Fixed issue #3588: User with survey right 'Browse responses' can dele…

…te/modify saved answers

git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey@7535 b72ed6b6-b9f8-46b5-92b4-906544132732

admin/dataentry.php

@@ -63,6 +63,7 @@
 
 $dateformatdetails=getDateFormatData($_SESSION['dateformat']);
 $language = GetBaseLanguageFromSurveyID($surveyid);
+$surveyinfo=getSurveyInfo($surveyid);
 
 $actsurquery = "SELECT browse_response FROM ".db_table_name("surveys_rights")." WHERE sid=$surveyid AND uid = ".$_SESSION['loginID']; //Getting rights for this survey
 $actsurresult = db_execute_assoc($actsurquery) or safe_die($connect->ErrorMsg());
@@ -792,8 +793,16 @@
 		."<table width='99%' align='center' style='border: 1px solid #555555' cellpadding='1' cellspacing='0'>\n"
 		."\t<tr><td colspan='2' height='4'><strong>"
 		.$clang->gT("Data Entry")."</strong></td></tr>\n"
-		."\t<tr><td style='border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #555555' colspan='2' align='center'><strong>"
-		.sprintf($clang->gT("Editing response (ID %s)"),$id)."</strong></td></tr>\n"
+		."\t<tr><td style='border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: #555555' colspan='2' align='center'><strong>";
+        if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1  || $surveyinfo['owner_id'] == $_SESSION['loginID']) 
+        {
+            $dataentryoutput .= sprintf($clang->gT("Editing response (ID %s)"),$id);
+        }      
+        else
+        {
+            $dataentryoutput .= sprintf($clang->gT("Viewing response (ID %s)"),$id);
+        }
+		$dataentryoutput .="</strong></td></tr>\n"
 		."\t<tr><td colspan='2' height='1'></td></tr>\n";
 
 		foreach ($results as $idrow)
@@ -1535,7 +1544,15 @@
 		}
 		$dataentryoutput .= "</table>\n"
 		."<table width='99%' align='center' style='border: 1px solid #555555' cellpadding='1' cellspacing='0'>\n";
-		if ($subaction == "edit")
+        if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1  && $surveyinfo['owner_id'] != $_SESSION['loginID']) 
+        { // if you are not survey owner or super admin you cannot modify responses
+            $dataentryoutput .= "    <tr>
+                        <td align='center'>
+                         <input type='button' value='".$clang->gT("Save")."' disabled='disabled'/>
+                        </td>
+                    </tr>\n";
+        }
+		elseif ($subaction == "edit")
 		{
 			$dataentryoutput .= "	<tr>
 						<td align='center'>
@@ -1613,6 +1630,11 @@ function saveshow(value)
 
 	elseif ($subaction == "update")
 	{
+         if ($_SESSION['USER_RIGHT_SUPERADMIN'] != 1  && $surveyinfo['owner_id'] != $_SESSION['loginID']) 
+         {
+             safe_die('You are not allowed to update an existing answer.');
+         }
+
 		$baselang = GetBaseLanguageFromSurveyID($surveyid);
 		$dataentryoutput .= "<table width='450' align='center' style='border: 1px solid #555555' cellpadding='1' cellspacing='0'>\n"
 		."\t<tr><td colspan='2' height='4'><strong>"

admin/html.php

@@ -695,11 +695,7 @@
 		}
 		else
 		{
-            $surveysummary .= "<a href=\"#\""
-            . "onmouseout=\"hideTooltip()\" "
-            . "title=\"".$clang->gTview("Disabled - Change Group Order")."\" "
-            . "onmouseover=\"showTooltip(event,'".$clang->gT("Change Group Order", "js")." (".$clang->gT("disabled", "js").")"."');return false\">"
-            . "<img src='$imagefiles/reorder_disabled.png' title='' alt='".$clang->gT("Change Group Order")." (".$clang->gT("disabled").")"."' name='ordergroups' /></a>";
+            $surveysummary .= "<img src='$imagefiles/blank.gif' alt='' width='40' />";
 		}
 
 		if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1 || $sumrows5['export'])

admin/saved.php

@@ -71,7 +71,7 @@
 
 function showSavedList($surveyid)
 {
-	global $dbprefix, $connect, $clang, $savedsurveyoutput, $scriptname, $surveytable;
+	global $dbprefix, $connect, $clang, $savedsurveyoutput, $scriptname, $surveytable, $surrows;
 	$query = "SELECT scid, srid, identifier, ip, saved_date, email, access_code\n"
 	."FROM {$dbprefix}saved_control\n"
 	."WHERE sid=$surveyid\n"
@@ -95,12 +95,23 @@ function showSavedList($surveyid)
 				<td>".$row['ip']."</td>
 				<td>".$row['saved_date']."</td>
 				<td><a href='mailto:".$row['email']."'>".$row['email']."</td>
-				<td align='center'>
-				[<a href='$scriptname?action=saved&amp;sid=$surveyid&amp;subaction=delete&amp;scid=".$row['scid']."&amp;srid=".$row['srid']."'"
-			." onclick='return confirm(\"".$clang->gT("Are you sure you want to delete this entry?","js")."\")'"
-			.">".$clang->gT("Delete")."</a>]
-				[<a href='".$scriptname."?action=dataentry&amp;subaction=edit&amp;id=".$row['srid']."&amp;sid={$surveyid}&amp;surveytable={$surveytable}'>".$clang->gT("Edit")."</a>]
-				</td>
+				<td align='center'>";
+
+                if (($surrows['delete_survey'] || $_SESSION['USER_RIGHT_SUPERADMIN'] == 1))
+                {
+
+                    $savedsurveyoutput .=  "[<a href='$scriptname?action=saved&amp;sid=$surveyid&amp;subaction=delete&amp;scid=".$row['scid']."&amp;srid=".$row['srid']."'"
+                                            ." onclick='return confirm(\"".$clang->gT("Are you sure you want to delete this entry?","js")."\")'"
+                                            .">".$clang->gT("Delete")."</a>]";
+                    $savedsurveyoutput .=  "[<a href='".$scriptname."?action=dataentry&amp;subaction=edit&amp;id=".$row['srid']."&amp;sid={$surveyid}&amp;surveytable={$surveytable}'>".$clang->gT("Edit")."</a>]";
+                }   
+                else
+                {
+                    $savedsurveyoutput .=  "[<a href='".$scriptname."?action=dataentry&amp;subaction=edit&amp;id=".$row['srid']."&amp;sid={$surveyid}&amp;surveytable={$surveytable}'>".$clang->gT("View")."</a>]";
+
+                }
+
+				$savedsurveyoutput .="</td>
 			   </tr>\n";
 		} // while
 		$savedsurveyoutput .= "</table><br />&nbsp\n";

qanda.php

@@ -3743,6 +3743,7 @@ function do_numerical($ia)
 // ---------------------------------------------------------------
 function do_shortfreetext($ia)
 {
+	global $clang;
 	$qidattributes=getQuestionAttributes($ia[0]);
 	if ($maxchars=arraySearchByKey('maximum_chars', $qidattributes, 'attribute', 1))
 	{
@@ -3792,7 +3793,8 @@ function do_shortfreetext($ia)
 // ---------------------------------------------------------------
 function do_longfreetext($ia)
 {
-	$qidattributes=getQuestionAttributes($ia[0]);
+	global $clang;
+   	$qidattributes=getQuestionAttributes($ia[0]);
 	if ($maxchars=arraySearchByKey('maximum_chars', $qidattributes, 'attribute', 1))
 	{
 		$maxsize=$maxchars['value'];