From 45a2f4463b859ae6758bb65dd90519b16ab8a9cd Mon Sep 17 00:00:00 2001 From: Denis Chenu Date: Thu, 16 Jan 2020 18:11:05 +0100 Subject: [PATCH 1/3] Fixed issue #15224: newQuestionAttributes deprecated : need a replacer --- application/models/Question.php | 6 +++--- application/models/QuestionAttribute.php | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/application/models/Question.php b/application/models/Question.php index ed0d312baa9..4d7827637e4 100644 --- a/application/models/Question.php +++ b/application/models/Question.php @@ -296,10 +296,11 @@ public function getAdvancedSettingsWithValues($iQuestionID, $sQuestionType, $iSu $aAttributeNames = QuestionAttribute::getQuestionAttributesSettings($sQuestionType); // If the question has a custom template, we first check if it provides custom attributes - $oQuestion = Question::model()->find(array('condition'=>'qid=:qid', 'params'=>array(':qid'=>$iQuestionID))); $aAttributeNames = self::getQuestionTemplateAttributes($aAttributeNames, $aAttributeValues, $oQuestion); - + // Add the questions attributes by plugins + $aAttributeNames = array_merge($aAttributeNames, QuestionAttribute::getQuestionAttributesSettings($sQuestionType)); + uasort($aAttributeNames, 'categorySort'); foreach ($aAttributeNames as $iKey => $aAttribute) { if ($aAttribute['i18n'] == false) { @@ -318,7 +319,6 @@ public function getAdvancedSettingsWithValues($iQuestionID, $sQuestionType, $iSu } } } - return $aAttributeNames; } diff --git a/application/models/QuestionAttribute.php b/application/models/QuestionAttribute.php index cac3933b580..5acb995cadf 100644 --- a/application/models/QuestionAttribute.php +++ b/application/models/QuestionAttribute.php 
@@ -416,6 +416,29 @@ public static function getQuestionAttributesSettings($sType) return self::$questionAttributesSettings[$sType]; } + /** + * Return the question attributes definition by question type + * @param $sType: type of question + * @return array : the attribute settings for this question type + */ + public static function getQuestionAttributesPlugins($sType) + { + $event = new \LimeSurvey\PluginManager\PluginEvent('getQuestionAttributes'); + $event->set('type',$sType); + App()->getPluginManager()->dispatchEvent($event); + $questionAttributesPlugins = (array) $event->get('questionAttributes'); + + foreach ($questionAttributesPlugins as $attribute => $settings) { + $questionAttributesPlugins[$attribute] = array_merge( + QuestionAttribute::getDefaultSettings(), + array("category"=>gT("Plugins")), + $settings, + array("name"=>$attribute), + ); + } + return $questionAttributesPlugins; + } + /** * Read question attributes from XML file and convert it to array * From ca0a410701cceda7764a1e593c0b6db5b55e93fd Mon Sep 17 00:00:00 2001 From: Denis Chenu Date: Thu, 16 Jan 2020 19:15:49 +0100 Subject: [PATCH 2/3] Fixed issue #15224: newQuestionAttributes deprecated : create getQuestionAttributes Dev: still issue with options->option-> --- application/models/Question.php | 3 ++- application/models/QuestionAttribute.php | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/application/models/Question.php b/application/models/Question.php index 4d7827637e4..d913f3dc231 100644 --- a/application/models/Question.php +++ b/application/models/Question.php 
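Review bot: The new getQuestionAttributesPlugins() passes each plugin-supplied `$settings` straight into array_merge() without checking that it is an array, so a single plugin answering the getQuestionAttributes event with a scalar or null breaks attribute loading for every question of that type (a TypeError on PHP 8, a warning plus a null entry on PHP 7). Normalising the value first, e.g. `$settings = (array) $settings;` as the first statement of the foreach body, keeps one misbehaving plugin from taking the whole settings path down. The docblock was copied from getQuestionAttributesSettings() and does not say where the data comes from; I would write it as `@param string $sType question type code` and `@return array<string, array> attribute definitions contributed by plugins through the getQuestionAttributes event, keyed by attribute name; plugin values override the defaults and the "Plugins" category, the name is always forced`. The trailing comma inside the array_merge() argument list is only accepted from PHP 7.3, so drop it if the project still supports older releases.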
@@ -292,6 +292,7 @@ public function getAdvancedSettingsWithValues($iQuestionID, $sQuestionType, $iSu $aLanguages = array($sLanguage); } $aAttributeValues = QuestionAttribute::model()->getQuestionAttributes($iQuestionID, $sLanguage); + // TODO: move getQuestionAttributesSettings() to QuestionAttribute model to avoid code duplication $aAttributeNames = QuestionAttribute::getQuestionAttributesSettings($sQuestionType); @@ -299,7 +300,7 @@ public function getAdvancedSettingsWithValues($iQuestionID, $sQuestionType, $iSu $oQuestion = Question::model()->find(array('condition'=>'qid=:qid', 'params'=>array(':qid'=>$iQuestionID))); $aAttributeNames = self::getQuestionTemplateAttributes($aAttributeNames, $aAttributeValues, $oQuestion); // Add the questions attributes by plugins - $aAttributeNames = array_merge($aAttributeNames, QuestionAttribute::getQuestionAttributesSettings($sQuestionType)); + $aAttributeNames = array_merge($aAttributeNames, QuestionAttribute::getQuestionAttributesPlugins($sQuestionType)); uasort($aAttributeNames, 'categorySort'); foreach ($aAttributeNames as $iKey => $aAttribute) { diff --git a/application/models/QuestionAttribute.php b/application/models/QuestionAttribute.php index 5acb995cadf..52fbdd64b7b 100644 --- a/application/models/QuestionAttribute.php +++ b/application/models/QuestionAttribute.php @@ -233,9 +233,11 @@ public function getQuestionAttributes($iQuestionID, $sLanguage = null) if ($sType == null) { throw new \CException("Question is corrupt: no type defined for question ".$iQuestionID); } - + /* default attributes */ $aAttributeNames = self::getQuestionAttributesSettings($sType); - + /* LACK of question theme attributes */ + /* plugins attributes */ + $aAttributeNames = array_merge($aAttributeNames, self::getQuestionAttributesPlugins($sQuestionType)); /* Get whole existing attribute for this question in an array*/ $oAttributeValues = self::model()->findAll("qid=:qid", array('qid'=>$iQuestionID)); 
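Review bot: In the getQuestionAttributes() hunk of QuestionAttribute.php, `self::getQuestionAttributesPlugins($sQuestionType)` uses a variable that does not exist in this method; the surrounding lines read the type as `$sType` (`if ($sType == null)`, `getQuestionAttributesSettings($sType)`), so PHP raises an undefined-variable notice and the plugins are asked for attributes of type null. The line should be `$aAttributeNames = array_merge($aAttributeNames, self::getQuestionAttributesPlugins($sType));`. The two Question.php hunks of the same commit are fine on this point, because there `$sQuestionType` is a parameter of getAdvancedSettingsWithValues(). getQuestionAttributes() starts and ends outside the hunk, so I could not rule out another assignment, but nothing visible defines `$sQuestionType`.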
@@ -274,7 +276,7 @@ public function getQuestionAttributes($iQuestionID, $sLanguage = null) if (isset($aAttributeValues[$aAttribute['name']][''])) { $aQuestionAttributes[$aAttribute['name']] = $aAttributeValues[$aAttribute['name']]['']; } elseif (isset($aAttributeValues[$aAttribute['name']])) { -/* Some survey have language is set for attribute without language (see #11980). This must fix for public survey and not only for admin. */ + /* Some survey have language is set for attribute without language (see #11980). This must fix for public survey and not only for admin. */ $aQuestionAttributes[$aAttribute['name']] = reset($aAttributeValues[$aAttribute['name']]); } else { $aQuestionAttributes[$aAttribute['name']] = $aAttribute['default']; From c67aeddb1bb4d6132ea1c310df6278ba654b3912 Mon Sep 17 00:00:00 2001 From: Denis Chenu Date: Fri, 17 Jan 2020 17:40:45 +0100 Subject: [PATCH 3/3] New feature #15693: Global setting to allow script edition Dev: add and use the settings Dev: have a GUI, usage of text-success for XSS for superadmin --- application/config/config-defaults.php | 6 ++++ application/core/LSWebUser.php | 3 ++ .../views/admin/globalsettings/_security.php | 30 +++++++++++++++---- 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php index 44faa16cb01..ba3da499925 100644 --- a/application/config/config-defaults.php +++ b/application/config/config-defaults.php @@ -237,6 +237,12 @@ // allow these users to be able to use Javascript etc. . $config['filterxsshtml'] = true; +// disablescriptwithxss +// Allow update of script in question +// true : Default : follow XSS rules +// false : allowed for all +$config['disablescriptwithxss'] = true; + // usercontrolSameGroupPolicy // If this option is set to true, then limesurvey operators will only 'see' // users that belong to at least one of their groups 
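Review bot: The comment above the new `disablescriptwithxss` default in config-defaults.php explains an "allow" feature through a flag named "disable", and `true : Default : follow XSS rules` / `false : allowed for all` does not say what is allowed to whom, which matters for a switch that changes who may put script into questions. I would replace the three comment lines with `// disablescriptwithxss` / `// true (default): the question script field follows the XSS filter rules` / `// false: the script field is not bound to the XSS filter; see LSWebUser::isXssFiltered() for the effect on filtering`. That "allowed for all" means every user may edit scripts is my reading of the commit title and should be confirmed against the code that consumes the setting.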
diff --git a/application/core/LSWebUser.php b/application/core/LSWebUser.php index 054022c1ff0..7ca2ef65b63 100644 --- a/application/core/LSWebUser.php +++ b/application/core/LSWebUser.php @@ -133,6 +133,9 @@ public function isXssFiltered() // Permission::model exist only after 172 DB version return Yii::app()->getConfig('filterxsshtml'); } + if (!Yii::app()->getConfig('disablescriptwithxss')) { + return true; + } if (Yii::app()->getConfig('filterxsshtml')) { return !\Permission::model()->hasGlobalPermission('superadmin', 'read'); } diff --git a/application/views/admin/globalsettings/_security.php b/application/views/admin/globalsettings/_security.php index f485a91e3c3..dd72f7480ff 100644 --- a/application/views/admin/globalsettings/_security.php +++ b/application/views/admin/globalsettings/_security.php @@ -11,7 +11,7 @@ widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'surveyPreview_require_Auth', 'id'=>'surveyPreview_require_Auth', - 'value' => getGlobalSetting('surveyPreview_require_Auth'), + 'value' => Yii::app()->getConfig('surveyPreview_require_Auth'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off'))); ?> @@ -24,24 +24,42 @@ widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'filterxsshtml', 'id'=>'filterxsshtml', - 'value' => getGlobalSetting('filterxsshtml'), + 'value' => Yii::app()->getConfig('filterxsshtml'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off') )); ?> +
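Review bot: The early `return true` added to isXssFiltered() runs before the `filterxsshtml` check, so with `filterxsshtml` off and `disablescriptwithxss` off the method now reports every user as XSS-filtered even though the global filter is disabled. If the intent is only to stop superadmins from bypassing the filter while script editing is open to everyone, the condition should be `if (Yii::app()->getConfig('filterxsshtml') && !Yii::app()->getConfig('disablescriptwithxss')) {` so that `filterxsshtml` keeps the last word. Either way a one-line comment naming the case this branch covers would help, e.g. `// Script edition is decoupled from the XSS filter: nobody, superadmin included, is exempt from filtering`. isXssFiltered() ends outside the hunk, so the fallback return value is assumed rather than seen.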
+ +
+ + +
+
- + widget('yiiwheels.widgets.switch.WhSwitch', array( + 'name' => 'filterxsshtml', + 'id'=>'filterxsshtml', + 'value' => Yii::app()->getConfig('disablescriptwithxss'), + 'onLabel'=>gT('On'), + 'offLabel' => gT('Off') + )); + ?> +
+
+
+
widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'usercontrolSameGroupPolicy', 'id'=>'usercontrolSameGroupPolicy', - 'value' => getGlobalSetting('usercontrolSameGroupPolicy'), + 'value' => Yii::app()->getConfig('usercontrolSameGroupPolicy'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off'))); ?> @@ -57,7 +75,7 @@
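Review bot: The new WhSwitch for the script setting reuses `'name' => 'filterxsshtml'` and `'id'=>'filterxsshtml'` from the switch above it while reading its value from `disablescriptwithxss`, so the form posts two fields named filterxsshtml and none named disablescriptwithxss. If the global-settings action stores posted fields by name, as the sibling switches suggest, the new toggle is never saved and its position overwrites the global XSS-filter setting instead, so an administrator who only meant to open script editing could silently switch XSS filtering off; the duplicate id also breaks the widget's JavaScript binding. The two lines should read `'name' => 'disablescriptwithxss',` and `'id'=>'disablescriptwithxss',`. The surrounding markup of this hunk was lost in extraction, so the label and help text could not be checked.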
widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array( 'name' => 'x_frame_options', - 'value'=> getGlobalSetting('x_frame_options'), + 'value'=> Yii::app()->getConfig('x_frame_options'), 'selectOptions'=>array( "allow"=>gT("Allow",'unescaped'), "sameorigin"=>gT("Same origin",'unescaped') @@ -75,7 +93,7 @@
widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array( 'name' => 'force_ssl', - 'value'=> getGlobalSetting('force_ssl'), + 'value'=> Yii::app()->getConfig('force_ssl'), 'selectOptions'=>array( "on"=>gT("On",'unescaped'), "off"=>gT("Off",'unescaped')