Merge branch 'master' into develop

.github/workflows/main.yml

@@ -104,9 +104,6 @@ jobs:
           # sed -i '60s/.*/        "debug"=>2,/' application/config/config.php
           # cat application/config/config.php
 
-      - name: Run syntax check, CodeSniffer, MessDetector, ...
-        run: composer test
-
       - name: Test the server
         run: |
           # Test server.
@@ -162,3 +159,7 @@ jobs:
           name: screenshots
           path: tests/tmp/screenshots/
           retention-days: 5
+
+      - name: Run syntax check, CodeSniffer, MessDetector, ...
+        run: composer test
+

application/config/version.php

@@ -16,5 +16,5 @@
 $config['buildnumber'] = '';
 $config['updatable'] = true;
 $config['templateapiversion']  = 3;
-$config['assetsversionnumber'] = '30323';
+$config['assetsversionnumber'] = '30327';
 return $config;

application/controllers/UserManagementController.php

@@ -812,11 +812,11 @@ public function actionExportUser(string $outputFormat, int $uid = 0)
                 fprintf($fp, chr(0xEF) . chr(0xBB) . chr(0xBF));
                 $header = array('uid', 'users_name', 'full_name', 'email', 'lang', 'password');
                 //Add csv header
-                fputcsv($fp, $header, ';');
+                fputcsv($fp, $header, ';', '"');
 
                 //add csv row datas
                 foreach ($aUsers as $fields) {
-                    fputcsv($fp, $fields, ';');
+                    fputcsv($fp, $fields, ';', '"');
                 }
                 fclose($fp);
                 header('Content-Encoding: UTF-8');

application/core/LSYii_NoUpdateValidator.php

@@ -26,10 +26,6 @@ class LSYii_NoUpdateValidator extends CValidator
      */
     public function validateAttribute($object, $attribute)
     {
-        if (Yii::app()->user->isScriptUpdateAllowed()) {
-            return;
-        }
-
         if ($object->isNewRecord) {
             $object->$attribute = '';
             return;

application/core/LSYii_Validators.php

@@ -51,7 +51,17 @@ public function __construct()
             return $this->xssfilter = ($this->xssfilter && Yii::app()->getConfig('filterxsshtml'));
         }
         // If run from console there is no user
-        $this->xssfilter = ($this->xssfilter && (($controller = Yii::app()->getController()) !== null && (get_class($controller) !== 'ConsoleApplication' )) && Yii::app()->user->isXssFiltered());
+        $this->xssfilter = (
+            $this->xssfilter && // this
+            (
+                (defined('PHP_ENV') && PHP_ENV == 'test') || // phpunit test : don't check controller
+                (
+                    ($controller = Yii::app()->getController()) !== null && // no controller
+                    (get_class($controller) !== 'ConsoleApplication') // ConsoleApplication
+                )
+            ) &&
+            Yii::app()->user->isXssFiltered() // user
+        );
         return;
     }
 

application/core/QuestionTypes/Date/RenderDate.php

@@ -118,6 +118,10 @@ public function setMaxDate()
         } else {
             $this->maxDate = '2187-12-31'; // Why 2187 ?
         }
+
+        if (!empty($this->maxDate)) {
+            $this->maxDate .= " 23:59:59.999";
+        }
     }
 
     private function getDaySelect($iCurrent)

application/helpers/admin/export/CsvWriter.php

@@ -87,8 +87,6 @@ protected function outputRecord($headers, $values, FormattingOptions $oOptions)
 
     public function close()
     {
-        // Output white line at the end, better for R import
-        echo "\r\n";
         if (!is_null($this->file)) {
             fwrite($this->file, "\r\n");
             fclose($this->file);

application/helpers/expressions/em_manager_helper.php

@@ -3941,14 +3941,8 @@ public function setVariableAndTokenMappingsForExpressionManager($surveyid, $forc
 
