=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java	2013-01-18 12:58:45 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java	2013-01-18 14:03:55 +0000
@@ -143,7 +143,12 @@
 
         Sharing sharing = JacksonUtils.fromJson( request.getInputStream(), Sharing.class );
 
-        object.setPublicAccess( sharing.getObject().getPublicAccess() );
+        // just ignore publicAccess if user is not allowed to make objects public, this should be hidden
+        // in the UI.
+        if ( SharingUtils.canCreatePublic( currentUserService.getCurrentUser(), object ) )
+        {
+            object.setPublicAccess( sharing.getObject().getPublicAccess() );
+        }
 
         if ( object.getUser() == null )
         {
@@ -179,7 +184,7 @@
         manager.update( object );
     }
 
-    @RequestMapping(value = "/search", produces = { "application/json", "text/*" })
+    @RequestMapping( value = "/search", produces = { "application/json", "text/*" } )
     public void searchUserGroups( @RequestParam String key, HttpServletResponse response ) throws IOException
     {
         SharingUserGroups sharingUserGroups = new SharingUserGroups();