=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/user/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/user/UserController.java 2012-03-22 14:59:55 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/user/UserController.java 2012-03-28 07:18:05 +0000
@@ -27,12 +27,6 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-import java.io.InputStream;
-import java.util.ArrayList;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.hisp.dhis.api.utils.IdentifiableObjectParams;
 import org.hisp.dhis.api.utils.WebLinkPopulator;
 import org.hisp.dhis.user.User;
@@ -49,6 +43,11 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseStatus;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.InputStream;
+import java.util.ArrayList;
+
 /**
 * @author Morten Olav Hansen
 */
@@ -66,6 +65,7 @@
 //-------------------------------------------------------------------------------------------------------
 @RequestMapping( method = RequestMethod.GET )
+ @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-user')" )
 public String getUsers( IdentifiableObjectParams params, Model model, HttpServletRequest request )
 {
 Users users = new Users();
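Review bot: The `@PreAuthorize` added above `getUsers` (and the identical annotations on `getUser`, `getUserGroups` and `getUserGroup`) only takes effect if pre/post method-security annotations are enabled in the application context that creates these controllers. Nothing in this diff shows that configuration, and where it is missing Spring ignores the annotation without an error, so the endpoints would stay as open as they were before the commit. None of the visible import hunks adds `PreAuthorize`, so presumably it was already imported in both files. I would document the dependency next to the annotation, e.g. `// Requires pre-post method security to be enabled in the context that loads this controller.`, and add a request-level test asserting that a principal holding neither authority is denied on all four GET handlers. The body of `getUsers` continues outside the hunk.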
@@ -83,6 +83,7 @@
 }
 @RequestMapping( value = "/{uid}", method = RequestMethod.GET )
+ @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-user')" )
 public String getUser( @PathVariable( "uid" ) String uid, IdentifiableObjectParams params, Model model, HttpServletRequest request )
 {
 User user = userService.getUser( uid );
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/user/UserGroupController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/user/UserGroupController.java 2012-03-22 14:59:55 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/user/UserGroupController.java 2012-03-28 07:18:05 +0000
@@ -65,6 +65,7 @@
 //-------------------------------------------------------------------------------------------------------
 @RequestMapping( method = RequestMethod.GET )
+ @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-user')" )
 public String getUserGroups( IdentifiableObjectParams params, Model model, HttpServletRequest request )
 {
 UserGroups userGroups = new UserGroups();
@@ -82,6 +83,7 @@
 }
 @RequestMapping( value = "/{uid}", method = RequestMethod.GET )
+ @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-user')" )
 public String getUserGroup( @PathVariable( "uid" ) String uid, IdentifiableObjectParams params, Model model, HttpServletRequest request )
 {
 UserGroup userGroup = userGroupService.getUserGroup( uid );
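Review bot: The access rule on `getUser` is the same bare string literal that is repeated on `getUsers` and on both `UserGroupController` handlers, so a typo or a later policy change in one copy is not caught by the compiler and can leave one read endpoint with a different rule from the others. I would hold it in one shared constant, e.g. `public static final String CAN_READ_USERS = "hasRole('ALL') or hasRole('M_dhis-web-maintenance-user')";`, and annotate each handler with `@PreAuthorize( CAN_READ_USERS )`. Since `ALL` and `M_dhis-web-maintenance-user` look like authority names rather than `ROLE_`-prefixed roles, `hasAuthority(...)` would state the intent more exactly and would not depend on how the Spring Security version in use treats role prefixes. The handler bodies continue outside these hunks, so whether the returned user and group representations need field-level filtering cannot be judged from here.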