != '' && $_POST['deleteanswer'] != 'marked' && bHasSurveyPermission($surveyid,'delete_survey'))
+    if (isset($_POST['deleteanswer']) && $_POST['deleteanswer'] != '' && $_POST['deleteanswer'] != 'marked' && bHasSurveyPermission($surveyid,'responses','delete'))
     {
         $_POST['deleteanswer']=(int) $_POST['deleteanswer']; // sanitize the value
 
@@ -384,7 +384,7 @@
         $connect->execute($query) or safe_die("Could not delete response<br />$dtquery<br />".$connect->ErrorMsg()); // checked
     }
     // Marked responses -> deal with the whole batch of marked responses
-    if (isset($_POST['markedresponses']) && count($_POST['markedresponses'])>0 && bHasSurveyPermission($surveyid,'delete_survey'))        
+    if (isset($_POST['markedresponses']) && count($_POST['markedresponses'])>0 && bHasSurveyPermission($surveyid,'responses','delete'))        
     {
         // Delete the marked responses - checked
         if (isset($_POST['deleteanswer']) && $_POST['deleteanswer'] === 'marked')
@@ -686,12 +686,12 @@
                 . "</strong></th>\n";
     }
     $tableheader .= "\t</tr></thead>\n\n";
-    if (bHasSurveyPermission($surveyid,'delete_survey'))
+    if (bHasSurveyPermission($surveyid,'responses','delete'))
     {
-    $tableheader .= "\t<tfoot><tr><td colspan=".($fncount+2).">"
-                   ."<img id='imgDeleteMarkedResponses' src='$imagefiles/token_delete.png' alt='".$clang->gT('Delete marked responses')."' />"
-                   ."<img id='imgDownloadMarkedFiles' src='$imagefiles/down.png' alt='".$clang->gT('Download Marked Files')."' />"
-                   ."</td></tr></tfoot>\n\n";
+        $tableheader .= "\t<tfoot><tr><td colspan=".($fncount+2).">"
+                       ."<img id='imgDeleteMarkedResponses' src='$imagefiles/token_delete.png' alt='".$clang->gT('Delete marked responses')."' />"
+                       ."<img id='imgDownloadMarkedFiles' src='$imagefiles/down.png' alt='".$clang->gT('Download Marked Files')."' />"
+                       ."</td></tr></tfoot>\n\n";
     }
 
     $start=returnglobal('start');
@@ -730,23 +730,17 @@
         {
             $selectedgrouptoken = $connect->getOne("SELECT token FROM $grouptokentable WHERE gtid='{$selectedgroup}'");
             $dtquery .= " AND grouptoken='{$selectedgrouptoken}'";
+        }
     }
-    if (isset($_POST['sql']) && stripcslashes($_POST['sql']) !== "" && $_POST['sql'] !== "NULL")
-    {
-        if (!empty($sql_where)) $sql_where .= " AND ";
-        $sql_where .= stripcslashes($_POST['sql']);
-    }
-    if (!empty($sql_where)) $sql_where = " WHERE " . $sql_where;
-
-    //LETS COUNT THE DATA
-    $dtquery = "SELECT count(*) FROM $sql_from $sql_where";
-    }
+
     // filter group token
     elseif (db_tables_exist($tokentable) && $selectedgroup != "")
     {
         $selectedgrouptoken = $connect->getOne("SELECT token FROM $grouptokentable WHERE gtid='{$selectedgroup}'");
         $dtquery .= " WHERE grouptoken='{$selectedgrouptoken}'";
     }
+    //LETS COUNT THE DATA
+    $dtquery = "SELECT count(*) FROM $sql_from $sql_where";
 
     $dtresult=db_execute_num($dtquery) or safe_die("Couldn't get response data<br />$dtquery<br />".$connect->ErrorMsg());
     while ($dtrow=$dtresult->FetchRow()) {$dtcount=$dtrow[0];}
@@ -996,7 +990,7 @@
         <a><img id='downloadfile_{$dtrow['id']}' src='$imagefiles/down.png' alt='".$clang->gT('Download all files in this response as a zip file')."' class='downloadfile'/></a>
         <a><img id='deleteresponse_{$dtrow['id']}' src='$imagefiles/token_delete.png' alt='".$clang->gT('Delete this response')."' class='deleteresponse'/></a></td>\n";
 
