Actions

Translations

Global settings/32/en: Difference between revisions

From LimeSurvey Manual

(Importing a new version from external source)
(Importing a new version from external source)
Line 1: Line 1:
*'''Disable question script for XSS restricted user''' {{NewIn|4.1.0}}: Set to 'on' by default, this mean simple user can not add or update scripts in question editor. they can see it but don't update it. If you disable XSS protection : then this settings are not used. If you set it to 'off', then even with XSS filtering active : any user can add or update script in question.
*'''Disable question script for XSS restricted user''' {{NewIn|4.1.0}}: Set to 'on' by default, this mean simple user cannot add or update scripts in question editor. they can see it but don't update it. If you disable XSS protection, then this setting is not used. If you set it to 'off', then even with XSS filtering active, any user can add or update the script in question.
*'''Group member can only see own group''': By default, non-admin users defined in the LimeSurvey management interface will only be able to see other users only if they belong to at least one common group. If the administrator sets this to 'No', then the users can see all the users defined in the LimeSurvey [[Manage users|User Control panel]], regardless of the group they belong to
*'''Group member can only see own group''': By default, non-admin users defined in the LimeSurvey management interface will only be able to see other users if they belong to at least one common group. If the administrator sets this to 'No', then the users can see all the users defined in the LimeSurvey [[Manage users|User Control panel]], regardless of the group they belong to
*'''IFrame embedding allowed''': This option can be used to indicate whether or not a browser should be allowed to render the survey page in a <frame>, <iframe> or <object>. You can use this to avoid clickjacking attacks, by ensuring that your survey is not embedded into other sites. If you set it to 'Allow' (the default value), there is no restriction. Setting this to 'Same origin' will make the content to be loaded only if the survey runs on the same domain and port as the including <frame>, <iframe> or <object>
*'''IFrame embedding allowed''': This option can be used to indicate whether a browser should be allowed to render the survey page in a <frame>, <iframe> or <object>. You can use this to avoid clickjacking attacks, by ensuring that your survey is not embedded into other sites. If you set it to 'Allow' (the default value), there is no restriction. Setting this to 'Same origin' will make the content to be loaded only if the survey runs on the same domain and port as the including <frame>, <iframe> or <object>
{{Alert|title=Attention|text=You need to update config.php file to really allow cookies to be used in iframe. See [[Optional_settings#Allow_usage_of_session_and_Csrf_Validation_in_iFrame_.28New_in_3.24.3_.29|Allow usage of session and Csrf Validation in iFrame]]}}
{{Alert|title=Attention|text=You need to update config.php file to really allow cookies to be used in iframe. See [[Optional_settings#Allow_usage_of_session_and_Csrf_Validation_in_iFrame_.28New_in_3.24.3_.29|Allow usage of session and CSRF Validation in iFrame]]}}
{{Hint|Text=Theoretically, it is working. However, this function might not work when it is enabled because it heavily depends on the used web browser and whether it allows iframes or not.}}   
{{Hint|Text=Theoretically, it is working. However, this function might not work when it is enabled because it heavily depends on the used web browser and whether it allows iframes or not.}}   
*'''Force HTTPS''': This is set by default to "Don't force on/off". Switch the setting to "On" to force the connection to use HTTPS
*'''Force HTTPS''': This is set by default to "Don't force on/off". Switch the setting to "On" to force the connection to use HTTPS
{{Alert|title=Attention|text=If your server doesn't support HTTPS properly, you can lock yourself from the system! Therefore, click on the '''"check if this link works"''' located below the option. If the link does not work and you turn on HTTPS, LimeSurvey will break and you won't be able to access it.}}  
{{Alert|title=Attention|text=If your server doesn't support HTTPS properly, you can lock yourself from the system! Therefore, click on the '''"check if this link works"''' located below the option. If the link does not work and you turn on HTTPS, LimeSurvey will break and you won't be able to access it.}}  
{{Hint|Text=If you activate HTTPS by mistake, you can deactivate it in application/config/config.php file, changing the value of  ssl_emergency_override to 1.}}
{{Hint|Text=If you activate HTTPS mistakenly, you can deactivate it in application/config/config.php file, changing the value of  ssl_emergency_override to 1.}}
*'''IP whitelist for login or token access''': This option can be used to exclude specific IPs from "max login attempts" checks done on the login screen as well as on the token access screen, so requests from those IPs are not blocked.
*'''IP whitelist for login or token access''': This option can be used to exclude specific IPs from "max login attempts" checks done on the login screen as well as on the token access screen, so requests from those IPs are not blocked.

