=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2016-02-02 23:14:48 +0000
@@ -54,6 +54,7 @@
import org.hisp.dhis.user.UserSettingService;
import org.hisp.dhis.webapi.utils.ContextUtils;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
import java.util.ArrayList;
import java.util.HashSet;
@@ -286,8 +287,11 @@
public String execute()
throws Exception
{
- //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to add a user within managed groups.
-
+ if ( !userService.canAddOrUpdateUser( ugSelected ) )
+ {
+ throw new AccessDeniedException( "You cannot edit this user" );
+ }
+
User currentUser = currentUserService.getCurrentUser();
// ---------------------------------------------------------------------
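Review bot: The guard at the top of `execute()` depends entirely on how `canAddOrUpdateUser` treats a null or empty `ugSelected`, and that method is not shown in this diff. If it returns true for an empty selection, a caller holding only F_USER_ADD_WITHIN_MANAGED_GROUP could create a user that belongs to no managed group. The behaviour should be confirmed and recorded in a comment such as `// canAddOrUpdateUser() must reject an empty selection for managed-group-only users`. The message `"You cannot edit this user"` is also misleading on the add path; `"You cannot add this user"` would match the action. The body of `execute()` continues outside the hunk.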
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/SetupTreeAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/SetupTreeAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/SetupTreeAction.java 2016-02-02 23:14:48 +0000
@@ -33,6 +33,7 @@
import org.hisp.dhis.attribute.AttributeService;
import org.hisp.dhis.attribute.comparator.AttributeSortOrderComparator;
import org.hisp.dhis.common.DimensionalObject;
+import org.hisp.dhis.common.IdentifiableObjectUtils;
import org.hisp.dhis.i18n.I18nService;
import org.hisp.dhis.i18n.locale.LocaleManager;
import org.hisp.dhis.oust.manager.SelectionTreeManager;
@@ -47,6 +48,7 @@
import org.hisp.dhis.user.UserSettingKey;
import org.hisp.dhis.user.UserSettingService;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
import java.util.ArrayList;
import java.util.Collections;
@@ -221,6 +223,11 @@
{
user = userService.getUser( id );
+ if ( !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) ) )
+ {
+ throw new AccessDeniedException( "You cannot edit this user" );
+ }
+
if ( user.hasOrganisationUnit() )
{
selectionManager.setSelectedOrganisationUnits( user.getOrganisationUnits() );
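Review bot: `user.getGroups()` in the new condition dereferences the result of `userService.getUser( id )` without a null check, so an unknown or stale `id` would surface as a NullPointerException rather than a controlled denial, assuming `getUser` can return null. The following `user.hasOrganisationUnit()` had the same exposure before this change, but the access check is now the first place it would trigger. A guard such as `if ( user == null || !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) ) )` would keep the failure mode uniform. The enclosing block starts and ends outside the hunk.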
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java 2016-02-02 23:14:48 +0000
@@ -50,6 +50,7 @@
import org.hisp.dhis.user.UserSettingKey;
import org.hisp.dhis.user.UserSettingService;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
import java.util.ArrayList;
import java.util.HashSet;
@@ -244,8 +245,11 @@
public String execute()
throws Exception
{
- //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to update a user within managed groups.
-
+ if ( !userService.canAddOrUpdateUser( ugSelected ) )
+ {
+ throw new AccessDeniedException( "You cannot edit this user" );
+ }
+
User currentUser = currentUserService.getCurrentUser();
// ---------------------------------------------------------------------
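Review bot: The authorization decision at the top of `execute()` is made on `ugSelected`, which appears to be the group selection submitted with the request, not on the groups the target user currently belongs to. As written, the check can pass for a user outside the caller's managed groups whenever the submitted selection contains only managed groups, unless later code in `execute()` (outside this hunk) verifies the stored user. SetupTreeAction in this same change checks the persisted groups with `IdentifiableObjectUtils.getUids( user.getGroups() )`. The update path should apply that same check to the loaded user in addition to the one on `ugSelected`, which needs the `IdentifiableObjectUtils` import in this file as well.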
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/struts.xml'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/struts.xml 2015-01-12 18:53:15 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/struts.xml 2016-02-02 23:14:48 +0000
@@ -49,27 +49,27 @@
/main.vm
/dhis-web-maintenance-user/addUserForm.vm
../dhis-web-commons/oust/oust.js,../dhis-web-commons/ouwt/ouwt.js,javascript/user.js
- F_USER_ADD
+ F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP
user.action?currentPage=${keyCurrentPage}&key=${keyCurrentKey}
/dhis-web-commons/ajax/jsonResponseError.vm
javascript/user.js
- F_USER_ADD
+ F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP
/main.vm
/dhis-web-maintenance-user/updateUserForm.vm
../dhis-web-commons/oust/oust.js,../dhis-web-commons/ouwt/ouwt.js,javascript/user.js
- F_USER_ADD
+ F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP
user.action?currentPage=${keyCurrentPage}&key=${keyCurrentKey}
/dhis-web-commons/ajax/jsonResponseError.vm
- F_USER_ADD
+ F_USER_ADD, F_USER_ADD_WITHIN_MANAGED_GROUP
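Review bot: Adding F_USER_ADD_WITHIN_MANAGED_GROUP to these four authority lists leaves the `canAddOrUpdateUser` call inside each action as the only restriction on holders of that authority, assuming the list is matched as any-of. Nothing in struts.xml records that dependency, so a later action given the same list but no in-code check could grant unrestricted add or update rights. A comment next to the entries, e.g. `<!-- F_USER_ADD_WITHIN_MANAGED_GROUP: the action must call userService.canAddOrUpdateUser() -->`, would make the coupling visible. The element names are not visible in this rendering of the hunk, so which four actions are affected should be confirmed against the file.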