Fixed issue #14216: Users without rights to delete tokens can still d…

…elete them Dev: disable action , hide button come after Dev: deleteToken must use POST : db update => must be post
LimeSurvey · Nov 6, 2018 · dfa62ac · dfa62ac
1 parent 38c9154
commit dfa62ac
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
@@ -241,9 +241,11 @@ public function bounceprocessing($iSurveyId)
      */
     public function deleteMultiple()
     {
-        // TODO: permission checks
         $aTokenIds = json_decode(Yii::app()->getRequest()->getPost('sItems'));
         $iSid = Yii::app()->getRequest()->getPost('sid');
+        if (!Permission::model()->hasSurveyPermission($iSid, 'tokens', 'delete')) {
+            throw new CHttpException(403, gT("You do not have permission to access this page."));
+        }
         TokenDynamic::model($iSid)->deleteRecords($aTokenIds);
         return true;
     }
@@ -253,9 +255,11 @@ public function deleteMultiple()
      */
     public function deleteToken()
     {
-        // TODO: permission checks
         $aTokenId = Yii::app()->getRequest()->getParam('sItem');
         $iSid = Yii::app()->getRequest()->getParam('sid');
+        if (!Permission::model()->hasSurveyPermission($iSid, 'tokens', 'delete')) {
+            throw new CHttpException(403, gT("You do not have permission to access this page."));
+        }
         TokenDynamic::model($iSid)->deleteRecords(array($aTokenId));
         return true;
     }