Revision as of 01:13, 31 January 2023

Message definition (Global settings)
*'''Disable question script for XSS restricted user''' {{NewIn|4.1.0}}: Set to 'on' by default, this mean simple user cannot add or update scripts in question editor. they can see it but don't update it. If you disable XSS protection, then this setting is not used. If you set it to 'off', then even with XSS filtering active, any user can add or update the script in question.
*'''Group member can only see own group''': By default, non-admin users defined in the LimeSurvey management interface will only be able to see other users if they belong to at least one common group. If the administrator sets this to 'No', then the users can see all the users defined in the LimeSurvey [[Manage users|User Control panel]], regardless of the group they belong to
*'''IFrame embedding allowed''': This option can be used to indicate whether a browser should be allowed to render the survey page in a <frame>, <iframe> or <object>. You can use this to avoid clickjacking attacks, by ensuring that your survey is not embedded into other sites. If you set it to 'Allow' (the default value), there is no restriction. Setting this to 'Same origin' will make the content to be loaded only if the survey runs on the same domain and port as the including <frame>, <iframe> or <object>
{{Alert|title=Attention|text=You need to update config.php file to really allow cookies to be used in iframe. See [[Optional_settings#Allow_usage_of_session_and_Csrf_Validation_in_iFrame_.28New_in_3.24.3_.29|Allow usage of session and CSRF Validation in iFrame]]}}
{{Hint|Text=When set to Same Origin : LimeSurvey add header<code>X-Frame-Options: SAMEORIGIN</code>, else LimeSurvey don't add any X-Frame-Options. You can restrict yourself X-Frame-Options with server settings. [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options More information on X-Frame-Options] }}
{{Hint|Text=Theoretically, it is working. However, this function might not work when it is enabled because it heavily depends on the used web browser and whether it allows iframes or not. Some server configuration restrict iframe embedded by default. }}  
*'''Force HTTPS''': This is set by default to "Don't force on/off". Switch the setting to "On" to force the connection to use HTTPS
{{Alert|title=Attention|text=If your server doesn't support HTTPS properly, you can lock yourself from the system! Therefore, click on the '''"check if this link works"''' located below the option. If the link does not work and you turn on HTTPS, LimeSurvey will break and you won't be able to access it.}} 
{{Hint|Text=If you activate HTTPS mistakenly, you can deactivate it in application/config/config.php file, changing the value of  ssl_emergency_override to 1.}}
*'''IP whitelist for login or token access''': This option can be used to exclude specific IPs from "max login attempts" checks done on the login screen as well as on the token access screen, so requests from those IPs are not blocked.
  • Disable question script for XSS restricted user (New in 4.1.0 ): Set to 'on' by default, this mean simple user cannot add or update scripts in question editor. they can see it but don't update it. If you disable XSS protection, then this setting is not used. If you set it to 'off', then even with XSS filtering active, any user can add or update the script in question.
  • Group member can only see own group: By default, non-admin users defined in the LimeSurvey management interface will only be able to see other users if they belong to at least one common group. If the administrator sets this to 'No', then the users can see all the users defined in the LimeSurvey User Control panel, regardless of the group they belong to
  • IFrame embedding allowed: This option can be used to indicate whether a browser should be allowed to render the survey page in a <frame>, <iframe> or <object>. You can use this to avoid clickjacking attacks, by ensuring that your survey is not embedded into other sites. If you set it to 'Allow' (the default value), there is no restriction. Setting this to 'Same origin' will make the content to be loaded only if the survey runs on the same domain and port as the including <frame>, <iframe> or <object>
  Attention : You need to update config.php file to really allow cookies to be used in iframe. See Allow usage of session and CSRF Validation in iFrame


 Hint: Theoretically, it is working. However, this function might not work when it is enabled because it heavily depends on the used web browser and whether it allows iframes or not.
  • Force HTTPS: This is set by default to "Don't force on/off". Switch the setting to "On" to force the connection to use HTTPS
  Attention : If your server doesn't support HTTPS properly, you can lock yourself from the system! Therefore, click on the "check if this link works" located below the option. If the link does not work and you turn on HTTPS, LimeSurvey will break and you won't be able to access it.


 Hint: If you activate HTTPS mistakenly, you can deactivate it in application/config/config.php file, changing the value of ssl_emergency_override to 1.
  • IP whitelist for login or token access: This option can be used to exclude specific IPs from "max login attempts" checks done on the login screen as well as on the token access screen, so requests from those IPs are not blocked.
Retrieved from "http://manual.limesurvey.org/index.php?title=Translations:Global_settings/32/en&oldid=175674"