=== modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/test/java/org/hisp/dhis/dxf2/metadata2/objectbundle/ObjectBundleServiceTest.java'
--- dhis-2/dhis-services/dhis-service-dxf2/src/test/java/org/hisp/dhis/dxf2/metadata2/objectbundle/ObjectBundleServiceTest.java 2016-03-13 04:39:47 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/test/java/org/hisp/dhis/dxf2/metadata2/objectbundle/ObjectBundleServiceTest.java 2016-03-13 07:52:55 +0000
@@ -62,7 +62,9 @@
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserAuthorityGroup;
 import org.hisp.dhis.user.UserGroup;
+import org.hisp.dhis.user.UserService;
 import org.hisp.dhis.validation.ValidationRule;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.io.ClassPathResource;
@@ -88,10 +90,14 @@
 @Autowired
 private RenderService _renderService;
 
+ @Autowired
+ private UserService _userService;
+
 @Override
 protected void setUpTest() throws Exception
 {
 renderService = _renderService;
+ userService = _userService;
 }
 
 @Test
@@ -1364,6 +1370,25 @@
 assertEquals( "DEDE", dataElementE.getDescription() );
 }
 
+ @Test
+ @Ignore
+ public void testCreateMetadataWithSuperuserRoleInjected() throws IOException
+ {
+ createUserAndInjectSecurityContext( true );
+
+ Map, List> metadata = renderService.fromMetadata(
+ new ClassPathResource( "dxf2/metadata_superuser_bug.json" ).getInputStream(), RenderFormat.JSON );
+
+ ObjectBundleParams params = new ObjectBundleParams();
+ params.setObjectBundleMode( ObjectBundleMode.COMMIT );
+ params.setImportMode( ImportStrategy.CREATE_AND_UPDATE );
+ params.setObjects( metadata );
+
+ ObjectBundle bundle = objectBundleService.create( params );
+ assertTrue( objectBundleService.validate( bundle ).getObjectErrorReports().isEmpty() );
+ objectBundleService.commit( bundle );
+ }
+
 private void defaultSetup()
 {
 DataElement de1 = createDataElement( 'A' );
=== added file 'dhis-2/dhis-services/dhis-service-dxf2/src/test/resources/dxf2/metadata_superuser_bug.json'
--- dhis-2/dhis-services/dhis-service-dxf2/src/test/resources/dxf2/metadata_superuser_bug.json 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/test/resources/dxf2/metadata_superuser_bug.json 2016-03-13 07:52:55 +0000
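Review bot: The new `testCreateMetadataWithSuperuserRoleInjected` is committed under a bare `@Ignore`, so the superuser-role import case it is named for never runs and nothing in the file records why; give the annotation a reason, e.g. `@Ignore( "<reason / tracker reference>" )`. The test also ends at `objectBundleService.commit( bundle )` with no assertion on the outcome. Since the fixture `dxf2/metadata_superuser_bug.json` carries a `Superuser` role that includes the `ALL` authority, an assertion after the commit on what was actually persisted (role present, authorities matching the fixture) would pin the intended behaviour once the test is enabled. The only importer exercised is the one created by `createUserAndInjectSecurityContext( true )`, which presumably holds full authority; a companion case with a restricted user would document whether importing an `ALL`-bearing role is refused for callers who lack it.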
@@ -0,0 +1,50 @@
+{
+ "date": "2016-03-02T06:28:29.850+0000",
+ "userRoles": [
+ {
+ "created": "2016-03-01T13:38:17.187+0000",
+ "lastUpdated": "2016-03-01T13:38:17.187+0000",
+ "name": "Superuser",
+ "id": "gETZb5SDObu",
+ "publicAccess": "--------",
+ "userGroupAccesses": [ ],
+ "authorities": [
+ "F_TRACKED_ENTITY_INSTANCE_SEARCH_IN_ALL_ORGUNITS",
+ "ALL",
+ "F_USERGROUP_MANAGING_RELATIONSHIPS_ADD",
+ "F_REPORTTABLE_PUBLIC_ADD",
+ "F_TRACKED_ENTITY_INSTANCE_DELETE",
+ "F_USER_GROUPS_READ_ONLY_ADD_MEMBERS",
+ "F_MAP_PUBLIC_ADD",
+ "F_USER_ADD_WITHIN_MANAGED_GROUP",
+ "F_TRACKED_ENTITY_INSTANCE_SEARCH",
+ "F_PROGRAM_ENROLLMENT",
+ "F_REPORTTABLE_EXTERNAL",
+ "F_SQLVIEW_EXTERNAL",
+ "F_GIS_ADMIN",
+ "F_REPLICATE_USER",
+ "F_INSERT_CUSTOM_JS_CSS",
+ "F_DASHBOARD_PUBLIC_ADD",
+ "F_METADATA_IMPORT",
+ "F_CHART_PUBLIC_ADD",
+ "F_VIEW_UNAPPROVED_DATA",
+ "F_CHART_EXTERNAL",
+ "F_USERGROUP_MANAGING_RELATIONSHIPS_VIEW",
+ "F_METADATA_EXPORT",
+ "F_PROGRAM_UNENROLLMENT",
+ "F_APPROVE_DATA",
+ "F_ACCEPT_DATA_LOWER_LEVELS",
+ "F_TRACKED_ENTITY_INSTANCE_ADD",
+ "F_USERGROUP_PUBLIC_ADD",
+ "F_OAUTH2_CLIENT_MANAGE",
+ "F_TRACKED_ENTITY_DATAVALUE_ADD",
+ "F_PROGRAM_DASHBOARD_CONFIG_ADMIN",
+ "F_MAP_EXTERNAL",
+ "F_APPROVE_DATA_LOWER_LEVELS",
+ "F_TRACKED_ENTITY_DATAVALUE_DELETE"
+ ],
+ "dataSets": [ ],
+ "programs": [ ]
+ }
+ ]
+}
\ No newline at end of file