-        if (bHasSurveyPermission($surveyid,'delete_survey'))
+        if (bHasSurveyPermission($surveyid,'responses','delete'))
         {
             $browseoutput .= "<a><img id='deleteresponse_{$dtrow['id']}' src='$imagefiles/token_delete.png' alt='".$clang->gT('Delete this response')."' class='deleteresponse'/></a>\n";
         }

diff --git a/admin/dataentry.php b/admin/dataentry.php
@@ -69,10 +69,10 @@
 }
 $surveyinfo=getSurveyInfo($surveyid);
 
-if (bHasSurveyPermission($surveyid, 'browse_response'))
+if (bHasSurveyPermission($surveyid, 'responses','create'))
 {
 
-    $surveyoptions = browsemenubar($clang->gT("Browse Responses"));
+    $surveyoptions = browsemenubar($clang->gT("Data entry"));
     if (!$surveyid && !$subaction)
     {
         $dataentryoutput .= "<div class='header'>".$clang->gT("Data Entry")."</div>\n";
@@ -160,7 +160,7 @@
         }
         elseif (tableExists('tokens_'.$thissurvey['sid']) && $lastanswfortoken == 'UnknownToken')
         {
-            $errormsg="<strong><font color='red'>".$clang->gT("Error").":</font> ".$clang->gT("The token you have provided is not valid or has already been used.")."</strong>\n";
+            $errormsg="<div class='warningheader'>".$clang->gT("Error")."</div> ".$clang->gT("The token you have provided is not valid or has already been used.")."<p>\n";
         }
         elseif (tableExists('tokens_'.$thissurvey['sid']) && $lastanswfortoken != '')
         {

diff --git a/admin/export_data_r.php b/admin/export_data_r.php
@@ -73,7 +73,7 @@
 if (!isset($surveyid)) {$surveyid=returnglobal('sid');}
 $filterstate = incompleteAnsFilterstate();
 
-$headerComment = '#$Rev: 9213 $' . " $filterstate.\n";
+$headerComment = '#$Rev$' . " $filterstate.\n";
 
 if (isset($_GET['dldata'])) $subaction = "dldata";
 if (isset($_GET['dlstructure'])) $subaction = "dlstructure";

diff --git a/admin/export_data_spss.php b/admin/export_data_spss.php
@@ -92,7 +92,7 @@
 
 }
 
-$headerComment = '*$Rev: 9218 $' . " $filterstate $spssver.\n";
+$headerComment = '*$Rev$' . " $filterstate $spssver.\n";
 
 if (isset($_GET['dldata'])) $subaction = "dldata";
 if (isset($_GET['dlstructure'])) $subaction = "dlstructure";

diff --git a/admin/html.php b/admin/html.php
@@ -356,7 +356,7 @@
         {
             $surveysummary .= "<img src='$imagefiles/inactive.png' "
             . "alt='".$clang->gT("This survey is not currently active")."' />\n";
-            if($sumcount3>0 && bHasSurveyPermission($surveyid,'activate_survey','update'))
+            if($sumcount3>0 && bHasSurveyPermission($surveyid,'surveyactivation','update'))
             {
                 $surveysummary .= "<a href=\"#\" onclick=\"window.open('$scriptname?action=activate&amp;sid=$surveyid', '_top')\""
                 . " title=\"".$clang->gTview("Activate this Survey")."\" >"
@@ -385,7 +385,7 @@
                 $surveysummary .= "<img src='$imagefiles/active.png' title='' "
                 . "alt='".$clang->gT("This survey is currently active")."' />\n";
             }
-            if(bHasSurveyPermission($surveyid,'activate_survey','update'))
+            if(bHasSurveyPermission($surveyid,'surveyactivation','update'))
             {
                 $surveysummary .= "<a href=\"#\" onclick=\"window.open('$scriptname?action=deactivate&amp;sid=$surveyid', '_top')\""
                 . " title=\"".$clang->gTview("Deactivate this Survey")."\" >"

