=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/organisationunit/OrganisationUnitService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/organisationunit/OrganisationUnitService.java 2014-01-07 19:37:58 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/organisationunit/OrganisationUnitService.java 2014-02-03 11:42:39 +0000
@@ -392,6 +392,8 @@
 */
 Collection getWithinCoordinateArea( double longitude, double latitude, double distance );
 
+ boolean isInUserHierarchy( OrganisationUnit organisationUnit );
+
 // -------------------------------------------------------------------------
 // OrganisationUnitHierarchy
 // -------------------------------------------------------------------------

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/organisationunit/DefaultOrganisationUnitService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/organisationunit/DefaultOrganisationUnitService.java 2013-12-12 15:26:13 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/organisationunit/DefaultOrganisationUnitService.java 2014-02-03 11:42:39 +0000
@@ -651,6 +651,36 @@
 return organisationUnitStore.getBetweenByStatusLastUpdated( status, lastUpdated, first, max );
 }
 
+ @Override
+ public boolean isInUserHierarchy( OrganisationUnit organisationUnit )
+ {
+ User user = currentUserService.getCurrentUser();
+
+ if ( user == null )
+ {
+ return false;
+ }
+
+ Set userRootUnits = user.getOrganisationUnits();
+
+ if ( userRootUnits == null )
+ {
+ return false;
+ }
+
+ while ( organisationUnit != null )
+ {
+ if ( userRootUnits.contains( organisationUnit ) )
+ {
+ return true;
+ }
+
+ organisationUnit = organisationUnit.getParent();
+ }
+
+ return false;
+ }
+
 // -------------------------------------------------------------------------
 // OrganisationUnitHierarchy
 // -------------------------------------------------------------------------
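Review bot: `isInUserHierarchy` is added to OrganisationUnitService without Javadoc, although the declaration just above it closes a doc comment and this method now backs an access decision in DataValueController. I would document the contract that the implementation in DefaultOrganisationUnitService shows: `/** Returns true if the unit is one of the current user's organisation units or has one of them as an ancestor; returns false when there is no current user or the user's unit set is null. */`. Stating the deny-by-default cases on the interface keeps other implementations and callers from assuming a permissive result.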
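Review bot: The membership test `userRootUnits.contains( organisationUnit )` in the new `isInUserHierarchy` depends on how `OrganisationUnit` implements `equals`/`hashCode`, which is not visible in this hunk. If the user's units and the looked-up unit can be different instances of the same record, the check would deny a legitimate user rather than admit a wrong one, but it is worth pinning down with a test. The `while` loop also follows `getParent()` with no bound, so a parent chain that loops back on itself would keep the request thread spinning; a visited set or a depth cap would make that case fail closed. As a smaller style point, the loop reassigns the parameter, and a local such as `OrganisationUnit current = organisationUnit;` would read more clearly.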
@@ -806,7 +836,8 @@
 {
 Collection objects = organisationUnitStore.getWithinCoordinateArea( GeoUtils.getBoxShape( longitude, latitude, distance ) );
 
- // Go through the list and remove the ones located farther than the distance.
+ // Go through the list and remove the ones located outside radius
+
 if ( objects != null && objects.size() > 0 )
 {
 Iterator iter = objects.iterator();
@@ -822,8 +853,6 @@
 
 if ( distancebetween > distance )
 {
- // Remove the orgUnits that is outside of the distance range
- // - due to the 'getWithinCoordinateArea' looking at square area instead of circle.
 iter.remove();
 }
 }

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueController.java 2013-12-26 15:31:04 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueController.java 2014-02-03 11:42:39 +0000
@@ -149,6 +149,14 @@
 ContextUtils.conflictResponse( response, "Illegal organisation unit identifier: " + ou );
 return;
 }
+
+ boolean isInHierarchy = organisationUnitService.isInUserHierarchy( organisationUnit );
+
+ if ( !isInHierarchy )
+ {
+ ContextUtils.conflictResponse( response, "Organisation unit is not in the hierarchy of the current user: " + ou );
+ return;
+ }
 
 String valid = ValidationUtils.dataValueIsValid( value, dataElement );
 

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/action/RestrictOrganisationUnitsAction.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/action/RestrictOrganisationUnitsAction.java 2013-08-23 16:05:01 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/action/RestrictOrganisationUnitsAction.java 2014-02-03 11:42:39 +0000
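Review bot: In DataValueController the new hierarchy check reports a denial through `ContextUtils.conflictResponse`, the same helper the preceding lines use for an unknown identifier, so an authorization failure is presented as a validation conflict rather than as a forbidden request. Because the two messages differ ("Illegal organisation unit identifier" versus "not in the hierarchy of the current user"), a caller can also tell which identifiers exist outside their own hierarchy; if that matters here, return the same response for both cases, or a forbidden-style status if ContextUtils offers one. A warn-level log entry for the denied attempt, carrying the current user and `ou`, would help detection. The enclosing method starts and ends outside the hunk, so whether other write paths apply the same check cannot be confirmed from here.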
@@ -28,7 +28,7 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
-import java.util.Collection;
+import java.util.Set;
 
 import org.hisp.dhis.organisationunit.OrganisationUnit;
 import org.hisp.dhis.oust.manager.SelectionTreeManager;
@@ -85,7 +85,7 @@
 // Initialize ouwt and selection tree
 // -----------------------------------------------------------------
 
- Collection orgUnits = user.getOrganisationUnits();
+ Set orgUnits = user.getOrganisationUnits();
 
 if ( orgUnits.size() > 0 )
 {