             $token = Token::model($surveyid)->findByToken($_SESSION[$this->sessid]['token']);
             if ($token) {
-                $tokenEncryptionOptions = $survey->getTokenEncryptionOptions();
+                $token->decrypt();
                 foreach ($token as $key => $val) {
-                    // Decrypt encrypted token attributes
-                    if (isset($tokenEncryptionOptions['columns'][$key]) && $tokenEncryptionOptions['columns'][$key] === 'Y') {
-                        if (!empty($val)) {
-                            $val = $token->decrypt($val);
-                        }
-                    }
                     $this->knownVars["TOKEN:" . strtoupper((string) $key)] = [
                         'code'      => $anonymized ? '' : $val,
                         'jsName_on' => '',
@@ -5158,7 +5152,16 @@ private function _UpdateValuesInDatabase($finished = false)
                     return;
                 }
                 if ($oResponse->submitdate == null || Survey::model()->findByPk($this->sid)->alloweditaftercompletion == 'Y') {
-                    $oResponse->setAttributes($aResponseAttributes, false);
+                    try {
+                        $oResponse->setAllAttributes($aResponseAttributes, false);
+                    } catch (Exception $ex) {
+                        // This can happen if the table is missing fields. It should never happen, but somehow it does.
+                        submitfailed($ex->getMessage());
+                        if (YII_DEBUG) {
+                            throw $ex;
+                        }
+                        $this->throwFatalError();
+                    }
                     $oResponse->decrypt();
                     if (!$oResponse->encryptSave()) {
                         $message = submitfailed('', print_r($oResponse->getErrors(), true)); // $response->getErrors() is array[string[]], then can not join
@@ -9967,6 +9970,35 @@ public function getUpdatedValues(): array
     {
         return $this->updatedValues;
     }
+
+    /**
+     * Kills the survey session and throws an exception with the specified message.
+     * @param string $message If empty, a default message is used.
+     * @throws Exception
+     */
+    private function throwFatalError($message = null)
+    {
+        if (empty($message)) {
+            $surveyInfo = getSurveyInfo($this->sid, $_SESSION['LEMlang']);
+            if (!empty($surveyInfo['admin'])) {
+                $message = sprintf(
+                    $this->gT("Due to a technical problem, your response could not be saved. Please contact the survey administrator %s (%s) about this problem. You will not be able to proceed with this survey."),
+                    $surveyInfo['admin'],
+                    $surveyInfo['adminemail']
+                );
+            } elseif (!empty(Yii::app()->getConfig("siteadminname"))) {
+                $message = sprintf(
+                    $this->gT("Due to a technical problem, your response could not be saved. Please contact the survey administrator %s (%s) about this problem. You will not be able to proceed with this survey."),
+                    Yii::app()->getConfig("siteadminname"),
+                    Yii::app()->getConfig("siteadminemail")
+                );
+            } else {
+                $message = $this->gT("Due to a technical problem, your response could not be saved. You will not be able to proceed with this survey.");
+            }
+        }
+        killSurveySession($this->sid);
+        throw new Exception($message);
+    }
 }
 
 /**

application/helpers/remotecontrol/remotecontrol_handle.php

@@ -3428,7 +3428,7 @@ public function export_responses($sSessionKey, $iSurveyID, $sDocumentType, $sLan
         if (!tableExists($survey->responsesTableName)) {
             return array('status' => 'No Data, survey table does not exist.');
         }
-        if (!($maxId = SurveyDynamic::model($iSurveyID)->getMaxId())) {
+        if (!($maxId = SurveyDynamic::model($iSurveyID)->getMaxId(null, true))) {
             return array('status' => 'No Data, could not get max id.');
         }
         if (!empty($sLanguageCode) && !in_array($sLanguageCode, $survey->getAllLanguages())) {

application/models/Participant.php

@@ -1912,9 +1912,10 @@ public function copyToCentral($surveyid, $aAttributesToBeCreated, $aMapped, $ove
                 ];
                 $oParticipantAttributeNames = new ParticipantAttributeName();
                 $oParticipantAttributeNames->setAttributes($insertnames, false);
-                $oParticipantAttributeNames->save(false);
+                if (!$oParticipantAttributeNames->save()) {
+                    throw new CHttpException(500, CHtml::errorSummary($oParticipantAttributeNames));
+                }
                 $attid[$key] = $oParticipantAttributeNames->getPrimaryKey();
-
                 $insertnameslang = [
                     'attribute_id'   => $attid[$key],
                     'attribute_name' => urldecode((string) $value),

application/models/ParticipantAttributeName.php

@@ -58,6 +58,7 @@ public function rules()
     {
         // NOTE: you should only define rules for those attributes that will receive user inputs.
         return array(
+            array('core_attribute', 'default', 'value' => 'N'),
             array('defaultname', 'LSYii_FilterValidator', 'filter' => 'strip_tags', 'skipOnEmpty' => true),
             array('attribute_type, visible, encrypted, core_attribute', 'required'),
             array('attribute_type', 'length', 'max' => 4),

application/models/QuestionL10n.php

@@ -76,7 +76,7 @@ public function rules()
             ['qid', 'numerical', 'integerOnly' => true],
             array('question', 'LSYii_Validators'),
             array('help', 'LSYii_Validators'),
-            array('script', 'LSYii_Validators'),
+            array('script', 'safe'),
             array('language', 'length', 'min' => 2, 'max' => 20), // in array languages ?
             /* Add rules for existing unique index : idx1_question_ls ['qid', 'language'] */
             array('qid', 'unique', 'criteria' => array(
@@ -91,6 +91,9 @@ public function rules()
                 ),
             ),
         );
+        if (!Yii::app()->user->isScriptUpdateAllowed()) {
+            $rules[] = array('script', 'LSYii_NoUpdateValidator');
+        }
         return $rules;
     }
 }

application/models/Response.php

@@ -255,4 +255,23 @@ public static function getEncryptedAttributes($surveyid = 0)
         }
         return $aAttributes;
     }
+
+    /**
+     * Set all the specified attributes.
+     * If any attribute doesn't exist in the DB, an Exception is thrown.
+     */
+    public function setAllAttributes($values)
+    {
+        if (!is_array($values)) {
+            return;
+        }
+        $attributes = array_flip($this->attributeNames());
+        foreach ($values as $name => $value) {
+            if (isset($attributes[$name])) {
+                $this->$name = $value;
+            } else {
+                throw new Exception(sprintf("Attribute '%s' not found in the model.", $name));
+            }
+        }
+    }
 }

application/models/Survey.php

@@ -1161,8 +1161,8 @@ public function getRunning()
             $oStop  = new DateTime($sStop);
             $oStart = new DateTime($sStart);
 
