=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java 2014-03-27 10:14:49 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java 2014-03-27 11:10:42 +0000
@@ -43,7 +43,9 @@
 import org.hisp.dhis.dxf2.metadata.ExchangeClasses;
 import org.hisp.dhis.dxf2.render.RenderService;
 import org.hisp.dhis.dxf2.utils.JacksonUtils;
+import org.hisp.dhis.hibernate.exception.CreateAccessDeniedException;
 import org.hisp.dhis.hibernate.exception.DeleteAccessDeniedException;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
 import org.hisp.dhis.schema.Schema;
 import org.hisp.dhis.schema.SchemaService;
 import org.hisp.dhis.system.util.ReflectionUtils;
@@ -53,7 +55,6 @@
 import org.springframework.http.MediaType;
 import org.springframework.ui.Model;
 import org.springframework.util.StringUtils;
-import org.springframework.web.HttpRequestMethodNotSupportedException;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -255,14 +256,23 @@
 @RequestMapping( method = RequestMethod.POST, consumes = { "application/xml", "text/xml" } )
 public void postXmlObject( HttpServletResponse response, HttpServletRequest request, InputStream input ) throws Exception
 {
- throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
+ if ( !aclService.canCreatePublic( currentUserService.getCurrentUser(), getEntityClass() )
+ && !aclService.canCreatePrivate( currentUserService.getCurrentUser(), getEntityClass() ) )
+ {
+ throw new CreateAccessDeniedException( "You don't have the proper permissions to create this object." );
+ }
 }
 
 @RequestMapping( method = RequestMethod.POST, consumes = "application/json" )
 public void postJsonObject( HttpServletResponse response, HttpServletRequest request, InputStream input ) throws Exception
 {
- throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
+ if ( !aclService.canCreatePublic( currentUserService.getCurrentUser(), getEntityClass() )
+ && !aclService.canCreatePrivate( currentUserService.getCurrentUser(), getEntityClass() ) )
+ {
+ throw new CreateAccessDeniedException( "You don't have the proper permissions to create this object." );
+ }
 }
+
 //--------------------------------------------------------------------------
 // PUT
 //--------------------------------------------------------------------------
@@ -272,7 +282,12 @@
 public void putXmlObject( HttpServletResponse response, HttpServletRequest request, @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
 {
- throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
+ T object = getEntity( uid );
+
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), object ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this object." );
+ }
 }
 
 @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, consumes = "application/json" )
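Review bot: Once the ACL check passes, postXmlObject and postJsonObject return without reading `input` or creating anything, so a permitted caller now gets a success response for a request that had no effect, where the old code answered 405; until the import path is wired in, the fall-through should still fail loudly, e.g. end each method with `throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );` (which means keeping the import the first hunk removes) or an explicit non-2xx `response.sendError( ... )`. `currentUserService.getCurrentUser()` is also evaluated twice per request; fetch it once into a local (e.g. `User user = currentUserService.getCurrentUser();`, if that is the type in scope) and pass it to both `aclService` calls. Note this is a class-level check only: a caller who has only canCreatePrivate is not stopped here from posting an object whose own sharing settings make it public, because the body is never parsed — presumably that has to be enforced once it is.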
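Review bot: `T object = getEntity( uid );` runs before the ACL check, and what getEntity does for an unknown uid is not visible in this hunk; if it returns null, `aclService.canUpdate( ..., object )` is handed null and the request most likely ends in a NullPointerException (500) rather than a 404. Either confirm getEntity throws for a missing uid or guard the result, e.g. `if ( object == null ) { response.sendError( HttpServletResponse.SC_NOT_FOUND ); return; }` before the canUpdate call. As in the POST hunk, after the check succeeds the method returns without consuming `input`, so an authorised PUT reports success while updating nothing; keep a loud failure in place until the update itself is implemented. The same block is repeated verbatim in putJsonObject in the next hunk, which suggests one private helper that loads the entity for a uid, applies the canUpdate check and returns it.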
@@ -280,7 +295,12 @@
 public void putJsonObject( HttpServletResponse response, HttpServletRequest request, @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
 {
- throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
+ T object = getEntity( uid );
+
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), object ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this object." );
+ }
 }
 
 //--------------------------------------------------------------------------
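Review bot: canUpdate is evaluated only against the object currently persisted for `uid`, which is the right check for the request as it stands, but when the payload from `input` is eventually merged into `object` the merged state needs checking too, so that a caller with update rights on the existing object cannot rewrite its sharing or ownership fields (if this entity type carries them — the hunk does not show the entity) beyond what they are allowed to create, and a uid in the body that differs from the `{uid}` path variable should be rejected at that point. Until then the method returns success without reading `input`, the same silent no-op as on the XML variant. The two PUT handlers would be easier to keep consistent with a single private method that loads the entity for `uid`, applies the canUpdate check and returns it, leaving each handler with one call.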