Fixed issue #18978: User is able to change survey group's code that i…

…s by default unchangeable (#3401)

Co-authored-by: lapiudevgit <devgit@lapiu.biz>

application/controllers/admin/SurveysGroupsController.php

@@ -118,6 +118,8 @@ public function update(int $id)
                 throw new CHttpException(403, gT("You do not have permission to access this page."));
             }
             $postSurveysGroups = App()->getRequest()->getPost('SurveysGroups');
+            // Remove name from post data, as it shouldn't be updated
+            unset($postSurveysGroups['name']);
             /* Mimic survey system : only owner and superadmin can update owner … */
             /* After update : potential loose of rights on SurveysGroups */
             if (

application/models/SurveysGroups.php

@@ -69,6 +69,7 @@ public function rules()
             // The following rule is used by search().
             // @todo Please remove those attributes that should not be searched.
             array('gsid, name, title, description, owner_id, parent_id, created, modified, created_by', 'safe', 'on' => 'search'),
+            array('name', 'unsafe' , 'on' => ['update']),
         );
     }