diff --git a/admin/html_functions.php b/admin/html_functions.php
@@ -28,61 +28,67 @@ function browsemenubar($title='')
     . "<a href='$scriptname?sid=$surveyid' title=\"".$clang->gTview("Return to survey administration")."\" >"
     . "<img name='Administration' src='$imagefiles/home.png' title='' alt='".$clang->gT("Return to survey administration")."' /></a>\n"
     . "<img src='$imagefiles/blank.gif' alt='' width='11' />\n"
-    . "<img src='$imagefiles/seperator.gif' alt='' />\n"
+    . "<img src='$imagefiles/seperator.gif' alt='' />\n";
     //Show summary information
-    . "<a href='$scriptname?action=browse&amp;sid=$surveyid' title=\"".$clang->gTview("Show summary information")."\" >"
-    . "<img name='SurveySummary' src='$imagefiles/summary.png' title='' alt='".$clang->gT("Show summary information")."' /></a>\n";
-
-    //Display responses
-    if (count(GetAdditionalLanguagesFromSurveyID($surveyid)) == 0)
-    {
-        $browsemenubar .="<a href='$scriptname?action=browse&amp;sid=$surveyid&amp;subaction=all' title=\"".$clang->gTview("Display Responses")."\" >" .
-        "<img name='ViewAll' src='$imagefiles/document.png' title='' alt='".$clang->gT("Display Responses")."' /></a>\n";
-    }
-    else
+    if (bHasSurveyPermission($surveyid,'responses','read'))
     {
-        $browsemenubar .= "<a href=\"#\" accesskey='b' id='browseresponses'"
-        . "title=\"".$clang->gTview("Display Responses")."\" >"
-        ."<img src='$imagefiles/document.png' alt='".$clang->gT("Display Responses")."' name='ViewAll' /></a>";
+        $browsemenubar.= "<a href='$scriptname?action=browse&amp;sid=$surveyid' title=\"".$clang->gTview("Show summary information")."\" >"
+        . "<img name='SurveySummary' src='$imagefiles/summary.png' title='' alt='".$clang->gT("Show summary information")."' /></a>\n";
+        //Display responses
+        if (count(GetAdditionalLanguagesFromSurveyID($surveyid)) == 0)
+        {
+            $browsemenubar .="<a href='$scriptname?action=browse&amp;sid=$surveyid&amp;subaction=all' title=\"".$clang->gTview("Display Responses")."\" >" .
+            "<img name='ViewAll' src='$imagefiles/document.png' title='' alt='".$clang->gT("Display Responses")."' /></a>\n";
+        }
+        else
+        {
+            $browsemenubar .= "<a href=\"#\" accesskey='b' id='browseresponses'"
+            . "title=\"".$clang->gTview("Display Responses")."\" >"
+            ."<img src='$imagefiles/document.png' alt='".$clang->gT("Display Responses")."' name='ViewAll' /></a>";
 
-        $tmp_survlangs = GetAdditionalLanguagesFromSurveyID($surveyid);
-        $baselang = GetBaseLanguageFromSurveyID($surveyid);
-        $tmp_survlangs[] = $baselang;
-        rsort($tmp_survlangs);
+            $tmp_survlangs = GetAdditionalLanguagesFromSurveyID($surveyid);
+            $baselang = GetBaseLanguageFromSurveyID($surveyid);
+            $tmp_survlangs[] = $baselang;
+            rsort($tmp_survlangs);
 
-        $browsemenubar .="<div class=\"langpopup\" id=\"browselangpopup\">".$clang->gT("Please select a language:")."<ul>";
-        foreach ($tmp_survlangs as $tmp_lang)
-        {
-            $browsemenubar .= "<li><a href=\"{$scriptname}?action=browse&amp;sid={$surveyid}&amp;subaction=all&amp;browselang={$tmp_lang}\" accesskey='b'>".getLanguageNameFromCode($tmp_lang,false)."</a></li>";
+            $browsemenubar .="<div class=\"langpopup\" id=\"browselangpopup\">".$clang->gT("Please select a language:")."<ul>";
+            foreach ($tmp_survlangs as $tmp_lang)
+            {
+                $browsemenubar .= "<li><a href=\"{$scriptname}?action=browse&amp;sid={$surveyid}&amp;subaction=all&amp;browselang={$tmp_lang}\" accesskey='b'>".getLanguageNameFromCode($tmp_lang,false)."</a></li>";
+            }
+            $browsemenubar .= "</ul></div>";
         }
-        $browsemenubar .= "</ul></div>";
-    }
 
