=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java 2012-12-10 12:34:13 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java 2012-12-10 13:53:34 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.hierarchy.HierarchyViolationException;
 import org.hisp.dhis.organisationunit.OrganisationUnit;
 import org.hisp.dhis.organisationunit.OrganisationUnitService;
+import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.web.webapi.v1.domain.Facilities;
 import org.hisp.dhis.web.webapi.v1.domain.Facility;
 import org.hisp.dhis.web.webapi.v1.utils.ValidationUtils;
@@ -46,6 +47,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.*;
@@ -66,6 +68,7 @@
 */
 @Controller( value = "facility-controller-" + FredController.PREFIX )
 @RequestMapping( FacilityController.RESOURCE_PATH )
+@PreAuthorize( "hasRole('M_dhis-web-api-fred') or hasRole('ALL')" )
 public class FacilityController
 {
 public static final String RESOURCE_PATH = "/" + FredController.PREFIX + "/facilities";
@@ -77,6 +80,9 @@
 private DataSetService dataSetService;
 @Autowired
+ private CurrentUserService currentUserService;
+
+ @Autowired
 private ConversionService conversionService;
 @Autowired
@@ -101,6 +107,8 @@
 facilities.getFacilities().add( facility );
 }
+ setAccessRights( model );
+
 model.addAttribute( "esc", StringEscapeUtils.class );
 model.addAttribute( "entity", facilities );
 model.addAttribute( "baseUrl", linkTo( FredController.class ).toString() );
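Review bot: The class-level `@PreAuthorize( "hasRole('M_dhis-web-api-fred') or hasRole('ALL')" )` added at `@@ -66,6 +68,7 @@` is only enforced if pre/post annotations are enabled in the same application context that creates this controller; when they are enabled only in a parent context, the annotation is silently ignored on `@Controller` beans. The webapi-fred.xml change in this commit is not readable on this page, so I cannot confirm where method security is switched on. I would add a comment above the annotation, `// enforced by global-method-security (pre-post-annotations) declared in the context that loads this controller`, and a test that an authenticated user holding neither authority is refused on a GET of the facilities resource. The same applies to the class-level annotations added to FacilityServiceController and FredController.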
@@ -117,6 +125,8 @@
 Facility facility = conversionService.convert( organisationUnit, Facility.class );
+ setAccessRights( model );
+
 model.addAttribute( "esc", StringEscapeUtils.class );
 model.addAttribute( "entity", facility );
 model.addAttribute( "baseUrl", linkTo( FredController.class ).toString() );
@@ -126,11 +136,22 @@
 return FredController.PREFIX + "/layout";
 }
+ private void setAccessRights( Model model )
+ {
+ Set authorities = currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities();
+
+ model.addAttribute( "canCreate", authorities.contains( "F_FRED_CREATE" ) || currentUserService.currentUserIsSuper() );
+ model.addAttribute( "canRead", authorities.contains( "M-dhis-web-api-fred" ) || currentUserService.currentUserIsSuper() );
+ model.addAttribute( "canUpdate", authorities.contains( "F_FRED_UPDATE" ) || currentUserService.currentUserIsSuper() );
+ model.addAttribute( "canDelete", authorities.contains( "F_FRED_DELETE" ) || currentUserService.currentUserIsSuper() );
+ }
+
 //--------------------------------------------------------------------------
 // POST JSON
 //--------------------------------------------------------------------------
 @RequestMapping( value = "", method = RequestMethod.POST )
+ @PreAuthorize( "hasRole('F_FRED_CREATE') or hasRole('ALL')" )
 public ResponseEntity createFacility( @RequestBody Facility facility ) throws IOException
 {
 Set> constraintViolations = validator.validate( facility, Default.class, Create.class );
@@ -164,6 +185,7 @@
 //--------------------------------------------------------------------------
 @RequestMapping( value = "/{id}", method = RequestMethod.PUT, consumes = MediaType.APPLICATION_JSON_VALUE )
+ @PreAuthorize( "hasRole('F_FRED_UPDATE') or hasRole('ALL')" )
 public ResponseEntity updateFacility( @PathVariable String id, @RequestBody Facility facility ) throws IOException
 {
 facility.setId( id );
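Review bot: The `canRead` line in the new `setAccessRights` looks up `"M-dhis-web-api-fred"` with a hyphen after the `M`, while every `@PreAuthorize` expression and the i18n key in this commit spell the authority `M_dhis-web-api-fred`, so `canRead` will most likely be false for any non-superuser who does hold the module authority. Change the lookup to `authorities.contains( "M_dhis-web-api-fred" )`, and consider declaring the four authority names once as constants shared with the annotations so the strings cannot drift apart again. `getCurrentUser()` and `getUserCredentials()` are dereferenced without a null check; that is presumably safe behind the class-level guard, but worth confirming for accounts that authenticate without a matching user record. These flags only decide what the template renders; the `@PreAuthorize` checks remain the actual enforcement.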
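Review bot: The method-level `@PreAuthorize( "hasRole('F_FRED_UPDATE') or hasRole('ALL')" )` on `updateFacility` replaces the class-level expression rather than adding to it, because Spring Security evaluates only the most specific annotation it finds. A user who holds `F_FRED_UPDATE` but not `M_dhis-web-api-fred` can therefore call PUT; the same holds for `createFacility` in the previous hunk, for `deleteFacility`, and for the activate/deactivate methods in FacilityServiceController. If the module authority is meant to be a prerequisite for every operation, spell it out in each expression, for example `@PreAuthorize( "(hasRole('M_dhis-web-api-fred') and hasRole('F_FRED_UPDATE')) or hasRole('ALL')" )`. The body of `updateFacility` continues outside the hunk.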
@@ -202,6 +224,7 @@
 //--------------------------------------------------------------------------
 @RequestMapping( value = "/{id}", method = RequestMethod.DELETE )
+ @PreAuthorize( "hasRole('F_FRED_DELETE') or hasRole('ALL')" )
 public ResponseEntity deleteFacility( @PathVariable String id ) throws HierarchyViolationException
 {
 OrganisationUnit organisationUnit = organisationUnitService.getOrganisationUnit( id );
=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityServiceController.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityServiceController.java 2012-12-10 12:34:13 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityServiceController.java 2012-12-10 13:53:34 +0000
@@ -34,10 +34,10 @@
 import org.hisp.dhis.web.webapi.v1.validation.group.Create;
 import org.hisp.dhis.web.webapi.v1.validation.group.Update;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -53,14 +53,14 @@
 /**
 * @author Morten Olav Hansen
 */
-@Controller(value = "facility-service-controller-" + FredController.PREFIX)
+@Controller( value = "facility-service-controller-" + FredController.PREFIX )
 @RequestMapping(FacilityServiceController.RESOURCE_PATH)
+@PreAuthorize("hasRole('M_dhis-web-api-fred') or hasRole('ALL')")
 public class FacilityServiceController
 {
 public static final String RESOURCE_PATH = "/" + FredController.PREFIX + "/facility-service";
 @Autowired
- @Qualifier("org.hisp.dhis.organisationunit.OrganisationUnitService")
 private OrganisationUnitService organisationUnitService;
 @Autowired
@@ -70,7 +70,8 @@
 // EXTRA WEB METHODS
 //--------------------------------------------------------------------------
- @RequestMapping(value = "/{id}/activate", method = RequestMethod.POST)
+ @RequestMapping( value = "/{id}/activate", method = RequestMethod.POST )
+ @PreAuthorize("hasRole('F_FRED_UPDATE') or hasRole('ALL')")
 public ResponseEntity activateFacility( @PathVariable String id )
 {
 OrganisationUnit organisationUnit = organisationUnitService.getOrganisationUnit( id );
@@ -86,7 +87,8 @@
 return new ResponseEntity( HttpStatus.NOT_FOUND );
 }
- @RequestMapping(value = "/{id}/deactivate", method = RequestMethod.POST)
+ @RequestMapping( value = "/{id}/deactivate", method = RequestMethod.POST )
+ @PreAuthorize("hasRole('F_FRED_UPDATE') or hasRole('ALL')")
 public ResponseEntity deactivateFacility( @PathVariable String id )
 {
 OrganisationUnit organisationUnit = organisationUnitService.getOrganisationUnit( id );
=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FredController.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FredController.java 2012-12-07 14:16:37 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FredController.java 2012-12-10 13:53:34 +0000
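Review bot: In FacilityServiceController the new `@PreAuthorize("hasRole('M_dhis-web-api-fred') or hasRole('ALL')")` at `@@ -53,14 +53,14 @@`, and the two method-level ones on `activateFacility` and `deactivateFacility`, are written without the inner padding that this same hunk introduces for `@Controller( ... )` and that FacilityController uses throughout; `@RequestMapping(FacilityServiceController.RESOURCE_PATH)` is also left unpadded. For consistency I would write `@PreAuthorize( "hasRole('M_dhis-web-api-fred') or hasRole('ALL')" )` and pad the mapping the same way. Separately, dropping `@Qualifier` makes the `OrganisationUnitService` injection resolve by type alone, which presumably works because only one such bean is defined; that is worth confirming, since a second implementation in the context would make the injection ambiguous.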
@@ -28,6 +28,7 @@ */ import org.springframework.http.MediaType; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; @@ -40,6 +41,7 @@ */ @Controller( value = "fred-controller-" + FredController.PREFIX ) @RequestMapping( value = FredController.PREFIX ) +@PreAuthorize( "hasRole('M_dhis-web-api-fred') or hasRole('ALL')" ) public class FredController { public static final String PREFIX = "v1"; === modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/resources/META-INF/dhis/webapi-fred.xml' --- dhis-2/dhis-web/dhis-web-api-fred/src/main/resources/META-INF/dhis/webapi-fred.xml 2012-12-08 16:07:13 +0000 +++ dhis-2/dhis-web/dhis-web-api-fred/src/main/resources/META-INF/dhis/webapi-fred.xml 2012-12-10 13:53:34 +0000 @@ -2,12 +2,16 @@ + + === modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/resources/struts.xml' --- dhis-2/dhis-web/dhis-web-api-fred/src/main/resources/struts.xml 2012-12-06 20:06:23 +0000 +++ dhis-2/dhis-web/dhis-web-api-fred/src/main/resources/struts.xml 2012-12-10 13:53:34 +0000 @@ -1,18 +1,15 @@ + "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" + "http://struts.apache.org/dtds/struts-2.0.dtd"> - + - === modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm' --- dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm 2012-12-09 19:31:01 +0000 +++ dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm 2012-12-10 13:53:34 +0000 @@ -180,15 +180,15 @@
#if( $facility.active ) - #else - #end -
=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm' --- dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm 2012-12-09 19:31:01 +0000 +++ dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm 2012-12-10 13:53:34 +0000 @@ -65,8 +65,6 @@ data.coordinates = [ lng, lat ]; - console.log(data.coordinates); - $.ajax({ url: '$baseUrl/facilities/${entity.id}', contentType: 'application/json; charset=UTF-8', @@ -93,7 +91,6 @@
#set( $inputSize = "span12") - #set( $canEdit = true )
Facility @@ -102,28 +99,28 @@ - + - - + - +
- +
-
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties 2012-12-03 18:00:31 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties 2012-12-10 13:53:34 +0000
@@ -2,6 +2,7 @@
 #-- See module privilegies ----------------------------------------------------#
 M_dhis-web-api=See API Module
+M_dhis-web-api-fred=See FRED API Module
 M_dhis-web-exportdatamart=See Export Data Mart Module
 M_dhis-web-maintenance-datadictionary=See Data Dictionary Maintenance module
 M_dhis-web-maintenance-dataset=See Data Set Maintenance module
@@ -294,4 +295,9 @@
 created=Created
 disabled=Disabled
 disable=Disable
-enable=Enable
\ No newline at end of file
+enable=Enable
+
+#-- FRED API module ---------------------------------------------------------------#
+F_FRED_CREATE=Add Facility
+F_FRED_UPDATE=Update Facility
+F_FRED_DELETE=Delete Facility