=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java 2016-01-26 08:55:27 +0000
@@ -50,4 +50,6 @@
 int countReportDashboardItems( Report report );
 int countDocumentDashboardItems( Document document );
+
+ Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem );
 }
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java 2016-01-26 08:55:27 +0000
@@ -74,7 +74,9 @@
 void updateDashboardItem( DashboardItem item );
 DashboardItem getDashboardItem( String uid );
-
+
+ Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem );
+
 void deleteDashboardItem( DashboardItem item );
 int countMapDashboardItems( Map map );
=== modified file 'dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java'
--- dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java 2016-01-26 08:55:27 +0000
@@ -31,6 +31,7 @@
 import org.hibernate.Query;
 import org.hisp.dhis.chart.Chart;
 import org.hisp.dhis.common.hibernate.HibernateIdentifiableObjectStore;
+import org.hisp.dhis.dashboard.Dashboard;
 import org.hisp.dhis.dashboard.DashboardItem;
 import org.hisp.dhis.dashboard.DashboardItemStore;
 import org.hisp.dhis.document.Document;
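Review bot: The `getDashboardFromDashboardItem` declaration added to DashboardItemStore, and the identical one added to DashboardService in the following hunk, has no Javadoc, so callers are not told what comes back when no dashboard contains the item. The Hibernate implementation added in this commit ends in `uniqueResult()`, so null is a possible return, and the controller uses the result for an access decision. A one-line Javadoc on both declarations would cover it, for example `/** Returns the dashboard containing the given item, or null if no dashboard contains it. */`.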
@@ -88,4 +89,13 @@
 return ((Long) query.uniqueResult()).intValue();
 }
+
+ @Override
+ public Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem )
+ {
+ Query query = getQuery( "from Dashboard d where :item in elements(d.items)" );
+ query.setEntity( "item", dashboardItem );
+
+ return (Dashboard) query.uniqueResult();
+ }
 }
=== modified file 'dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java'
--- dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java 2016-01-26 08:55:27 +0000
@@ -28,11 +28,7 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-import static org.hisp.dhis.common.IdentifiableObjectUtils.getUids;
-
-import java.util.HashSet;
-import java.util.Set;
-
+import com.google.common.collect.Sets;
 import org.hisp.dhis.chart.Chart;
 import org.hisp.dhis.common.IdentifiableObjectManager;
 import org.hisp.dhis.common.hibernate.HibernateIdentifiableObjectStore;
@@ -54,7 +50,10 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
-import com.google.common.collect.Sets;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.hisp.dhis.common.IdentifiableObjectUtils.getUids;
 /**
 * Note: The remove associations methods must be altered if caching is introduced.
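Review bot: `query.uniqueResult()` in the new HibernateDashboardItemStore method throws `NonUniqueResultException` when more than one row matches, so the lookup assumes every item sits in exactly one dashboard. Nothing in the hunk shows that the mapping enforces this. If an item can be referenced from several dashboards, the caller's update check fails with an unhandled exception, and picking one of the dashboards arbitrarily would not be a sound basis for the decision either. Once the invariant is confirmed, state it above the query, e.g. `// an item belongs to at most one dashboard (enforced by the mapping)`; otherwise return every containing dashboard and require update access to each.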
@@ -306,6 +305,12 @@
 }
 @Override
+ public Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem )
+ {
+ return dashboardItemStore.getDashboardFromDashboardItem( dashboardItem );
+ }
+
+ @Override
 public void deleteDashboardItem( DashboardItem item )
 {
 dashboardItemStore.delete( item );
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java 2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java 2016-01-26 08:55:27 +0000
@@ -29,12 +29,13 @@
 */
 import com.google.common.collect.Lists;
-
 import org.hisp.dhis.common.Pager;
+import org.hisp.dhis.dashboard.Dashboard;
 import org.hisp.dhis.dashboard.DashboardItem;
 import org.hisp.dhis.dashboard.DashboardItemShape;
 import org.hisp.dhis.dashboard.DashboardService;
 import org.hisp.dhis.dxf2.webmessage.WebMessageException;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
 import org.hisp.dhis.query.Order;
 import org.hisp.dhis.schema.descriptors.DashboardItemSchemaDescriptor;
 import org.hisp.dhis.webapi.utils.WebMessageUtils;
@@ -48,7 +49,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import java.util.List;
 /**
@@ -95,6 +95,13 @@
 throw new WebMessageException( WebMessageUtils.notFound( "Dashboard item does not exist: " + uid ) );
 }
+ Dashboard dashboard = dashboardService.getDashboardFromDashboardItem( item );
+
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
 item.setShape( shape );
 dashboardService.updateDashboardItem( item );
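Review bot: In the last hunk of DashboardItemController.java, `dashboard` goes straight into `aclService.canUpdate` with no null check, although the lookup added in this commit ends in `uniqueResult()`, which returns null when no dashboard contains the item. How `canUpdate` treats a null object is not visible here, so the outcome for an orphaned item is either an unhandled exception or, possibly, an allowed update. The guard should deny explicitly: `if ( dashboard == null || !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )`. The handler begins and ends outside the hunk, and any other mutating handlers in this controller are not shown, so it is worth confirming they apply the same check.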