Hello,
We have carried out intrusion tests to see what could be improved on our installations.
No critical points (LimeSurvey is well done), but some weaknesses on points that can be reported to the community and which cause problems.
1. Password management for backup.
It would be necessary to plan (in the core, a plugin, or an extension of the existing plugin) to apply the same level of complexity to the password entered when saving the current questionnaire.
2. Questionnaires on the public page
Despite using the inheritance of a questionnaire theme template, with the access control set to No, users can modify it and choose Yes. If we choose to hide the display of the questionnaire list page, by displaying the source code we can see the questionnaire numbers.
We can execute an SQL query to reset the value to No for all questionnaires.
If the structure that uses LimeSurvey wants to block publication on the public page, it is currently not possible to do so without resorting to an SQL query, hiding the button (code modification), or modifying a custom theme to remove the display of the list (commenting out the Twig code).
A plugin could be created, or an option in the administration part.
3. Files that should not be present on a production server
Some files that are related to tests, present in LimeSurvey, should not be present in the production environment (even if access is prohibited through the file permissions). There are also readme files that could be removed. This is the version downloaded from the site community.limesurvey.org/ (not the Git one) ==> I would report a bug.
Would it be possible to have, in the installation wiki, a list of files that should not be present in the front office?
Examples of files and instructions:
- limesurvey/docs/swagger/
- limesurvey/modules/admin/HelloWord
There are surely others, but I don't know them all.
4. Comfort of super admins
Depending on the context in which LimeSurvey is used, to guarantee more security for its operation (companies, state organizations, associations, individuals, etc.), it is sometimes necessary to block certain very useful functions that cannot be adapted to the context (e.g. sensitive site: no external files).
More generally, certain options as superadmin to "block" some functions to avoid bad manipulation by questionnaire managers.
Examples of functions:
- block the possibility of uploading files (the file upload question)
- block the use of the image, video and network modules in KCFinder, except for a group of users.
Also to add:
User group management, with a supervisor.
We could give the supervisor rights on files, for example, or an entire group. Currently this is not possible.
Also think about "mass" operations on users (e.g. management of expiration dates (previous request)).
So what can we do?
Feature requests?
Bug reports?
Plugins?
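Point 3 above asks for a list of files that should not be deployed to production. Until such a list exists in the wiki, a pre-deployment check can at least enforce the paths named in the post. The script below is an added example, not part of the post or of LimeSurvey's own tooling: it reports (and, with `--remove`, deletes) the two paths the post names relative to the install root, and refuses to delete anything unless the root contains `index.php` and an `application/` directory (an assumption about the LimeSurvey layout, used as a guard against running it on the wrong directory). Extend `UNWANTED_PATHS` as more test or documentation paths are identified.

```shell
#!/bin/sh
# Pre-deployment hygiene check for a LimeSurvey web root.
# Added example (not LimeSurvey's own code). Paths come from the post above;
# add more as you find them. Paths must not contain whitespace.
set -u

# Paths relative to the install root that should not exist in production.
UNWANTED_PATHS="docs/swagger modules/admin/HelloWord"

# check_unwanted ROOT
#   Prints every unwanted path that exists under ROOT, one per line.
#   Returns 1 if at least one was found, 0 if the root is clean.
check_unwanted() {
    root="$1"
    found=0
    for rel in $UNWANTED_PATHS; do
        if [ -e "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            found=1
        fi
    done
    return "$found"
}

# remove_unwanted ROOT
#   Deletes every unwanted path under ROOT. Refuses (exit 2) unless ROOT
#   looks like a LimeSurvey install: index.php plus application/ at the top
#   level (assumed layout), so a typo in ROOT cannot wipe an unrelated tree.
remove_unwanted() {
    root="$1"
    if [ -z "$root" ] || [ ! -f "$root/index.php" ] || [ ! -d "$root/application" ]; then
        echo "refusing: '$root' does not look like a LimeSurvey install root" >&2
        return 2
    fi
    for rel in $UNWANTED_PATHS; do
        if [ -e "$root/$rel" ]; then
            rm -rf -- "$root/$rel"
            echo "removed $root/$rel"
        fi
    done
    return 0
}

# Usage: sh check_limesurvey_root.sh /var/www/limesurvey [--remove]
if [ -n "${1:-}" ]; then
    case "${2:-}" in
        --remove) remove_unwanted "$1" ;;
        *)        check_unwanted "$1" && echo "no unwanted paths found under $1" ;;
    esac
fi
```

Run it in report mode as part of the deployment pipeline and fail the deploy when it returns 1; run it with `--remove` only against a freshly unpacked release directory, before it is copied into the web root.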