Fixed issue #18674: Simple user can update javascript when scripts ar…

…e disabled
LimeSurvey · Mar 24, 2023 · f2fce14 · f2fce14
1 parent e4b4a76
commit f2fce14
Show file tree

Hide file tree

Showing 8 changed files with 935 additions and 9 deletions.
diff --git a/application/core/LSYii_NoUpdateValidator.php b/application/core/LSYii_NoUpdateValidator.php
@@ -26,10 +26,6 @@ class LSYii_NoUpdateValidator extends CValidator
      */
     public function validateAttribute($object, $attribute)
     {
-        if (Yii::app()->user->isScriptUpdateAllowed()) {
-            return;
-        }
-
         if ($object->isNewRecord) {
             $object->$attribute = '';
             return;

diff --git a/application/core/LSYii_Validators.php b/application/core/LSYii_Validators.php
@@ -51,7 +51,17 @@ public function __construct()
             return $this->xssfilter = ($this->xssfilter && Yii::app()->getConfig('filterxsshtml'));
         }
         // If run from console there is no user
-        $this->xssfilter = ($this->xssfilter && (($controller = Yii::app()->getController()) !== null && (get_class($controller) !== 'ConsoleApplication' )) && Yii::app()->user->isXssFiltered());
+        $this->xssfilter = (
+            $this->xssfilter && // this
+            (
+                (defined('PHP_ENV') && PHP_ENV == 'test') || // phpunit test : don't check controller
+                (
+                    ($controller = Yii::app()->getController()) !== null && // no controller
+                    (get_class($controller) !== 'ConsoleApplication') // ConsoleApplication
+                )
+            ) &&
+            Yii::app()->user->isXssFiltered() // user
+        );
         return;
     }
 

diff --git a/application/models/QuestionL10n.php b/application/models/QuestionL10n.php
@@ -76,7 +76,7 @@ public function rules()
             ['qid', 'numerical', 'integerOnly' => true],
             array('question', 'LSYii_Validators'),
             array('help', 'LSYii_Validators'),
-            array('script', 'LSYii_Validators'),
+            array('script', 'safe'),
             array('language', 'length', 'min' => 2, 'max' => 20), // in array languages ?
             /* Add rules for existing unique index : idx1_question_ls ['qid', 'language'] */
             array('qid', 'unique', 'criteria' => array(
@@ -91,6 +91,9 @@ public function rules()
                 ),
             ),
         );
+        if (!Yii::app()->user->isScriptUpdateAllowed()) {
+            $rules[] = array('script', 'LSYii_NoUpdateValidator');
+        }
         return $rules;
     }
 }
diff --git a/application/views/questionAdministration/textElements.php b/application/views/questionAdministration/textElements.php
@@ -129,7 +129,8 @@
                             'data-filetype' => 'javascript',
                             'class' => 'ace form-control',
                             'style' => 'width: 100%',
-                            'data-lang' => "$lang"
+                            'data-lang' => "$lang",
+                            'readonly' => !App()->user->isScriptUpdateAllowed()
                         ]
                     ); ?>
                     <p class="alert well">

diff --git a/tests/TestBaseClass.php b/tests/TestBaseClass.php
@@ -62,11 +62,12 @@ public static function setUpBeforeClass(): void
 
     /**
      * @param string $fileName
+     * @param integer $asuser
      * @return void
      */
-    protected static function importSurvey($fileName)
+    protected static function importSurvey($fileName, $asuser = 1)
     {
-        \Yii::app()->session['loginID'] = 1;
+        \Yii::app()->session['loginID'] = $asuser;
         $surveyFile = $fileName;
         if (!file_exists($surveyFile)) {
             throw new Exception(sprintf('Survey file %s not found', $surveyFile));