-    // Display last 50 responses
-    $browsemenubar .= "<a href='$scriptname?action=browse&amp;sid=$surveyid&amp;subaction=all&amp;limit=50&amp;order=desc'" .
-                    " title=\"".$clang->gTview("Display Last 50 Responses")."\" >" .
-                    "<img name='ViewLast' src='$imagefiles/viewlast.png' alt='".$clang->gT("Display Last 50 Responses")."' /></a>\n";
+        // Display last 50 responses
+        $browsemenubar .= "<a href='$scriptname?action=browse&amp;sid=$surveyid&amp;subaction=all&amp;limit=50&amp;order=desc'" .
+                        " title=\"".$clang->gTview("Display Last 50 Responses")."\" >" .
+                        "<img name='ViewLast' src='$imagefiles/viewlast.png' alt='".$clang->gT("Display Last 50 Responses")."' /></a>\n";
+
+    }
     // Data entry
-    $browsemenubar .= "<a href='$scriptname?action=dataentry&amp;sid=$surveyid'".
-                    " title=\"".$clang->gTview("Dataentry Screen for Survey")."\" >" .
-                    "<img name='DataEntry' src='$imagefiles/dataentry.png' alt='".$clang->gT("Dataentry Screen for Survey")."' /></a>\n";
+    if (bHasSurveyPermission($surveyid,'responses','create'))
+    {
+        $browsemenubar .= "<a href='$scriptname?action=dataentry&amp;sid=$surveyid'".
+                        " title=\"".$clang->gTview("Dataentry Screen for Survey")."\" >" .
+                        "<img name='DataEntry' src='$imagefiles/dataentry.png' alt='".$clang->gT("Dataentry Screen for Survey")."' /></a>\n";
+    }
     // Statistics
-    $browsemenubar .= "<a href='$scriptname?action=statistics&amp;sid=$surveyid' "
-    ."title=\"".$clang->gTview("Get statistics from these responses")."\" >"
-    ."<img name='Statistics' src='$imagefiles/statistics.png' alt='".$clang->gT("Get statistics from these responses")."' /></a>\n";
-
-    // Time Statistics
-    if ($thissurvey['savetimings']=="Y")
+    if (bHasSurveyPermission($surveyid,'statistics','read'))
     {
-		$browsemenubar .= "<a href='$scriptname?action=browse&amp;sid=$surveyid&amp;subaction=time' "
-		."title=\"".$clang->gTview("Get time statistics from these responses")."\" >"
-		."<img name='timeStatistics' src='$imagefiles/timeStatistics.png' alt='".$clang->gT("Get time statistics from these responses")."' /></a>\n";
-	}
-
-
+        $browsemenubar .= "<a href='$scriptname?action=statistics&amp;sid=$surveyid' "
+        ."title=\"".$clang->gTview("Get statistics from these responses")."\" >"
+        ."<img name='Statistics' src='$imagefiles/statistics.png' alt='".$clang->gT("Get statistics from these responses")."' /></a>\n";
+        // Time Statistics
+        if ($thissurvey['savetimings']=="Y")
+        {
+            $browsemenubar .= "<a href='$scriptname?action=browse&amp;sid=$surveyid&amp;subaction=time' "
+            ."title=\"".$clang->gTview("Get time statistics from these responses")."\" >"
+            ."<img name='timeStatistics' src='$imagefiles/timeStatistics.png' alt='".$clang->gT("Get time statistics from these responses")."' /></a>\n";
+        }    
+    }
     $browsemenubar .= "<img src='$imagefiles/seperator.gif' alt='' />\n";
 
