From ec54b9f36973f18d4d8753ef024c41c8fc71b3f8 Mon Sep 17 00:00:00 2001
From: Olle Haerstedt
Date: Fri, 15 Apr 2016 11:48:47 +0200
Subject: [PATCH] Fixed issue #10829: Survey admins presented with inappropriate control buttons
Dev: Add permission check for edit question.
---
 application/controllers/admin/questiongroups.php | 2 +-
 application/controllers/admin/questions.php | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/application/controllers/admin/questiongroups.php b/application/controllers/admin/questiongroups.php
index 495da541260..974c56d2515 100644
--- a/application/controllers/admin/questiongroups.php
+++ b/application/controllers/admin/questiongroups.php
@@ -391,7 +391,7 @@ public function edit($surveyid, $gid)
 $gid = sanitize_int($gid);
 $aViewUrls = $aData = array();
- if (Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'read'))
+ if (Permission::model()->hasSurveyPermission($surveyid, 'surveycontent', 'update'))
 {
 Yii::app()->session['FileManagerContext'] = "edit:group:{$surveyid}";
diff --git a/application/controllers/admin/questions.php b/application/controllers/admin/questions.php
index c05ed2a1d75..73dd6e556a7 100644
--- a/application/controllers/admin/questions.php
+++ b/application/controllers/admin/questions.php
@@ -861,6 +861,12 @@ public function _editsubquestion($surveyid, $gid, $qid)
 */
 public function newquestion($surveyid)
 {
+ if (!Permission::model()->hasSurveyPermission($surveyid,'surveycontent','create'))
+ {
+ Yii::app()->user->setFlash('error', gT("Access denied"));
+ $this->getController()->redirect(Yii::app()->request->urlReferrer);
+ }
+
 Yii::app()->loadHelper('admin/htmleditor');
 $surveyid = $iSurveyID = $aData['surveyid'] = sanitize_int($surveyid);
 App()->getClientScript()->registerPackage('qTip2');
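Review bot: The new guard in newquestion() hands the raw `$surveyid` to hasSurveyPermission one line before `sanitize_int($surveyid)` normalises it, and on denial it redirects to `Yii::app()->request->urlReferrer`, a client-supplied value that is null when the request carries no Referer header, so a direct hit on the URL by an unauthorised user is sent to an empty location. I would move the sanitising assignment ahead of the check and give the redirect a server-chosen fallback, e.g. `$this->getController()->redirect(Yii::app()->request->urlReferrer ?: $fallbackUrl);` where `$fallbackUrl` is the survey's own admin page. The same flash-and-redirect block is repeated verbatim in the index() hunk of this file; a small private helper in the controller would keep the two denials in step. newquestion() continues past the end of this hunk.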
@@ -1031,6 +1037,13 @@ public function index($sa, $surveyid, $gid, $qid=null)
 // Prepare selector Mode TODO: with and without image
 if (!$adding)
 {
+ // Abort if user lacks edit permission
+ if (!Permission::model()->hasSurveyPermission($surveyid,'surveycontent','edit'))
+ {
+ Yii::app()->user->setFlash('error', gT("Access denied"));
+ $this->getController()->redirect(Yii::app()->request->urlReferrer);
+ }
+
 Yii::app()->session['FileManagerContext'] = "edit:question:{$surveyid}";
 $aData['display']['menu_bars']['qid_action'] = 'editquestion';
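Review bot: The added check in index() passes `'edit'` as the CRUD argument to hasSurveyPermission, while the questiongroups.php hunk in this same patch uses `'update'` for the equivalent group-edit action and the newquestion() hunk uses `'create'`. If the Permission model only recognises the create/read/update/delete vocabulary, `'edit'` would never match and every user, including those with full rights, would hit the "Access denied" flash when editing a question; the value should be `'update'`: `if (!Permission::model()->hasSurveyPermission($surveyid,'surveycontent','update'))`. The comment above it could then read `// Abort if user lacks surveycontent update permission` so the verb matches the call. index() begins before this hunk and continues after it.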