=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java 2012-09-03 19:53:34 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java 2012-10-31 05:41:46 +0000 @@ -53,6 +53,11 @@ { public static final String AUTHORITY_ALL = "ALL"; + public static final String[] CRITICAL_AUTHS = { "ALL", "F_SCHEDULING_ADMIN", + "F_PERFORM_MAINTENANCE", "F_MERGE_ORGANISATION_UNITS", "F_ELIMINATE_DUPLICATE_DATA_ELEMENTS", + "F_ARCHIVE_DATA", "F_SQLVIEW_MANAGEMENT", "F_SYSTEM_SETTING", + "F_USERROLE_LIST", "F_USERROLE_DELETE", "F_USERROLE_ADD", "F_USERROLE_UPDATE" }; + /** * Required and unique. */ === modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java 2012-10-29 14:34:57 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java 2012-10-31 05:41:46 +0000 @@ -129,6 +129,19 @@ return authorities; } + + /** + * Tests whether this user credentials has any of the authorities in the + * given set. + * + * @param auths the authorities to compare with. + * @return true or false. + */ + public boolean hasAnyAuthority( Collection auths ) + { + Set all = new HashSet( getAllAuthorities() ); + return all.removeAll( auths ); + } /** * Indicates whether this user credentials is a super user, implying that the === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2012-10-30 15:04:28 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2012-10-31 05:41:46 +0000 @@ -27,6 +27,7 @@ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +import java.util.Arrays; import java.util.Calendar; import java.util.Date; import java.util.HashMap; @@ -43,6 +44,7 @@ import org.hisp.dhis.system.util.ValidationUtils; import org.hisp.dhis.system.velocity.VelocityManager; import org.hisp.dhis.user.User; +import org.hisp.dhis.user.UserAuthorityGroup; import org.hisp.dhis.user.UserCredentials; import org.hisp.dhis.user.UserService; @@ -122,7 +124,11 @@ return false; } - // TODO deny restore if credentials contain certain authorities + if ( credentials.hasAnyAuthority( Arrays.asList( UserAuthorityGroup.CRITICAL_AUTHS ) ) ) + { + log.info( "Not allowed to recover credentials with critical authorities" ); + return false; + } String[] result = initRestore( credentials ); === modified file 'dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm' --- dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm 2012-10-30 14:13:06 +0000 +++ dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm 2012-10-31 05:41:46 +0000 @@ -40,7 +40,7 @@ === modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml' --- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml 2012-10-22 18:48:19 +0000 +++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml 2012-10-31 05:41:46 +0000 @@ -27,6 +27,7 @@ /dhis-web-commons/ajax/jsonResponseSuccess.vm plainTextError + F_SYSTEM_SETTING @@ -42,6 +43,7 @@ /dhis-web-commons/ajax/jsonResponseSuccess.vm plainTextError + F_SYSTEM_SETTING @@ -57,6 +59,7 @@ /dhis-web-commons/ajax/jsonResponseSuccess.vm plainTextError + F_SYSTEM_SETTING @@ -72,6 +75,7 @@ /dhis-web-commons/ajax/jsonResponseSuccess.vm plainTextError + F_SYSTEM_SETTING === modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java' --- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2012-10-17 19:06:30 +0000 +++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2012-10-31 05:41:46 +0000 @@ -180,6 +180,8 @@ UserCredentials currentUserCredentials = currentUserService.getCurrentUser() != null ? currentUserService .getCurrentUser().getUserCredentials() : null; + // TODO check permissions + // --------------------------------------------------------------------- // Prepare values // ---------------------------------------------------------------------