Fixed issue #10059: Error with answer table with limited user rights

Fixed issue : token still visible is user have limited right in view response id
Dev: Test update too

application/controllers/admin/dataentry.php

@@ -500,13 +500,15 @@ public function editdata($subaction, $id, $surveyid, $language='')
                 $ipaddr=$fnrow['ipaddr'];
             } // Get table output into array
 
-
             // Perform a case insensitive natural sort on group name then question title of a multidimensional array
             // $fnames = (Field Name in Survey Table, Short Title of Question, Question Type, Field Name, Question Code, Predetermined Answer if exist)
 
             $fnames['completed'] = array('fieldname'=>"completed", 'question'=>gT("Completed"), 'type'=>'completed');
 
             $fnames=array_merge($fnames,createFieldMap($surveyid,'full',false,false,$sDataEntryLanguage));
+            // Fix private if disallowed to view token
+            if(!Permission::model()->hasSurveyPermission($surveyid,'tokens','read'))
+                unset($fnames['token']);
             $nfncount = count($fnames)-1;
 
             //SHOW INDIVIDUAL RECORD
@@ -592,7 +594,6 @@ public function editdata($subaction, $id, $surveyid, $language='')
                     $nfncount--;
                 }
             }
-
             $aDataentryoutput = '';
             foreach ($results as $idrow)
             {
@@ -1279,7 +1280,15 @@ public function editdata($subaction, $id, $surveyid, $language='')
                             $fname=prev($fnames);
                             $aDataentryoutput .= "</table>\n";
                             break;
-                        default: //This really only applies to tokens for non-private surveys
+                        case "token":
+                            if(Permission::model()->hasSurveyPermission($surveyid,'tokens','update'))
+                                $aDataentryoutput .= CHtml::textField($fname['fieldname'],$idrow[$fname['fieldname']]);
+                            else
+                                $aDataentryoutput .= CHtml::textField($fname['fieldname'],$idrow[$fname['fieldname']],array('disabled'=>'disabled'));
+                            break;
+                        case "submitdate":
+                        case "startlanguage":
+                        default:
                             $aDataentryoutput .= "\t<input type='text' name='{$fname['fieldname']}' value='"
                             .$idrow[$fname['fieldname']] . "' />\n";
                             break;
@@ -1375,7 +1384,11 @@ public function update()
             $aDataentryoutput = "<div class='header ui-widget-header'>".gT("Data entry")."</div>\n";
 
             $fieldmap = createFieldMap($surveyid,'full',false,false,getBaseLanguageFromSurveyID($surveyid));
-
+            // restet token if user is not allowed to update 
+            if(!Permission::model()->hasSurveyPermission($surveyid,'tokens','update')) // If not allowed to read: remove it
+            {
+                unset($fieldmap['token']);
+            }
             // unset timings
             foreach ($fieldmap as $fname)
             {
@@ -1504,7 +1517,7 @@ public function insert()
                 $lastanswfortoken = ''; // check if a previous answer has been submitted or saved
                 $rlanguage = '';
 
-                if (isset($_POST['token']))
+                if (Yii::app()->request->getPost('token') && Permission::model()->hasSurveyPermission($surveyid,'tokens','update'))
                 {
                     $tokencompleted = "";
                     $tcquery = "SELECT completed from {{tokens_{$surveyid}}} WHERE token=".dbQuoteAll($_POST['token']);
@@ -1865,8 +1878,6 @@ public function view($surveyid, $lang=NULL)
 
         if (Permission::model()->hasSurveyPermission($surveyid, 'responses', 'create'))
         {
-
-
             $sDataEntryLanguage = Survey::model()->findByPk($surveyid)->language;
             $surveyinfo=getSurveyInfo($surveyid);
 

application/controllers/admin/responses.php

@@ -118,9 +118,14 @@ public function view($iSurveyID, $iId, $sBrowseLang = '')
 
             $fncount = 0;
             $fieldmap = createFieldMap($iSurveyID, 'full', false, false, $aData['language']);
-
+            $bHaveToken=$aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID);// Boolean : show (or not) the token
+            if(!Permission::model()->hasSurveyPermission($iSurveyID,'tokens','read')) // If not allowed to read: remove it
+            {
+                unset($fieldmap['token']);
+                $bHaveToken=false;
+            }
             //add token to top of list if survey is not private
-            if ($aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID) && Permission::model()->hasSurveyPermission($iSurveyID,'tokens','read'))
+            if ($bHaveToken)
             {
                 $fnames[] = array("token", gT("Token ID"), 'code'=>'token');
                 $fnames[] = array("firstname", gT("First name"), 'code'=>'firstname');// or token:firstname ?
@@ -193,7 +198,7 @@ public function view($iSurveyID, $iId, $sBrowseLang = '')
                 $oPurifier=new CHtmlPurifier();
                 //SHOW INDIVIDUAL RECORD
                 $oCriteria = new CDbCriteria();
-                if ($aData['surveyinfo']['anonymized'] == 'N' && tableExists("{{tokens_$iSurveyID}}}") && Permission::model()->hasSurveyPermission($iSurveyID,'tokens','read'))
+                if ($bHaveToken)
                 {
                     $oCriteria = SurveyDynamic::model($iSurveyID)->addTokenCriteria($oCriteria);
                 }
@@ -342,6 +347,7 @@ function browse($iSurveyId)
         App()->getClientScript()->registerScriptFile(Yii::app()->getConfig('adminscripts') . "listresponse.js");
 
         $aData = $this->_getData($iSurveyId);
+        $bHaveToken=$aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyID) && Permission::model()->hasSurveyPermission($iSurveyID,'tokens','read');// Boolean : show (or not) the token
         extract($aData);
         $aViewUrls = array();
         $sBrowseLanguage = $aData['language'];
@@ -428,7 +434,7 @@ function browse($iSurveyId)
             $defaultSearch['completed']="";
         }
         //add token to top of list if survey is not private
-        if ($aData['surveyinfo']['anonymized'] == "N" && tableExists('tokens_' . $iSurveyId)) //add token to top of list if survey is not private
+        if ($bHaveToken) 
         {
             $column_model[] = array(
                 'name'=>'token',
@@ -652,7 +658,7 @@ public function getResponses_json($iSurveyID)
         // Old behaviour : ajax default request from jqgrid need sort / rows (limit) / page (start) / sidx for order by : use javacript log please ....
         $oCriteria = new CDbCriteria;
         //Create the query
-        if ($aData['surveyinfo']['anonymized'] == "N" && tableExists("{{tokens_{$iSurveyID}}}") && Permission::model()->hasSurveyPermission($iSurveyID,'tokens','read'))
+        if ($bHaveToken)
         {
             $oCriteria = SurveyDynamic::model($iSurveyID)->addTokenCriteria($oCriteria);
             $aSpecificColumns=array_merge($aSpecificColumns,TokenDynamic::model($iSurveyID)->getTableSchema()->getColumnNames());