Fixed issue: On group/question preview a PHP error is thrown if the q…

…id/gid is invalid
LimeSurvey · May 15, 2024 · 6a4b289 · 6a4b289
1 parent 8e8dde9
commit 6a4b289
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/application/controllers/SurveysController.php b/application/controllers/SurveysController.php
@@ -126,7 +126,7 @@ public function spitOutHtmlError(array $error, $surveyId)
                 /* CRSF issue */
                 $title = gT('400: Bad Request');
                 $message = gT('The request could not be understood by the server due to malformed syntax.')
-                    . gT('Please do not repeat the request without modifications.');
+                    . ' ' . gT('Please do not repeat the request without modifications.');
                 break;
             case '401':
                 $title = gT('401: Unauthorized');
@@ -156,7 +156,9 @@ public function spitOutHtmlError(array $error, $surveyId)
         }
         $aError['type'] = $error['code'];
         $aError['error'] = $title;
-        $aError['title'] = nl2br(CHtml::encode($error['message']) ?? '');
+        if (!empty($error['message'])) {
+            $aError['title'] = ' - ' . nl2br(CHtml::encode($error['message']) ?? '');   
+        }
         $aError['message'] = $message;
         $aError['contact'] = $contact;
 

diff --git a/application/controllers/survey/SurveyIndex.php b/application/controllers/survey/SurveyIndex.php
@@ -106,8 +106,18 @@ public function action()
                 throw new CHttpException(401, $message);
             } else {
                 killSurveySession($surveyid);
-                if ((intval($param['qid']) && $param['action'] == 'previewquestion')) {
+                // Check if group exists
+                $arGroup = QuestionGroup::model()->findByPk(intval($param['gid']));
+                if (empty($arGroup)) {
+                    throw new CHttpException(400, gT("Invalid group ID"));
+                }
+                if ($param['action'] == 'previewquestion') {
                     $previewmode = 'question';
+                    // Check if question exists
+                    $arQuestion = Question::model()->findByPk(intval($param['qid']));
+                    if (empty($arQuestion)) {
+                        throw new CHttpException(400, gT("Invalid question ID"));
+                    }
                 }
                 if ((intval($param['gid']) && $param['action'] == 'previewgroup')) {
                     $previewmode = 'group';
@@ -649,7 +659,7 @@ public function action()
     private function getParameters($args = array(), $post = array())
     {
         $param = array();
-        if (@$args[0] == __CLASS__) {
+        if (isset($args[0]) && $args[0] == __CLASS__) {
             array_shift($args);
         }
         $iArgCount = count($args);

diff --git a/application/core/SurveyCommonAction.php b/application/core/SurveyCommonAction.php
@@ -162,7 +162,7 @@ private function addPseudoParams($params)
         if (!empty($params['iGroupId'])) {
             if ((string) (int) $params['iGroupId'] !== (string) $params['iGroupId']) {
                 // pgsql need filtering before find
-                throw new CHttpException(403, gT("Invalid group id"));
+                throw new CHttpException(403, gT("Invalid group ID"));
             }
             $oGroup = QuestionGroup::model()->find("gid=:gid", array(":gid" => $params['iGroupId'])); //Move this in model to use cache
             if (!$oGroup) {