=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java 2014-05-27 02:41:16 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java 2014-05-28 16:38:44 +0000 @@ -262,13 +262,29 @@ int getActiveUsersCount( Date since ); /** + * Filters the given list of users based on whether the current + * user is allowed to update. + * + * @param users the list of users. + */ + void canUpdateUsersFilter( Collection users ); + + /** * Filters the given list of user credentials based on whether the current * user is allowed to update. - * + * * @param userCredentials the list of user credentials. */ void canUpdateFilter( Collection userCredentials ); - + + /** + * Is the current user allowed to update this user? + * + * @param userCredentials credentials to check for allowing update. + * @return true if current user can update this user, else false. + */ + boolean canUpdate( UserCredentials userCredentials ); + // ------------------------------------------------------------------------- // UserAuthorityGroup // ------------------------------------------------------------------------- === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java 2014-05-27 02:41:16 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java 2014-05-28 16:38:44 +0000 @@ -585,6 +585,19 @@ return userCredentialsStore.getActiveUsersCount( since ); } + public void canUpdateUsersFilter( Collection users ) + { + FilterUtils.filter( users, + new Filter() + { + public boolean retain( User object ) + { + return canUpdate( object.getUserCredentials() ); + } + } + ); + } + public void canUpdateFilter( Collection userCredentials ) { FilterUtils.filter( userCredentials, 
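Review bot: The Javadoc added for `canUpdateUsersFilter` does not say that the collection is changed in place, which the `void` return and the `FilterUtils.filter( users, ... )` call in DefaultUserService suggest. A caller that passes a shared or unmodifiable list needs to know this, so I would add `* Users the current user may not update are removed from the given collection, which must support removal.` The `canUpdate` Javadoc could also state that both the authority check and the user group check have to pass, because callers now treat its result as an access decision.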
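Review bot: `retain` in `canUpdateUsersFilter` passes `object.getUserCredentials()` straight to `canUpdate`, and `canUpdate` (added in the following hunk of DefaultUserService.java) forwards it without a null check. If a `User` can exist without credentials, the result depends on how `hasAuthorityToUpdateUser` and `hasGroupsToUpdateUser` treat null, and neither is visible in this diff. An access check should fail closed in that case, for example `return userCredentials != null && hasAuthorityToUpdateUser( userCredentials ) && hasGroupsToUpdateUser( userCredentials );`.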
@@ -592,12 +605,17 @@ { public boolean retain( UserCredentials object ) { - return hasAuthorityToUpdateUser( object ) && hasGroupsToUpdateUser( object ); + return canUpdate( object ); } } ); } + public boolean canUpdate( UserCredentials userCredentials ) + { + return hasAuthorityToUpdateUser( userCredentials ) && hasGroupsToUpdateUser( userCredentials ); + } + // ------------------------------------------------------------------------- // UserSettings // ------------------------------------------------------------------------- === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-05-27 13:18:27 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-05-28 16:38:44 +0000 @@ -329,7 +329,7 @@ if ( group == null ) { - throw new UpdateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() ); + throw new CreateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() ); } if ( writeGroupRequired && securityService.canWrite( group ) ) === modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java' --- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java 2014-03-18 08:10:10 +0000 +++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java 2014-05-28 16:38:44 +0000 
@@ -35,11 +35,14 @@ import org.apache.struts2.ServletActionContext; import org.hisp.dhis.paging.ActionPagingSupport; +import org.hisp.dhis.setting.SystemSettingManager; import org.hisp.dhis.user.User; import org.hisp.dhis.user.UserService; import org.hisp.dhis.user.comparator.UserComparator; import org.hisp.dhis.util.ContextUtils; +import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS; + /** * @author mortenoh */ @@ -57,6 +60,13 @@ this.userService = userService; } + private SystemSettingManager systemSettingManager; + + public void setSystemSettingManager( SystemSettingManager systemSettingManager ) + { + this.systemSettingManager = systemSettingManager; + } + // ------------------------------------------------------------------------- // Input & Output // ------------------------------------------------------------------------- @@ -101,6 +111,13 @@ users = users.subList( paging.getStartPos(), paging.getEndPos() ); } + boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false ); + + if ( writeGroupRequired ) + { + userService.canUpdateUsersFilter( users ); + } + return SUCCESS; } === modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml' --- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml 2014-05-26 10:55:47 +0000 +++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml 2014-05-28 16:38:44 +0000 
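Review bot: In the last GetUsersAction hunk, `userService.canUpdateUsersFilter( users )` runs after `users = users.subList( paging.getStartPos(), paging.getEndPos() )`, so only the current page is filtered. The paging object is built earlier in the method, outside the hunk, presumably from the unfiltered list; if so, pages can come back short or empty while the pager still reports the unfiltered total, and that total tells the caller how many users exist beyond the ones they may manage. I would move the `writeGroupRequired` block above the paging code so that the count and the page are both computed from the filtered list. The `(Boolean)` cast is unboxed directly, so it also relies on `getSystemSetting` never returning null when given the `false` default.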
@@ -304,6 +304,7 @@ + userList = new HashSet(); for ( Integer groupMember : groupMembersList ) { User user = userService.getUser( groupMember ); userList.add( user ); - } - - UserGroup userGroup = userGroupService.getUserGroup( userGroupId ); + + if ( writeGroupRequired && !userGroup.getMembers().contains( user) && !userService.canUpdate( user.getUserCredentials() ) ) + { + throw new UpdateAccessDeniedException( "- You don't have permission to add all selected users to this group." ); + } + } + + if ( writeGroupRequired ) + { + for ( User member : userGroup.getMembers() ) + { + if ( !userList.contains( member ) ) // Trying to remove member user from group. + { + boolean otherGroupFound = false; + + for ( UserGroup ug : member.getGroups() ) + { + if ( !userGroup.equals( ug ) && securityService.canWrite( ug ) ) + { + otherGroupFound = true; + break; + } + } + + if ( !otherGroupFound ) + { + throw new UpdateAccessDeniedException( "- You can't remove member who belongs to no other user groups that you control." ); + } + } + } + } userGroup.setName( name ); userGroup.updateUsers( userList ); === modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml' --- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml 2013-07-24 15:58:43 +0000 +++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml 2014-05-28 16:38:44 +0000 @@ -75,6 +75,8 @@ + + @@ -97,6 +99,8 @@ + +
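Review bot: In the user group update loop, the new permission check dereferences `user` right after `userService.getUser( groupMember )` without testing it for null. The start of this hunk and its file header are missing from the page, so this is based on the visible lines only. If `groupMembersList` holds an id that resolves to no user, `userGroup.getMembers().contains( user )` is false and `user.getUserCredentials()` throws a NullPointerException instead of the intended `UpdateAccessDeniedException`. Rejecting or skipping unknown ids before `userList.add( user )`, for example `if ( user == null ) { continue; }`, keeps the access decision explicit. The removal loop also relies on `member.getGroups()` being non-null, which is worth confirming.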