Fixed issue #10829: Survey admins presented with inappropriate control

buttons

Dev: Add permission check for edit question.

application/controllers/admin/questiongroups.php

@@ -391,7 +391,7 @@ public function edit($surveyid, $gid)
         $gid = sanitize_int($gid);
         $aViewUrls = $aData = array();
 
-        if (Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'read'))
+        if (Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'update'))
         {
             Yii::app()->session['FileManagerContext'] = "edit:group:{$surveyid}";
 

application/controllers/admin/questions.php

@@ -861,6 +861,12 @@ public function _editsubquestion($surveyid, $gid, $qid)
      */
     public function newquestion($surveyid)
     {
+        if (!Permission::model()->hasSurveyPermission($surveyid,'surveycontent','create'))
+        {
+            Yii::app()->user->setFlash('error', gT("Access denied"));
+            $this->getController()->redirect(Yii::app()->request->urlReferrer);
+        }
+
         Yii::app()->loadHelper('admin/htmleditor');
         $surveyid = $iSurveyID = $aData['surveyid'] = sanitize_int($surveyid);
         App()->getClientScript()->registerPackage('qTip2');
@@ -1031,6 +1037,13 @@ public function index($sa, $surveyid, $gid, $qid=null)
             // Prepare selector Mode TODO: with and without image
             if (!$adding)
             {
+                // Abort if user lacks edit permission
+                if (!Permission::model()->hasSurveyPermission($surveyid,'surveycontent','edit'))
+                {
+                    Yii::app()->user->setFlash('error', gT("Access denied"));
+                    $this->getController()->redirect(Yii::app()->request->urlReferrer);
+                }
+
                 Yii::app()->session['FileManagerContext'] = "edit:question:{$surveyid}";
                 $aData['display']['menu_bars']['qid_action'] = 'editquestion';