=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2016-02-02 23:14:48 +0000
@@ -54,6 +54,7 @@
 import org.hisp.dhis.user.UserSettingService;
 import org.hisp.dhis.webapi.utils.ContextUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -286,8 +287,11 @@
 public String execute() throws Exception
 {
- //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to add a user within managed groups.
-
+ if ( !userService.canAddOrUpdateUser( ugSelected ) )
+ {
+ throw new AccessDeniedException( "You cannot edit this user" );
+ }
+
 User currentUser = currentUserService.getCurrentUser();
 // ---------------------------------------------------------------------
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/SetupTreeAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/SetupTreeAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/SetupTreeAction.java 2016-02-02 23:14:48 +0000
@@ -33,6 +33,7 @@
 import org.hisp.dhis.attribute.AttributeService;
 import org.hisp.dhis.attribute.comparator.AttributeSortOrderComparator;
 import org.hisp.dhis.common.DimensionalObject;
+import org.hisp.dhis.common.IdentifiableObjectUtils;
 import org.hisp.dhis.i18n.I18nService;
 import org.hisp.dhis.i18n.locale.LocaleManager;
 import org.hisp.dhis.oust.manager.SelectionTreeManager;
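Review bot: The new guard in AddUserAction.execute() decides on `ugSelected` alone, and the hunk does not show how `canAddOrUpdateUser` treats a null or empty list; if that case returns true, a caller holding only F_USER_ADD_WITHIN_MANAGED_GROUP could create a user outside every group they manage, so the service should fail closed there. The same question applies to the identical guard in UpdateUserAction.execute(). The message also reads "You cannot edit this user" on the add path; `throw new AccessDeniedException( "You cannot add this user" );` would keep the denial accurate in logs. Whether the roles given to the new user are limited to what the caller may grant is decided outside this hunk, since execute() continues past it.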
@@ -47,6 +48,7 @@
 import org.hisp.dhis.user.UserSettingKey;
 import org.hisp.dhis.user.UserSettingService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -221,6 +223,11 @@
 {
 user = userService.getUser( id );
+ if ( !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) ) )
+ {
+ throw new AccessDeniedException( "You cannot edit this user" );
+ }
+
 if ( user.hasOrganisationUnit() )
 {
 selectionManager.setSelectedOrganisationUnits( user.getOrganisationUnits() );
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java 2016-02-02 23:14:48 +0000
@@ -50,6 +50,7 @@
 import org.hisp.dhis.user.UserSettingKey;
 import org.hisp.dhis.user.UserSettingService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
 import java.util.ArrayList;
 import java.util.HashSet;
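Review bot: In the SetupTreeAction hunk, the result of `userService.getUser( id )` is dereferenced by the added check before anything tests it for null, so if getUser returns null for an unknown or stale `id` the request ends in a NullPointerException instead of a controlled denial. Folding the null case into the guard, `if ( user == null || !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) ) )`, fails closed and gives the same response for missing and forbidden users. The enclosing method starts and ends outside the hunk, so a check on `id` itself may already exist there.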
@@ -244,8 +245,11 @@
 public String execute() throws Exception
 {
- //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to update a user within managed groups.
-
+ if ( !userService.canAddOrUpdateUser( ugSelected ) )
+ {
+ throw new AccessDeniedException( "You cannot edit this user" );
+ }
+
 User currentUser = currentUserService.getCurrentUser();
 // ---------------------------------------------------------------------
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/struts.xml'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/struts.xml 2015-01-12 18:53:15 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/struts.xml 2016-02-02 23:14:48 +0000
@@ -49,27 +49,27 @@ /main.vm /dhis-web-maintenance-user/addUserForm.vm ../dhis-web-commons/oust/oust.js,../dhis-web-commons/ouwt/ouwt.js,javascript/user.js - F_USER_ADD + F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP user.action?currentPage=${keyCurrentPage}&key=${keyCurrentKey} /dhis-web-commons/ajax/jsonResponseError.vm javascript/user.js - F_USER_ADD + F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP /main.vm /dhis-web-maintenance-user/updateUserForm.vm ../dhis-web-commons/oust/oust.js,../dhis-web-commons/ouwt/ouwt.js,javascript/user.js - F_USER_ADD + F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP user.action?currentPage=${keyCurrentPage}&key=${keyCurrentKey} /dhis-web-commons/ajax/jsonResponseError.vm - F_USER_ADD + F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP
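Review bot: The guard in UpdateUserAction.execute() authorises on `ugSelected`, which looks like the group list submitted with the request, rather than on the groups the stored user currently belongs to. SetupTreeAction checks the stored groups, but only when the form is rendered, so the update itself appears to rely on submitted data to decide whether the target user is within the caller's scope. Unless code outside this hunk already does so, load the target user here and also require `userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) )` before any field is changed. execute() continues outside the hunk.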
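Review bot: Adding F_USER_ADD_WITHIN_MANAGED_GROUP to these four requiredAuthorities entries in struts.xml makes the `canAddOrUpdateUser` call inside each action the only barrier for group-scoped administrators, so every action reachable with the new authority needs that call. The Java hunks in this commit add it to AddUserAction, UpdateUserAction and SetupTreeAction; the element names are not readable in this hunk, so confirm that the four entries map to exactly those actions and that no validation or form-setup action was widened without a matching check. A short comment beside each entry, such as `<!-- group scope is enforced in the action via canAddOrUpdateUser -->`, would record that dependency for the next person who edits the authorities.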