
dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 6151: updated controllers to have proper authorities for CRUD operations

 

------------------------------------------------------------
revno: 6151
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Fri 2012-03-02 13:39:20 +0100
message:
  updated controllers to have proper authorities for CRUD operations
modified:
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AttributeTypeController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryComboController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryOptionController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ConstantController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupSetController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataSetController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueSetController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DocumentController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupSetController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorTypeController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupSetController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitLevelController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ReportTableController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SqlViewController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserGroupController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleGroupController.java
  dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-dataadmin/src/main/resources/struts.xml


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AttributeTypeController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AttributeTypeController.java	2012-02-21 07:42:09 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AttributeTypeController.java	2012-03-02 12:39:20 +0000
@@ -36,6 +36,7 @@
 import org.hisp.dhis.attribute.Attributes;
 import org.hisp.dhis.common.Pager;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -118,6 +119,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ATTRIBUTE_ADD')" )
     public void postAttributeTypeXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         Attribute attribute = (Attribute) Jaxb2Utils.unmarshal( Attribute.class, input );
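Review bot: The `@PreAuthorize` added on `postAttributeTypeXML` only takes effect if pre/post method security is enabled in the same Spring context that creates the controller beans; if it is declared only in the root context, annotations on `@Controller` classes are silently ignored and the handler stays reachable without the authority check. That configuration is not part of this diff, so it is worth confirming. An integration test that posts as a user lacking `F_ATTRIBUTE_ADD` and expects an access-denied response would pin the behaviour for every controller touched by this commit. The method body continues outside the hunk.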
@@ -125,6 +127,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ATTRIBUTE_ADD')" )
     public void postAttributeTypeJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         Attribute attribute = JacksonUtils.readValueAs( Attribute.class, input );
@@ -165,6 +168,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ATTRIBUTE_UPDATE')" )
     public void putAttributeTypeXML( @PathVariable( "uid" ) String uid, InputStream input, HttpServletResponse response ) throws Exception
     {
         Attribute updateAttribute = (Attribute) Jaxb2Utils.unmarshal( Attribute.class, input );
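Review bot: `putAttributeTypeXML` hands the raw request body to `Jaxb2Utils.unmarshal`, and the new authority check narrows who can reach that parser but does not change how it parses. The helper is not visible in this diff; if it builds its unmarshaller on a default parser configuration, DTDs and external entities may still be processed, so it is worth confirming they are disabled there. The same applies to `postAttributeTypeXML` above and to the XML POST handlers in DataElementController, DataElementGroupController and DataElementGroupSetController. A comment on the call such as `// Jaxb2Utils.unmarshal must reject DTDs/external entities; input is the request body` would record the expectation. The method body continues outside the hunk.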
@@ -173,6 +177,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ATTRIBUTE_UPDATE')" )
     public void putAttributeTypeJSON( @PathVariable( "uid" ) String uid, InputStream input, HttpServletResponse response ) throws Exception
     {
         Attribute updateAttribute = JacksonUtils.readValueAs( Attribute.class, input );
@@ -223,6 +228,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ATTRIBUTE_DELETE')" )
     public void deleteAttributeType( @PathVariable( "uid" ) String uid, HttpServletResponse response ) throws Exception
     {
         Attribute attribute = attributeService.getAttribute( uid );

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryComboController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryComboController.java	2011-12-19 18:07:12 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryComboController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.dataelement.DataElementCategoryService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -120,6 +121,7 @@
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.CREATED )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     public void postCategoryComboXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
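Review bot: `postCategoryComboXML` is guarded by `F_DATAELEMENT_ADD` rather than an authority of its own, so any role that may add data elements would also be allowed to create category combos once this handler is implemented. The same reuse of `F_DATAELEMENT_ADD`/`_UPDATE`/`_DELETE` appears on the other handlers in this file and throughout CategoryController and CategoryOptionController. If the coupling is intended, a one-line comment such as `// categories are managed under the data element authorities` above the annotation would make that explicit; otherwise a dedicated authority keeps the grants least-privilege. Whether separate category authorities exist is not visible from this diff.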
@@ -127,6 +129,7 @@
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.CREATED )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     public void postCategoryComboJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putCategoryComboXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
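Review bot: Annotation order is inconsistent: on `putCategoryComboXML` the `@PreAuthorize` sits between `@RequestMapping` and `@ResponseStatus`, while the POST handlers in the same file place it after `@ResponseStatus`. The order has no runtime effect, but a fixed position (for example always directly above the method signature) makes a missing guard easy to spot when scanning a controller. CategoryController shows the same mix, and CategoryOptionController, ChartController and ConstantController place it second throughout while DataSetController places it last. The method body lies outside the hunk.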
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putCategoryComboJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteCategoryCombo( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryController.java	2011-12-19 18:07:12 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.dataelement.DataElementCategoryService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -120,6 +121,7 @@
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.CREATED )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     public void postCategoryXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -127,6 +129,7 @@
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.CREATED )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     public void postCategoryJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putCategoryXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putCategoryJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteCategory( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryOptionController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryOptionController.java	2011-12-19 18:07:12 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/CategoryOptionController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.dataelement.DataElementCategoryService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postCategoryOptionXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postCategoryOptionJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putCategoryOptionXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putCategoryOptionJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteCategoryOption( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java	2012-01-24 14:43:36 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java	2012-03-02 12:39:20 +0000
@@ -44,6 +44,7 @@
 import org.jfree.chart.JFreeChart;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -173,6 +174,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CHART_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postChartXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -180,6 +182,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CHART_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postChartJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -191,6 +194,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CHART_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putChartXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -198,6 +202,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CHART_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putChartJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -209,6 +214,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CHART_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteChart( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ConstantController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ConstantController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ConstantController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.constant.Constants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CONSTANT_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postConstantXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CONSTANT_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postConstantJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CONSTANT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putConstantXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CONSTANT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putConstantJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_CONSTANT_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteConstant( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementController.java	2011-12-19 17:20:37 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementController.java	2012-03-02 12:39:20 +0000
@@ -125,7 +125,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     public void postDataElementXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         DataElement dataElement = Jaxb2Utils.unmarshal( DataElement.class, input );
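Review bot: Replacing `F_WEBAPI_CREATE` with `F_DATAELEMENT_ADD` on `postDataElementXML` changes which roles can call the endpoint, and nothing visible here migrates existing grants. Roles that were given only the `F_WEBAPI_*` authorities will start receiving access-denied responses after upgrade, which fails closed but can push operators toward granting `ALL` as a workaround. The same swap is made on the other handlers of this file and in DataElementGroupController and DataElementGroupSetController. A release note or upgrade step mapping `F_WEBAPI_CREATE`/`_UPDATE`/`_DELETE` to the per-object authorities would cover it, and any remaining references to the old names should be checked. The method body continues outside the hunk.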
@@ -133,7 +133,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_ADD')" )
     public void postDataElementJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -175,7 +175,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_UPDATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     public void putDataElementXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -183,7 +183,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_UPDATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_UPDATE')" )
     public void putDataElementJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -195,7 +195,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_DELETE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENT_DELETE')" )
     public void deleteDataElement( @PathVariable( "uid" ) String uid ) throws Exception
     {
         DataElement dataElement = dataElementService.getDataElement( uid );

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupController.java	2012-02-21 07:42:09 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupController.java	2012-03-02 12:39:20 +0000
@@ -122,7 +122,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUP_ADD')" )
     public void postDataElementGroupXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         DataElementGroup dataElementGroup = Jaxb2Utils.unmarshal( DataElementGroup.class, input );
@@ -130,7 +130,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUP_ADD')" )
     public void postDataElementGroupJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -170,7 +170,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_UPDATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUP_UPDATE')" )
     public void putDataElementGroupXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.DELETE.toString() );
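Review bot: `putDataElementGroupXML` throws `HttpRequestMethodNotSupportedException( RequestMethod.DELETE.toString() )`, so a rejected PUT is reported as an unsupported DELETE; the commit touches the annotation just above but leaves this line as is. The JSON variant and the matching handlers in DataElementGroupSetController pass `RequestMethod.PUT`, so the line should read `throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );`. The method's closing brace is outside the hunk.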
@@ -178,7 +178,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_UPDATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUP_UPDATE')" )
     public void putDataElementGroupJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -190,7 +190,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_DELETE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUP_DELETE')" )
     public void deleteDataElementGroup( @PathVariable( "uid" ) String uid ) throws Exception
     {
         DataElementGroup dataElementGroup = dataElementService.getDataElementGroup( uid );

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupSetController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupSetController.java	2012-02-21 07:42:09 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataElementGroupSetController.java	2012-03-02 12:39:20 +0000
@@ -125,7 +125,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUPSET_ADD')" )
     public void postDataElementGroupSetXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         DataElementGroupSet dataElementGroupSet = Jaxb2Utils.unmarshal( DataElementGroupSet.class, input );
@@ -133,7 +133,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUPSET_ADD')" )
     public void postDataElementGroupSetJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -174,7 +174,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_UPDATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUPSET_UPDATE')" )
     public void putDataElementGroupSetXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -182,7 +182,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_UPDATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUPSET_UPDATE')" )
     public void putDataElementGroupSetJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -194,7 +194,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_DELETE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAELEMENTGROUPSET_DELETE')" )
     public void deleteDataElementGroupSet( @PathVariable( "uid" ) String uid ) throws Exception
     {
         DataElementGroupSet dataElementGroupSet = dataElementService.getDataElementGroupSet( uid );

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataSetController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataSetController.java	2011-12-19 17:20:37 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataSetController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.dataset.DataSets;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -118,6 +119,7 @@
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.CREATED )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATASET_ADD')" )
     public void postDataSetXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -125,6 +127,7 @@
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.CREATED )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATASET_ADD')" )
     public void postDataSetJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -136,6 +139,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATASET_UPDATE')" )
     public void putDataSetXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -143,6 +147,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATASET_UPDATE')" )
     public void putDataSetJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
@@ -154,6 +159,7 @@
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATASET_DELETE')" )
     public void deleteDataSet( @PathVariable( "uid" ) String uid ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.DELETE.toString() );

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueSetController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueSetController.java	2012-02-16 09:03:14 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DataValueSetController.java	2012-03-02 12:39:20 +0000
@@ -33,6 +33,7 @@
 import org.hisp.dhis.importexport.dxf2.model.DataValueSet;
 import org.hisp.dhis.importexport.dxf2.service.DataValueSetService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -59,11 +60,12 @@
     }
 
     @RequestMapping( method = RequestMethod.POST )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DATAVALUE_ADD')" )
     public void storeDataValueSet( @RequestBody DataValueSet dataValueSet )
     {
         dataValueSetService.saveDataValueSet( dataValueSet );
 
-        log.debug( "Saved data value set for data set: " + dataValueSet.getDataSetIdentifier() + 
-                ", org unit: " + dataValueSet.getOrganisationUnitIdentifier() + ", period: " + dataValueSet.getPeriodIsoDate() );
+        log.debug( "Saved data value set for data set: " + dataValueSet.getDataSetIdentifier() +
+            ", org unit: " + dataValueSet.getOrganisationUnitIdentifier() + ", period: " + dataValueSet.getPeriodIsoDate() );
     }
 }
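Review bot: `hasRole('F_DATAVALUE_ADD')` on storeDataValueSet only decides whether the caller may post data values at all; nothing in this hunk limits which data set or organisation unit named in the request body they may write to. If `dataValueSetService.saveDataValueSet` does not already check the payload's organisation unit against the units assigned to the caller, that object-level check is still missing. Confirm where it is enforced and say so above the call, e.g. `// org unit / data set access is checked inside DataValueSetService`.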

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DocumentController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DocumentController.java	2012-01-24 14:43:36 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/DocumentController.java	2012-03-02 12:39:20 +0000
@@ -28,6 +28,7 @@
  */
 
 import org.apache.commons.io.IOUtils;
+import org.hisp.dhis.api.utils.ContextUtils;
 import org.hisp.dhis.api.utils.IdentifiableObjectParams;
 import org.hisp.dhis.api.utils.WebLinkPopulator;
 import org.hisp.dhis.common.Pager;
@@ -35,9 +36,9 @@
 import org.hisp.dhis.document.DocumentService;
 import org.hisp.dhis.document.Documents;
 import org.hisp.dhis.external.location.LocationManager;
-import org.hisp.dhis.api.utils.ContextUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -144,6 +145,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DOCUMENT_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postDocumentXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -151,6 +153,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DOCUMENT_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postDocumentJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -162,6 +165,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DOCUMENT_ADD')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putDocumentXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
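Review bot: putDocumentXML is guarded by `F_DOCUMENT_ADD`, while the PUT handlers of the other controllers in this commit use an `*_UPDATE` authority (for example `F_INDICATOR_UPDATE`). If documents have no separate update authority this is fine but deserves a comment such as `// documents share one authority for add and update`; if one exists, a user granted only add rights would pass the check for updates. The same applies to putDocumentJSON in the next hunk and to putReportTableXML and putReportTableJSON in ReportTableController, which use `F_REPORTTABLE_ADD`. The method body continues outside the hunk.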
@@ -169,6 +173,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DOCUMENT_ADD')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putDocumentJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -180,6 +185,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_DOCUMENT_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteDocument( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorController.java	2011-12-19 17:20:37 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.indicator.Indicators;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATOR_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATOR_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATOR_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATOR_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATOR_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteIndicator( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.indicator.IndicatorService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUP_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorGroupXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUP_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorGroupJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorGroupXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorGroupJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUP_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteIndicatorGroup( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupSetController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupSetController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorGroupSetController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.indicator.IndicatorService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUPSET_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorGroupSetXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUPSET_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorGroupSetJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUPSET_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorGroupSetXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUPSET_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorGroupSetJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORGROUPSET_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteIndicatorGroupSet( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorTypeController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorTypeController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndicatorTypeController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.indicator.IndicatorTypes;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORTYPE_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorTypeXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORTYPE_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postIndicatorTypeJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORTYPE_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorTypeXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORTYPE_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putIndicatorTypeJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_INDICATORTYPE_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteIndicatorType( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitController.java	2012-02-21 07:42:09 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitController.java	2012-03-02 12:39:20 +0000
@@ -98,7 +98,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNIT_ADD')" )
     public void postOrganisationUnitXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         OrganisationUnit organisationUnit = Jaxb2Utils.unmarshal( OrganisationUnit.class, input );
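Review bot: postOrganisationUnitXML passes the raw request body to `Jaxb2Utils.unmarshal( OrganisationUnit.class, input )`, and nothing visible here shows how that helper configures its XML parser. The new authority narrows who can reach this line, but any holder of `F_ORGANISATIONUNIT_ADD` still supplies the XML, so confirm that the helper disables DTDs and external entities and record it in a comment, e.g. `// Jaxb2Utils.unmarshal rejects DOCTYPE and external entities`. The same call appears in postOrganisationUnitGroupXML and postOrganisationUnitGroupSetXML. The method body continues outside the hunk.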
@@ -106,7 +106,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNIT_ADD')" )
     public void postOrganisationUnitJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -146,6 +146,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNIT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -153,6 +154,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNIT_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -164,6 +166,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNIT_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteOrganisationUnit( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupController.java	2012-02-21 07:42:09 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupController.java	2012-03-02 12:39:20 +0000
@@ -98,7 +98,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUP_ADD')" )
     public void postOrganisationUnitGroupXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         OrganisationUnitGroup organisationUnitGroup = Jaxb2Utils.unmarshal( OrganisationUnitGroup.class, input );
@@ -107,7 +107,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUP_ADD')" )
     public void postOrganisationUnitGroupJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -147,6 +147,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitGroupXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -154,6 +155,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitGroupJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -165,6 +167,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUP_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteOrganisationUnitGroup( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupSetController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupSetController.java	2012-02-21 07:42:09 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitGroupSetController.java	2012-03-02 12:39:20 +0000
@@ -125,7 +125,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUPSET_ADD')" )
     public void postOrganisationUnitGroupSetXML( HttpServletResponse response, InputStream input ) throws Exception
     {
         OrganisationUnitGroupSet organisationUnitGroupSet = Jaxb2Utils.unmarshal( OrganisationUnitGroupSet.class, input );
@@ -133,7 +133,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUPSET_ADD')" )
     public void postOrganisationUnitGroupSetJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
@@ -173,6 +173,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUPSET_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitGroupSetXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -180,6 +181,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUPSET_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitGroupSetJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -191,6 +193,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGUNITGROUPSET_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteOrganisationUnitGroupSet( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitLevelController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitLevelController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/OrganisationUnitLevelController.java	2012-03-02 12:39:20 +0000
@@ -103,57 +103,11 @@
     }
 
     //-------------------------------------------------------------------------------------------------------
-    // POST
-    //-------------------------------------------------------------------------------------------------------
-
-    @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
-    public void postOrganisationUnitLevelXML( HttpServletResponse response, InputStream input ) throws Exception
-    {
-        OrganisationUnitLevel organisationUnitLevel = Jaxb2Utils.unmarshal( OrganisationUnitLevel.class, input );
-        postOrganisationUnitLevel( organisationUnitLevel, response );
-    }
-
-    @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
-    @PreAuthorize( "hasRole('ALL') or hasRole('F_WEBAPI_CREATE')" )
-    public void postOrganisationUnitLevelJSON( HttpServletResponse response, InputStream input ) throws Exception
-    {
-        throw new HttpRequestMethodNotSupportedException( RequestMethod.POST.toString() );
-    }
-
-    public void postOrganisationUnitLevel( OrganisationUnitLevel organisationUnitLevel, HttpServletResponse response )
-    {
-        if ( organisationUnitLevel == null )
-        {
-            response.setStatus( HttpServletResponse.SC_NOT_IMPLEMENTED );
-        }
-        else
-        {
-            try
-            {
-                organisationUnitLevel = objectPersister.persistOrganisationUnitLevel( organisationUnitLevel );
-
-                if ( organisationUnitLevel.getUid() == null )
-                {
-                    response.setStatus( HttpServletResponse.SC_INTERNAL_SERVER_ERROR );
-                }
-                else
-                {
-                    response.setStatus( HttpServletResponse.SC_CREATED );
-                    response.setHeader( "Location", DataElementController.RESOURCE_PATH + "/" + organisationUnitLevel.getUid() );
-                }
-            } catch ( Exception e )
-            {
-                response.setStatus( HttpServletResponse.SC_CONFLICT );
-            }
-        }
-    }
-
-    //-------------------------------------------------------------------------------------------------------
     // PUT
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNITLEVEL_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitLevelXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
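Review bot: With postOrganisationUnitLevelXML, postOrganisationUnitLevelJSON and postOrganisationUnitLevel removed, the names that only they used may now be dead code in this file. The diff has no import hunk for OrganisationUnitLevelController, so `Jaxb2Utils`, `HttpServletResponse` and the `objectPersister` field presumably remain declared; if nothing outside the hunks still uses them, drop them in the same commit. putOrganisationUnitLevelXML's body continues outside the hunk, so its use of these names cannot be checked from here.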
@@ -161,20 +115,10 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_ORGANISATIONUNITLEVEL_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putOrganisationUnitLevelJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
         throw new HttpRequestMethodNotSupportedException( RequestMethod.PUT.toString() );
     }
-
-    //-------------------------------------------------------------------------------------------------------
-    // DELETE
-    //-------------------------------------------------------------------------------------------------------
-
-    @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
-    @ResponseStatus( value = HttpStatus.NO_CONTENT )
-    public void deleteOrganisationUnitLevel( @PathVariable( "uid" ) String uid ) throws Exception
-    {
-        throw new HttpRequestMethodNotSupportedException( RequestMethod.DELETE.toString() );
-    }
 }

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ReportTableController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ReportTableController.java	2012-01-24 14:43:36 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ReportTableController.java	2012-03-02 12:39:20 +0000
@@ -42,6 +42,7 @@
 import org.hisp.dhis.api.utils.ContextUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -221,6 +222,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_REPORTTABLE_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postReportTableXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -228,6 +230,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_REPORTTABLE_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postReportTableJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -239,6 +242,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_REPORTTABLE_ADD')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putReportTableXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
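Review bot: `putReportTableXML` is guarded by `F_REPORTTABLE_ADD`, whereas the PUT handlers of the other controllers in this commit (SqlView, User, ValidationRule, ValidationRuleGroup) each use a separate `_UPDATE` authority; the same applies to `putReportTableJSON` in the next hunk. If report tables deliberately share one authority for create and update, a comment such as `// report tables have no separate update authority; F_REPORTTABLE_ADD covers create and update` above the annotation would stop the next reader from treating it as a copy-paste slip. If a distinct update authority is defined elsewhere, it should be used here so that create and modify rights can be granted separately. The method body continues outside the hunk.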
@@ -246,6 +250,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_REPORTTABLE_ADD')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putReportTableJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -257,6 +262,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_REPORTTABLE_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteReportTable( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SqlViewController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SqlViewController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SqlViewController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.sqlview.SqlViews;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_SQLVIEW_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postSqlViewXML( HttpServletResponse response, InputStream input ) throws Exception
     {
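Review bot: The expression on `postSqlViewXML` passes un-prefixed authority names (`ALL`, `F_SQLVIEW_ADD`) to `hasRole(...)`, which works only while the Spring Security version in use compares the string as-is. Later Spring Security releases prepend `ROLE_` inside `hasRole`, at which point every check written this way would stop matching and deny all callers. Where the version in use provides it, `@PreAuthorize( "hasAnyAuthority('ALL', 'F_SQLVIEW_ADD')" )` states the intent without that dependency; the same applies to the other `@PreAuthorize` lines in this commit. The method body continues outside the hunk.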
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_SQLVIEW_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postSqlViewJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_SQLVIEW_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putSqlViewXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_SQLVIEW_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putSqlViewJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_SQLVIEW_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteSqlView( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserController.java	2012-01-05 21:51:00 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserController.java	2012-03-02 12:39:20 +0000
@@ -40,6 +40,7 @@
 import org.hisp.dhis.user.Users;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -102,6 +103,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postUserXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -109,6 +111,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postUserJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -120,6 +123,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putUserXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -127,6 +131,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putUserJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -138,6 +143,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteUser( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserGroupController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserGroupController.java	2011-12-21 11:37:17 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/UserGroupController.java	2012-03-02 12:39:20 +0000
@@ -34,6 +34,7 @@
 import org.hisp.dhis.user.UserGroups;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -101,6 +102,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_GRUP_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postUserGroupXML( HttpServletResponse response, InputStream input ) throws Exception
     {
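Review bot: The authority on `postUserGroupXML` is spelled `F_USER_GRUP_ADD`, and the `_ADD`, `_UPDATE` and `_DELETE` checks in the following UserGroupController hunks use the same `GRUP` spelling. The expression is a plain string, so a mismatch with the name under which the authority is actually registered is not caught at compile time and would leave these endpoints usable only by holders of `ALL`. Please confirm the spelling against the authority definition, which is not visible in this diff, and if it is intentional add a comment like `// 'GRUP' matches the existing authority name` above the annotation.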
@@ -108,6 +110,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_GRUP_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postUserGroupJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -119,6 +122,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_GRUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putUserGroupXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -126,6 +130,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_GRUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putUserGroupJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -137,6 +142,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_USER_GRUP_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteUserGroup( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.validation.ValidationRules;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULE_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postValidationRuleXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULE_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postValidationRuleJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULE_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putValidationRuleXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULE_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putValidationRuleJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULE_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteValidationRule( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleGroupController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleGroupController.java	2011-12-19 19:45:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ValidationRuleGroupController.java	2012-03-02 12:39:20 +0000
@@ -35,6 +35,7 @@
 import org.hisp.dhis.validation.ValidationRuleService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
@@ -119,6 +120,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULEGROUP_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postValidationRuleGroupXML( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -126,6 +128,7 @@
     }
 
     @RequestMapping( method = RequestMethod.POST, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULEGROUP_ADD')" )
     @ResponseStatus( value = HttpStatus.CREATED )
     public void postValidationRuleGroupJSON( HttpServletResponse response, InputStream input ) throws Exception
     {
@@ -137,6 +140,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/xml, text/xml"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULEGROUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putValidationRuleGroupXML( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -144,6 +148,7 @@
     }
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.PUT, headers = {"Content-Type=application/json"} )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULEGROUP_UPDATE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void putValidationRuleGroupJSON( @PathVariable( "uid" ) String uid, InputStream input ) throws Exception
     {
@@ -155,6 +160,7 @@
     //-------------------------------------------------------------------------------------------------------
 
     @RequestMapping( value = "/{uid}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('F_VALIDATIONRULEGROUP_DELETE')" )
     @ResponseStatus( value = HttpStatus.NO_CONTENT )
     public void deleteValidationGroupRule( @PathVariable( "uid" ) String uid ) throws Exception
     {

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-dataadmin/src/main/resources/struts.xml'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-dataadmin/src/main/resources/struts.xml	2012-02-29 09:21:50 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-dataadmin/src/main/resources/struts.xml	2012-03-02 12:39:20 +0000
@@ -468,14 +468,14 @@
       <result name="success" type="velocity">/main.vm</result>
       <param name="menu">/dhis-web-maintenance-dataadmin/menu.vm</param>
       <param name="page">/dhis-web-maintenance-dataadmin/addAttributeForm.vm</param>
-      <param name="requiredAuthorities">F_DATAELEMENT_ADD</param>
+      <param name="requiredAuthorities">F_ATTRIBUTE_ADD</param>
     </action>
 
     <action name="showUpdateAttributeForm" class="org.hisp.dhis.dataadmin.action.attribute.GetAttributeAction">
       <result name="success" type="velocity">/main.vm</result>
       <param name="menu">/dhis-web-maintenance-dataadmin/menu.vm</param>
       <param name="page">/dhis-web-maintenance-dataadmin/updateAttributeForm.vm</param>
-      <param name="requiredAuthorities">F_DATAELEMENT_UPDATE</param>
+      <param name="requiredAuthorities">F_ATTRIBUTE_UPDATE</param>
     </action>
 
     <action name="showSortAttributeForm" class="org.hisp.dhis.dataadmin.action.attribute.GetAttributeListSortOrderAction">
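Review bot: The attribute form actions in this hunk now require `F_ATTRIBUTE_ADD` / `F_ATTRIBUTE_UPDATE` instead of `F_DATAELEMENT_*`, but nothing in the visible diff registers the new authorities or grants them to existing roles; the later struts.xml hunks (`addAttribute`, `saveAttributeSortOrder`, `updateAttribute`, `removeAttribute`) make the same switch. Roles that managed attributes through the data element authorities would lose access on upgrade unless the new ones are granted, so a migration step or release note seems needed. Separately, `showSortAttributeForm` begins on the last line of this hunk and its parameters lie outside it, so it is worth checking that it carries `<param name="requiredAuthorities">F_ATTRIBUTE_UPDATE</param>` like `saveAttributeSortOrder`.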
@@ -486,18 +486,18 @@
     <action name="addAttribute" class="org.hisp.dhis.dataadmin.action.attribute.AddAttributeAction">
       <result name="success" type="redirect">attribute.action</result>
       <result name="error" type="redirect">index.action</result>
-      <param name="requiredAuthorities">F_DATAELEMENT_ADD</param>
+      <param name="requiredAuthorities">F_ATTRIBUTE_ADD</param>
     </action>
 
     <action name="saveAttributeSortOrder" class="org.hisp.dhis.dataadmin.action.attribute.SaveAttributeSortOrderAction">
       <result name="success" type="redirect">attribute.action</result>
-      <param name="requiredAuthorities">F_DATAELEMENT_UPDATE</param>
+      <param name="requiredAuthorities">F_ATTRIBUTE_UPDATE</param>
     </action>
 
     <action name="updateAttribute" class="org.hisp.dhis.dataadmin.action.attribute.UpdateAttributeAction">
       <result name="success" type="redirect">attribute.action</result>
       <result name="error" type="redirect">index.action</result>
-      <param name="requiredAuthorities">F_DATAELEMENT_UPDATE</param>
+      <param name="requiredAuthorities">F_ATTRIBUTE_UPDATE</param>
     </action>
 
     <action name="removeAttribute" class="org.hisp.dhis.dataadmin.action.attribute.RemoveAttributeAction">
@@ -508,7 +508,7 @@
         /dhis-web-commons/ajax/jsonResponseError.vm
       </result>
       <param name="onExceptionReturn">plainTextError</param>
-      <param name="requiredAuthorities">F_DATAELEMENT_DELETE</param>
+      <param name="requiredAuthorities">F_ATTRIBUTE_DELETE</param>
     </action>
 
     <action name="getAttribute" class="org.hisp.dhis.dataadmin.action.attribute.GetAttributeAction">