-    if ($sumrows5['export'] == "1" || $_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
+    if (bHasSurveyPermission($surveyid,'exportresponses','read'))         
     {
         // Export to application
         $browsemenubar .= "<a href='$scriptname?action=exportresults&amp;sid=$surveyid' title=\"".$clang->gTview("Export Results to Application")."\" >"
@@ -100,34 +106,37 @@ function browsemenubar($title='')
         . "alt='". $clang->gT("Export results to a R data file")."' /></a>\n";
     }
     //Import old response table
-    $browsemenubar .= "<a href='$scriptname?action=importoldresponses&amp;sid=$surveyid' title=\"".$clang->gTview("Import answers from a deactivated survey table")."\" >"
-    . "<img name='ImportOldResponses' src='$imagefiles/importold.png' alt='".$clang->gT("Import answers from a deactivated survey table")."' /></a>\n";
+    if (bHasSurveyPermission($surveyid,'responses','create'))  
+    {
+        $browsemenubar .= "<a href='$scriptname?action=importoldresponses&amp;sid=$surveyid' title=\"".$clang->gTview("Import responses from a deactivated survey table")."\" >"
+        . "<img name='ImportOldResponses' src='$imagefiles/importold.png' alt='".$clang->gT("Import answers from a deactivated survey table")."' /></a>\n";
+    }       
 
     $browsemenubar .= "<img src='$imagefiles/seperator.gif' alt='' />\n";
 
     //browse saved responses
-    $browsemenubar .= "<a href='$scriptname?action=saved&amp;sid=$surveyid' title=\"".$clang->gTview("View Saved but not submitted Responses")."\" >"
-    . "<img src='$imagefiles/saved.png' title='' alt='".$clang->gT("View Saved but not submitted Responses")."' name='BrowseSaved' /></a>\n"
+    if (bHasSurveyPermission($surveyid,'responses','read'))  
+    {
+        $browsemenubar .= "<a href='$scriptname?action=saved&amp;sid=$surveyid' title=\"".$clang->gTview("View Saved but not submitted Responses")."\" >"
+        . "<img src='$imagefiles/saved.png' title='' alt='".$clang->gT("View Saved but not submitted Responses")."' name='BrowseSaved' /></a>\n";
+    }
 
     //Import VV
-    . "<a href='$scriptname?action=vvimport&amp;sid=$surveyid' title=\"".$clang->gTview("Import a VV survey file")."\" >"
-    . "<img src='$imagefiles/importvv.png' alt='".$clang->gT("Import a VV survey file")."' /></a>\n";
+    if (bHasSurveyPermission($surveyid,'responses','create'))  
+    {    
+        $browsemenubar . "<a href='$scriptname?action=vvimport&amp;sid=$surveyid' title=\"".$clang->gTview("Import a VV survey file")."\" >"
+        . "<img src='$imagefiles/importvv.png' alt='".$clang->gT("Import a VV survey file")."' /></a>\n";
+    }
 
     //Export VV
-    if ($sumrows5['export'] == "1" || $_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
+    if (bHasSurveyPermission($surveyid,'exportresponses','read'))   
     {
         $browsemenubar .= "<a href='$scriptname?action=vvexport&amp;sid=$surveyid' title=\"".$clang->gTview("Export a VV survey file")."\" >"
         ."<img src='$imagefiles/exportvv.png' title='' alt='".$clang->gT("Export a VV survey file")."' /></a>\n";
     }
 
     //Iterate survey
-    if (( ($surrows['browse_response'] && $surrows['activate_survey']) ||
-    $_SESSION['USER_RIGHT_SUPERADMIN'] == 1
-    ) &&
-    (
-    $thissurvey['private'] == 'N' &&
-    $thissurvey['tokenanswerspersistence'] == 'Y'
-    ))
+    if (bHasSurveyPermission($surveyid,'responses','delete') && $thissurvey['private'] == 'N' && $thissurvey['tokenanswerspersistence'] == 'Y')
     {
         $browsemenubar .= "<a href='$scriptname?action=iteratesurvey&amp;sid=$surveyid' title=\"".$clang->gTview("Iterate survey")."\" >"
         ."<img src='$imagefiles/iterate.png' title='' alt='".$clang->gT("Iterate surevey")."' /></a>\n";