[WIP] Fixed issue #15224: newQuestionAttributes deprecated : need a replacer #1370

Closed
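--- a/application/config/config-defaults.php
+++ b/application/config/config-defaults.php
@@ -237,6 +237,12 @@
 // allow these users to be able to use Javascript etc. .
 $config['filterxsshtml'] = true;
 
+// disablescriptwithxss
+// Allow update of script in question
+// true : Default : follow XSS rules
+// false : allowed for all
+$config['disablescriptwithxss'] = true;
+
 // usercontrolSameGroupPolicy
 // If this option is set to true, then limesurvey operators will only 'see'
 // users that belong to at least one of their groups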
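Review bot: The comment block above `$config['disablescriptwithxss']` does not state the security consequence of `false`, and its second line ("Allow update of script in question") reads as the opposite of the setting's name. I would spell out both values, for example `// true (default): users subject to XSS filtering cannot edit the question script` and `// false: any user who can edit a question may store JavaScript in it (stored XSS risk)`, which matches the warning text this change adds to the security settings view. The defaults file is where an administrator looks up a setting before overriding it, so the risk of turning it off belongs here.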
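--- a/application/core/LSWebUser.php
+++ b/application/core/LSWebUser.php
@@ -133,6 +133,9 @@ public function isXssFiltered()
 // Permission::model exist only after 172 DB version
 return Yii::app()->getConfig('filterxsshtml');
 }
+if (!Yii::app()->getConfig('disablescriptwithxss')) {
+return true;
+}
 if (Yii::app()->getConfig('filterxsshtml')) {
 return !\Permission::model()->hasGlobalPermission('superadmin', 'read');
 }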
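Review bot: The added guard `if (!Yii::app()->getConfig('disablescriptwithxss')) { return true; }` looks inverted against the setting's own documentation in config-defaults.php, where `false` means script is "allowed for all". With the option off, isXssFiltered() reports every user as filtered, and it returns before the superadmin exemption on the following lines is reached. Judging by its name, this method is the general XSS-filter check, so if other callers use it for HTML input, the question-script option would change filtering well beyond the script field. If only the script field is meant to be gated, a separate method called from the script-editing code would leave this check untouched; if the early return stays, it needs a comment stating the intended result for each combination of the two settings. The start of isXssFiltered() is outside the hunk.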
7 changes: 4 additions & 3 deletions application/models/Question.php
@@ -292,14 +292,16 @@ public function getAdvancedSettingsWithValues($iQuestionID, $sQuestionType, $iSu
$aLanguages = array($sLanguage);
}
$aAttributeValues = QuestionAttribute::model()->getQuestionAttributes($iQuestionID, $sLanguage);

// TODO: move getQuestionAttributesSettings() to QuestionAttribute model to avoid code duplication
$aAttributeNames = QuestionAttribute::getQuestionAttributesSettings($sQuestionType);

// If the question has a custom template, we first check if it provides custom attributes

$oQuestion = Question::model()->find(array('condition'=>'qid=:qid', 'params'=>array(':qid'=>$iQuestionID)));
$aAttributeNames = self::getQuestionTemplateAttributes($aAttributeNames, $aAttributeValues, $oQuestion);

// Add the questions attributes by plugins
$aAttributeNames = array_merge($aAttributeNames, QuestionAttribute::getQuestionAttributesPlugins($sQuestionType));
Contributor


Why can't this line be removed if getQuestionAttributesPlugins is already called in getQuestionAttributes above?

Collaborator Author


One time for definition, one time for values …



uasort($aAttributeNames, 'categorySort');
foreach ($aAttributeNames as $iKey => $aAttribute) {
if ($aAttribute['i18n'] == false) {
@@ -318,7 +320,6 @@ public function getAdvancedSettingsWithValues($iQuestionID, $sQuestionType, $iSu
}
}
}

return $aAttributeNames;
}

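Review bot: `array_merge($aAttributeNames, QuestionAttribute::getQuestionAttributesPlugins($sQuestionType))` lets a plugin-supplied attribute silently replace a core or question-theme definition of the same name, because with string keys the later array wins. If core definitions are meant to take precedence, the union operator keeps them: `$aAttributeNames = $aAttributeNames + QuestionAttribute::getQuestionAttributesPlugins($sQuestionType);`. If overriding is intended, a comment saying so would prevent a later "fix". This assumes `$aAttributeNames` is keyed by attribute name, as the plugin array is; the function starts before the hunk and part of its body is collapsed, so that should be confirmed.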
31 changes: 28 additions & 3 deletions application/models/QuestionAttribute.php
@@ -233,9 +233,11 @@ public function getQuestionAttributes($iQuestionID, $sLanguage = null)
if ($sType == null) {
throw new \CException("Question is corrupt: no type defined for question ".$iQuestionID);
}

/* default attributes */
$aAttributeNames = self::getQuestionAttributesSettings($sType);

/* LACK of question theme attributes */
/* plugins attributes */
$aAttributeNames = array_merge($aAttributeNames, self::getQuestionAttributesPlugins($sQuestionType));
/* Get whole existing attribute for this question in an array*/
$oAttributeValues = self::model()->findAll("qid=:qid", array('qid'=>$iQuestionID));

@@ -274,7 +276,7 @@ public function getQuestionAttributes($iQuestionID, $sLanguage = null)
if (isset($aAttributeValues[$aAttribute['name']][''])) {
$aQuestionAttributes[$aAttribute['name']] = $aAttributeValues[$aAttribute['name']][''];
} elseif (isset($aAttributeValues[$aAttribute['name']])) {
/* Some survey have language is set for attribute without language (see #11980). This must fix for public survey and not only for admin. */
/* Some survey have language is set for attribute without language (see #11980). This must fix for public survey and not only for admin. */
$aQuestionAttributes[$aAttribute['name']] = reset($aAttributeValues[$aAttribute['name']]);
} else {
$aQuestionAttributes[$aAttribute['name']] = $aAttribute['default'];
@@ -416,6 +418,29 @@ public static function getQuestionAttributesSettings($sType)
return self::$questionAttributesSettings[$sType];
}

/**
* Return the question attributes definition by question type
* @param $sType: type of question
* @return array : the attribute settings for this question type
*/
public static function getQuestionAttributesPlugins($sType)
{
$event = new \LimeSurvey\PluginManager\PluginEvent('getQuestionAttributes');
$event->set('type',$sType);
App()->getPluginManager()->dispatchEvent($event);
$questionAttributesPlugins = (array) $event->get('questionAttributes');

foreach ($questionAttributesPlugins as $attribute => $settings) {
$questionAttributesPlugins[$attribute] = array_merge(
QuestionAttribute::getDefaultSettings(),
array("category"=>gT("Plugins")),
$settings,
array("name"=>$attribute),
);
}
return $questionAttributesPlugins;
}

/**
* Read question attributes from XML file and convert it to array
*
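Review bot: In the first hunk the new call `self::getQuestionAttributesPlugins($sQuestionType)` uses a variable that is not a parameter of getQuestionAttributes($iQuestionID, $sLanguage) and is not assigned in the visible lines; the surrounding code uses `$sType`. As written, the plugin event would likely receive null as its type, so the line should read `$aAttributeNames = array_merge($aAttributeNames, self::getQuestionAttributesPlugins($sType));`. In the new getQuestionAttributesPlugins(), the trailing comma after `array("name"=>$attribute)` inside the array_merge() call is a parse error on PHP versions before 7.3, if the project still supports them. `$settings` is also merged without checking that the plugin supplied an array, which an `is_array($settings)` guard before the merge would cover. getQuestionAttributes() begins and ends outside the hunks shown.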
30 changes: 24 additions & 6 deletions application/views/admin/globalsettings/_security.php
@@ -11,7 +11,7 @@
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'surveyPreview_require_Auth',
'id'=>'surveyPreview_require_Auth',
'value' => getGlobalSetting('surveyPreview_require_Auth'),
'value' => Yii::app()->getConfig('surveyPreview_require_Auth'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')));
?>
@@ -24,24 +24,42 @@
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'filterxsshtml',
'id'=>'filterxsshtml',
'value' => getGlobalSetting('filterxsshtml'),
'value' => Yii::app()->getConfig('filterxsshtml'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')
));
?>
</div>
<div class="help-block">
<span class='text-success'><?php eT("Note: XSS filtering is always disabled for the superadministrator."); ?></span>
</div>
</div>

<div class="form-group">
<label class=" control-label" for='disablescriptwithxss'><?php eT("Disable question script for XSS restricted user:"); ?></label>
<div class="">
<span class='hint'><?php eT("Note: XSS filtering is always disabled for the superadministrator."); ?></span>
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'filterxsshtml',
'id'=>'filterxsshtml',
'value' => Yii::app()->getConfig('disablescriptwithxss'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')
));
?>
</div>
<div class="help-block">
<span class='text-warning'><?php eT("If you disable this option : user with XSS restriction still can add script. This allow user to add cross-site scripting javascript system."); ?></span>
</div>
</div>


<div class="form-group">
<label class=" control-label" for='usercontrolSameGroupPolicy'><?php eT("Group member can only see own group:"); ?></label>
<div class="">
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'usercontrolSameGroupPolicy',
'id'=>'usercontrolSameGroupPolicy',
'value' => getGlobalSetting('usercontrolSameGroupPolicy'),
'value' => Yii::app()->getConfig('usercontrolSameGroupPolicy'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')));
?>
@@ -57,7 +75,7 @@
<div class="">
<?php $this->widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array(
'name' => 'x_frame_options',
'value'=> getGlobalSetting('x_frame_options'),
'value'=> Yii::app()->getConfig('x_frame_options'),
'selectOptions'=>array(
"allow"=>gT("Allow",'unescaped'),
"sameorigin"=>gT("Same origin",'unescaped')
@@ -75,7 +93,7 @@
<div class="">
<?php $this->widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array(
'name' => 'force_ssl',
'value'=> getGlobalSetting('force_ssl'),
'value'=> Yii::app()->getConfig('force_ssl'),
'selectOptions'=>array(
"on"=>gT("On",'unescaped'),
"off"=>gT("Off",'unescaped')
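Review bot: The new switch for "Disable question script for XSS restricted user" is declared with `'name' => 'filterxsshtml'` and `'id'=>'filterxsshtml'`, the same as the XSS-filter switch above it, while its label points at `for='disablescriptwithxss'`. The form would then submit two fields named filterxsshtml and none named disablescriptwithxss, so this toggle could silently change the XSS filter setting instead of the one it displays. The duplicate id also breaks the label association. The widget should use `'name' => 'disablescriptwithxss',` and `'id'=>'disablescriptwithxss',`. No change that stores the new setting on submit is visible on this page, which is worth confirming before relying on the switch.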