-            $bExpired = ($oStop < $oNow);
-            $bWillRun = ($oStart > $oNow);
+            $bExpired = (!is_null($sStop) && $oStop < $oNow);
+            $bWillRun = (!is_null($sStart) && $oStart > $oNow);
 
             $sStop = $sStop != null ? convertToGlobalSettingFormat($sStop) : null;
             $sStart = convertToGlobalSettingFormat($sStart);
@@ -1178,7 +1178,7 @@ public function getRunning()
                 // Expire prior to will start
                 $running = ($bExpired) ? $sIconExpired : $sIconFuture;
             } else {
-                if ($sStop == null) {
+                if (is_null($sStop)) {
                     $running = $sIconRunNoEx;
                 } else {
                     $running = $sIconRunning;

application/models/User.php

@@ -436,8 +436,12 @@ public function getSuperAdmins()
     {
         // TODO should be static
         $criteria = new CDbCriteria();
-        $criteria->join = ' JOIN {{permissions}} AS p ON p.uid = t.uid';
-        $criteria->addCondition('p.permission = \'superadmin\'');
+        /* have read superadmin permissions */
+        $criteria->with = array('permissions');
+        $criteria->compare('permissions.permission', 'superadmin');
+        $criteria->compare('permissions.read_p', '1');
+        /* OR are inside forcedsuperadmin config */
+        $criteria->addInCondition('t.uid', App()->getConfig('forcedsuperadmin'), 'OR');
         /** @var User[] $users */
         $users = $this->findAll($criteria);
         return $users;

application/views/questionAdministration/subquestionRow.twig

@@ -129,21 +129,18 @@
         </div>
     </td>
 
-    {% set relevanceTooltip = supportsRelevance ? gT("Click to expand") : gT("Relevance is not currently supported for columns") %}
-
     <!-- Relevance equation -->
     {% if first and scale_id == 0 %}
         <td class="relevance-equation">
             <input
                 data-bs-toggle="tooltip"
-                data-title="{{ relevanceTooltip }}"
+                data-title="{{ gT("Click to expand") }}"
                 type='text'
                 class='relevance form-control input'
                 id='subquestions[{{ subquestion.qid }}][{{ scale_id }}][relevance]'
                 name='subquestions[{{ subquestion.qid }}][{{ scale_id }}][relevance]'
                 value="{{ subquestion.relevance|escape('html_attr') }}"
                 onkeypress=" if(event.keyCode==13) { if (event && event.preventDefault) event.preventDefault(); document.getElementById('save-button').click(); return false;}"
-                {{ supportsRelevance ? '' : 'readonly="readonly"' }}
             />
         </td>
     {%  else %}

application/views/questionAdministration/subquestions.twig

@@ -3,6 +3,8 @@
 
 {% set first = true %}
 {% set scale_id = 0 %}
+{# TODO: Add question type attribute to indicate if the type supports relevance on subquestions #}
+{% set supportsRelevance = question.questionType.code != 'H' %}
 
 <!-- Loop all language, and then hide all but the current selected one with JS. -->
 {% for lang in allLanguages %}
@@ -28,7 +30,7 @@
             <!-- NB: Both questions and answer options uses class "answertable". -->
             <div class="subquestions-table-wrapper" style="max-height: 414px;">
                 <table
-                    class='answertable subquestions-table table table-responsive'
+                    class='answertable subquestions-table table table-responsive  {{ supportsRelevance ? '' : 'hide-relevance' }}'
                     id='subquestions_{{lang}}_{{scale_id}}'
                     data-scaleid='{{ scale_id }}'
                     data-input-data-id='add-subquestion-input-javascript-datas'
@@ -69,7 +71,6 @@
                                 'subquestionl10n': subquestion.questionl10ns[lang],
                                 'language'  : lang,
                                 'oldCode'   : true,
-                                'supportsRelevance' : question.questionType.code != 'H',
                             } %}
 
                             {% set position = position + 1 %}

application/views/questionAdministration/textElements.php

@@ -135,7 +135,8 @@
                             'data-filetype' => 'javascript',
                             'class' => 'ace form-control',
                             'style' => 'width: 100%',
-                            'data-lang' => "$lang"
+                            'data-lang' => "$lang",
+                            'readonly' => !App()->user->isScriptUpdateAllowed()
                         ]
                     ); ?>
                     <p class="alert well">

assets/admin_themes/adminbasics_temporary/000-lime-admin-common.scss

@@ -3406,3 +3406,9 @@ html[dir="rtl"] th {
     overflow-x: visible;
 }
 
+/** Hide Relevance Equation column for subquestions when not supported */
+.subquestions-table.hide-relevance {
+    #rel-eq-th, td.relevance-equation {
+        display: none;
+    }
+}