=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroupService.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroupService.java 2014-12-22 10:31:50 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroupService.java 2014-12-24 11:38:09 +0000 @@ -45,7 +45,7 @@ UserGroup getUserGroup( String uid ); - boolean canAddOrRemove( User user, Collection uids ); + boolean canAddOrRemove( String uid ); void addUserToGroups( User user, Collection uids ); === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserGroupService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserGroupService.java 2014-12-22 10:31:50 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserGroupService.java 2014-12-24 11:38:09 +0000 @@ -33,7 +33,6 @@ import org.hisp.dhis.acl.AclService; import org.hisp.dhis.common.GenericIdentifiableObjectStore; -import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException; import org.springframework.transaction.annotation.Transactional; @Transactional 
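Review bot: The new `canAddOrRemove( String uid )` declaration changes the contract from "may the caller touch every group in this collection" to a per-group check against an implicit current user, and the interface line carries no Javadoc saying so. A caller reading only this interface cannot tell that the subject is the session user rather than a passed-in `User`, nor that an unknown uid yields `false` rather than an exception (the implementation in DefaultUserGroupService returns false when `getUserGroup( uid )` is null). I would add above the declaration: `/** Returns true if the current user may add members to or remove members from the user group with the given uid; false if the group does not exist or the current user may neither update nor manage it. */`.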
@@ -106,62 +105,50 @@ } @Override - public boolean canAddOrRemove( User user, Collection uids ) + public boolean canAddOrRemove( String uid ) { User currentUser = currentUserService.getCurrentUser(); - for ( String uid : uids ) + UserGroup userGroup = getUserGroup( uid ); + + if ( userGroup == null ) { - UserGroup userGroup = getUserGroup( uid ); - - if ( userGroup == null ) - { - return false; - } - - boolean canUpdate = aclService.canUpdate( currentUser, userGroup ); - boolean canManage = currentUser.canManage( userGroup ); - - if ( !canUpdate && !canManage ) - { - return false; - } + return false; } - return true; + boolean canUpdate = aclService.canUpdate( currentUser, userGroup ); + boolean canManage = currentUser.canManage( userGroup ); + + return canUpdate || canManage; } @Override public void addUserToGroups( User user, Collection uids ) - { - if ( !canAddOrRemove( user, uids ) ) - { - throw new UpdateAccessDeniedException( user.toString() ); - } - + { for ( String uid : uids ) { - UserGroup userGroup = getUserGroup( uid ); - user.getGroups().add( userGroup ); - userGroup.getMembers().add( user ); - userGroupStore.updateNoAcl( userGroup ); + if ( canAddOrRemove( uid ) ) + { + UserGroup userGroup = getUserGroup( uid ); + user.getGroups().add( userGroup ); + userGroup.getMembers().add( user ); + userGroupStore.updateNoAcl( userGroup ); + } } } @Override public void removeUserFromGroups( User user, Collection uids ) { - if ( !canAddOrRemove( user, uids ) ) - { - throw new UpdateAccessDeniedException( user.toString() ); - } - for ( String uid : uids ) { - UserGroup userGroup = getUserGroup( uid ); - user.getGroups().remove( userGroup ); - userGroup.getMembers().remove( user ); - userGroupStore.updateNoAcl( userGroup ); + if ( canAddOrRemove( uid ) ) + { + UserGroup userGroup = getUserGroup( uid ); + user.getGroups().remove( userGroup ); + userGroup.getMembers().remove( user ); + userGroupStore.updateNoAcl( userGroup ); + } } } === modified file 
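Review bot: `addUserToGroups` and `removeUserFromGroups` now silently skip any uid for which `canAddOrRemove( uid )` is false, where the removed code threw `UpdateAccessDeniedException` for the whole request. The caller gets no signal that part of the request was dropped; for `removeUserFromGroups` in particular, a removal that is silently ignored leaves the user holding a membership the caller believes was revoked, and a non-existent uid is now indistinguishable from a forbidden one. UserController pre-checks every uid before calling `addUserToGroups`, but other callers of these two methods are not visible here and would lose that protection. I would validate all uids in a first pass before mutating anything and fail closed, e.g. `if ( !canAddOrRemove( uid ) ) { throw new UpdateAccessDeniedException( user.toString() + ": " + uid ); }` (re-adding the import this commit removes), or at the very least log the skipped uids. Separately, each accepted uid now loads the group twice, once inside `canAddOrRemove` and again in the loop; an overload that takes the already loaded `UserGroup` would avoid the second `getUserGroup( uid )`.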
'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-12-23 16:19:37 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-12-24 11:38:09 +0000 @@ -40,6 +40,7 @@ import org.hisp.dhis.common.IdentifiableObjectUtils; import org.hisp.dhis.common.Pager; +import org.hisp.dhis.dxf2.importsummary.ImportSummary; import org.hisp.dhis.dxf2.metadata.ImportTypeSummary; import org.hisp.dhis.hibernate.exception.CreateAccessDeniedException; import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException; @@ -167,7 +168,7 @@ { User user = renderService.fromXml( request.getInputStream(), getEntityClass() ); - createUser( user, response ); + createUser( user ); } @Override @@ -176,7 +177,7 @@ { User user = renderService.fromJson( request.getInputStream(), getEntityClass() ); - createUser( user, response ); + createUser( user ); } @RequestMapping( value = INVITE_PATH, method = RequestMethod.POST, consumes = { "application/xml", "text/xml" } ) @@ -349,16 +350,18 @@ { return; } - + RestoreOptions restoreOptions = user.getUsername() == null || user.getUsername().isEmpty() ? RestoreOptions.INVITE_WITH_USERNAME_CHOICE : RestoreOptions.INVITE_WITH_DEFINED_USERNAME; securityService.prepareUserForInvite( user ); - createUser( user, response ); + ImportSummary summary = createUser( user ); securityService.sendRestoreMessage( user.getUserCredentials(), ContextUtils.getContextPath( request ), restoreOptions ); + + renderService.toJson( response.getOutputStream(), summary ); } /** 
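Review bot: In the `-167` and `-176` hunks the return value of `createUser( user )` is discarded and the enclosing method ends right after the call, so the XML and JSON create endpoints no longer write anything to the response. Before this commit `createUser` itself called `renderService.toJson( response.getOutputStream(), summary )`; after it, only the invite path in the `-349` hunk renders the summary. Both call sites should keep that behaviour, e.g. `ImportSummary summary = createUser( user );` followed by `renderService.toJson( response.getOutputStream(), summary );`, assuming `response` is still a parameter of those methods (their signatures are outside the hunk).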
@@ -367,7 +370,7 @@ * @param user user object parsed from the POST request * @param response response for created user */ - private void createUser( User user, HttpServletResponse response ) throws Exception + private ImportSummary createUser( User user ) throws Exception { if ( !aclService.canCreate( currentUserService.getCurrentUser(), getEntityClass() ) ) { @@ -378,6 +381,16 @@ { throw new CreateAccessDeniedException( "You must have permissions to create user, or ability to manage at least one user group for the user." ); } + + List uids = IdentifiableObjectUtils.getUids( user.getGroups() ); + + for ( String uid : uids ) + { + if ( !userGroupService.canAddOrRemove( uid ) ) + { + throw new CreateAccessDeniedException( "You don't have permissions to add user to user group: " + uid ); + } + } user.getUserCredentials().getCogsDimensionConstraints().addAll( currentUserService.getCurrentUser().getUserCredentials().getCogsDimensionConstraints() ); @@ -388,7 +401,7 @@ ImportTypeSummary summary = importService.importObject( currentUserService.getCurrentUser().getUid(), user, ImportStrategy.CREATE ); userGroupService.addUserToGroups( user, IdentifiableObjectUtils.getUids( user.getGroups() ) ); - - renderService.toJson( response.getOutputStream(), summary ); + + return summary; } }
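Review bot: The Javadoc immediately above `createUser` in the `-367` hunk still documents `@param response response for created user` although that parameter is removed, and says nothing about the new return value. I would drop that `@param` line and add `@return the import summary for the created user, to be rendered by the caller`. The local in the `-388` hunk is an `ImportTypeSummary` returned as `ImportSummary`, so presumably the former is a subtype; if so, the declared return type could equally be the more specific `ImportTypeSummary`.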
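Review bot: The new per-group loop in the `-378` hunk fails closed before `importService.importObject` runs, which is the right place for it, but `IdentifiableObjectUtils.getUids( user.getGroups() )` is computed a second time in the `-388` hunk for `addUserToGroups`; pass the `uids` local already built here, `userGroupService.addUserToGroups( user, uids );`, so the set that was authorised is exactly the set that is applied. If `user.getGroups()` can be null for a request without groups, `getUids` would need to tolerate that; it cannot be confirmed from this hunk. The generic type arguments on `List uids` (and on the `Collection uids` parameters elsewhere in this diff) appear to have been lost in this rendering rather than omitted in the code, so they are not a raw-type concern.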