[Branch ~dhis2-devs-core/dhis2/trunk] Rev 14465: moved AccessControlService into its own package

 

------------------------------------------------------------
revno: 14465
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2014-03-27 05:40:10 +0100
message:
  moved AccessControlService into its own package
removed:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java
added:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java
modified:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java
  dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java
  dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java
  dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml
  dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java
  dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java
  dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== added directory 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol'
=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java	2014-03-27 04:40:10 +0000
@@ -0,0 +1,129 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
+import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
+import org.hisp.dhis.common.DxfNamespaces;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+@JacksonXmlRootElement( localName = "access", namespace = DxfNamespaces.DXF_2_0 )
+public class Access
+{
+    private boolean manage;
+
+    private boolean externalize;
+
+    private boolean write;
+
+    private boolean read;
+
+    private boolean update;
+
+    private boolean delete;
+
+    public Access()
+    {
+    }
+
+    @JsonProperty
+    @JacksonXmlProperty( localName = "manage", namespace = DxfNamespaces.DXF_2_0 )
+    public boolean isManage()
+    {
+        return manage;
+    }
+
+    public void setManage( boolean manage )
+    {
+        this.manage = manage;
+    }
+
+    @JsonProperty
+    @JacksonXmlProperty( localName = "externalize", namespace = DxfNamespaces.DXF_2_0 )
+    public boolean isExternalize()
+    {
+        return externalize;
+    }
+
+    public void setExternalize( boolean externalize )
+    {
+        this.externalize = externalize;
+    }
+
+    @JsonProperty
+    @JacksonXmlProperty( localName = "write", namespace = DxfNamespaces.DXF_2_0 )
+    public boolean isWrite()
+    {
+        return write;
+    }
+
+    public void setWrite( boolean write )
+    {
+        this.write = write;
+    }
+
+    @JsonProperty
+    @JacksonXmlProperty( localName = "read", namespace = DxfNamespaces.DXF_2_0 )
+    public boolean isRead()
+    {
+        return read;
+    }
+
+    public void setRead( boolean read )
+    {
+        this.read = read;
+    }
+
+    @JsonProperty
+    @JacksonXmlProperty( localName = "update", namespace = DxfNamespaces.DXF_2_0 )
+    public boolean isUpdate()
+    {
+        return update;
+    }
+
+    public void setUpdate( boolean update )
+    {
+        this.update = update;
+    }
+
+    @JsonProperty
+    @JacksonXmlProperty( localName = "delete", namespace = DxfNamespaces.DXF_2_0 )
+    public boolean isDelete()
+    {
+        return delete;
+    }
+
+    public void setDelete( boolean delete )
+    {
+        this.delete = delete;
+    }
+}
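Review bot: The Javadoc above `public class Access` holds only an `@author` tag, so nothing records whether these six flags are computed server-side for the requesting user or may also be read back from a payload. Every flag has a public setter and the class carries Jackson annotations, so if an `Access` is ever bound from a request body the values would be caller-supplied; that is an inference, since no binding code is visible in this hunk. Once the contract is confirmed I would state it in the class comment, for example `/** Effective permissions of the current user on one object; computed for output and not to be trusted when received as input. */`.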

=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java	2014-03-27 04:40:10 +0000
@@ -0,0 +1,150 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.user.User;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public interface AccessControlService
+{
+    public static final List<String> SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" );
+
+    boolean isSupported( String type );
+
+    boolean isSupported( Class<?> klass );
+
+    /**
+     * Can user write to this object (create)
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Is the user for the object null?
+     * 3. Is the user of the object equal to current user?
+     * 4. Is the object public write?
+     * 5. Does any of the userGroupAccesses contain public write and the current user is in that group
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canWrite( User user, IdentifiableObject object );
+
+    /**
+     * Can user read this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Is the user for the object null?
+     * 3. Is the user of the object equal to current user?
+     * 4. Is the object public read?
+     * 5. Does any of the userGroupAccesses contain public read and the current user is in that group
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canRead( User user, IdentifiableObject object );
+
+    /**
+     * Can user update this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Can user write to this object?
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canUpdate( User user, IdentifiableObject object );
+
+    /**
+     * Can user delete this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Can user write to this object?
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canDelete( User user, IdentifiableObject object );
+
+    /**
+     * Can user manage (make public) this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Can user write to this object?
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canManage( User user, IdentifiableObject object );
+
+    /**
+     * Checks if a user can create a public instance of a certain object.
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Does user have the authority to create public instances of that object
+     *
+     * @param user  User to check against
+     * @param klass Class to check
+     * @return Result of test
+     */
+    <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass );
+
+    /**
+     * Checks if a user can create a private instance of a certain object.
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Does user have the authority to create private instances of that object
+     *
+     * @param user  User to check against
+     * @param klass Class to check
+     * @return Result of test
+     */
+    <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass );
+
+    /**
+     * Can user make this object external? (read with no login)
+     *
+     * @param user   User to check against
+     * @param klass Type to check
+     * @return Result of test
+     */
+    <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass );
+
+    <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass );
+
+    Class<? extends IdentifiableObject> classForType( String type );
+}
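Review bot: `SHARING_OVERRIDE_AUTHORITIES` is a public constant built with `Arrays.asList`, which returns a fixed-size list whose elements can still be replaced through `set()`, so any code that can see the interface can alter which authorities bypass the sharing checks listed in the Javadoc below it. Wrapping the list closes that: `Collections.unmodifiableList( Arrays.asList( "ALL", "F_METADATA_IMPORT" ) )`, with `import java.util.Collections;` added beside the other `java.util` imports. The method comments also refer to `SHARING_OVERRIDE_AUTHORITY` in the singular, which is not the constant's name, and the comment on `canExternalize` does not say whether the override applies to it.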

=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java	2014-03-27 04:40:10 +0000
@@ -0,0 +1,129 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * Currently only the two first positions in the access string are used - rw.
+ *
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class AccessStringHelper
+{
+    public static final String DEFAULT_ACCESS = "--------";
+
+    public static enum Permission
+    {
+        READ( 'r', 0 ), WRITE( 'w', 1 );
+
+        private char value;
+
+        private int position;
+
+        private Permission( char value, int position )
+        {
+            this.value = value;
+            this.position = position;
+        }
+
+        public char getValue()
+        {
+            return value;
+        }
+
+        public int getPosition()
+        {
+            return position;
+        }
+    }
+
+    private char[] access = DEFAULT_ACCESS.toCharArray();
+
+    public AccessStringHelper()
+    {
+    }
+
+    public AccessStringHelper( char[] access )
+    {
+        this.access = access;
+    }
+
+    public AccessStringHelper( String access )
+    {
+        this.access = access.toCharArray();
+    }
+
+    public static AccessStringHelper newInstance()
+    {
+        return new AccessStringHelper();
+    }
+
+    public static AccessStringHelper newInstance( char[] access )
+    {
+        return new AccessStringHelper( access );
+    }
+
+    public AccessStringHelper enable( Permission permission )
+    {
+        access[permission.getPosition()] = permission.getValue();
+
+        return this;
+    }
+
+    public AccessStringHelper disable( Permission permission )
+    {
+        access[permission.getPosition()] = '-';
+
+        return this;
+    }
+
+    public String build()
+    {
+        return new String( access );
+    }
+
+    public String toString()
+    {
+        return build();
+    }
+
+    public static boolean canRead( String access )
+    {
+        return isEnabled( access, Permission.READ );
+    }
+
+    public static boolean canWrite( String access )
+    {
+        return isEnabled( access, Permission.WRITE );
+    }
+
+    public static boolean isEnabled( String access, Permission permission )
+    {
+        return access != null && access.charAt( permission.getPosition() ) == permission.getValue();
+    }
+}
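Review bot: `isEnabled` guards against `null` but not against a short string, so `access.charAt( permission.getPosition() )` throws `StringIndexOutOfBoundsException` for an empty or one-character access value instead of answering false. A permission check that reads stored data is easier to reason about if malformed input simply denies: `return access != null && access.length() > permission.getPosition() && access.charAt( permission.getPosition() ) == permission.getValue();`. Separately, `AccessStringHelper( char[] access )` keeps the caller's array, so `enable` and `disable` write through to it and a later change by the caller alters the built string; `this.access = access.clone();` avoids the aliasing. `toString()` is also missing `@Override`.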

=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java	2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java	2014-03-27 04:40:10 +0000
@@ -40,7 +40,7 @@
 import org.hisp.dhis.common.view.SharingBasicView;
 import org.hisp.dhis.common.view.SharingDetailedView;
 import org.hisp.dhis.common.view.SharingExportView;
-import org.hisp.dhis.sharing.Access;
+import org.hisp.dhis.accesscontrol.Access;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserGroupAccess;
 

=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java	2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java	2014-03-27 04:40:10 +0000
@@ -28,7 +28,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-import org.hisp.dhis.sharing.Access;
+import org.hisp.dhis.accesscontrol.Access;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserGroupAccess;
 

=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java	2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java	2014-03-27 04:40:10 +0000
@@ -35,7 +35,7 @@
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
 import org.hisp.dhis.chart.Chart;
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
 import org.hisp.dhis.common.BaseIdentifiableObject;
 import org.hisp.dhis.common.DxfNamespaces;
 import org.hisp.dhis.common.IdentifiableObject;

=== removed directory 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing'
=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java	2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java	1970-01-01 00:00:00 +0000
@@ -1,129 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
-import org.hisp.dhis.common.DxfNamespaces;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-@JacksonXmlRootElement( localName = "access", namespace = DxfNamespaces.DXF_2_0 )
-public class Access
-{
-    private boolean manage;
-
-    private boolean externalize;
-
-    private boolean write;
-
-    private boolean read;
-
-    private boolean update;
-
-    private boolean delete;
-
-    public Access()
-    {
-    }
-
-    @JsonProperty
-    @JacksonXmlProperty( localName = "manage", namespace = DxfNamespaces.DXF_2_0 )
-    public boolean isManage()
-    {
-        return manage;
-    }
-
-    public void setManage( boolean manage )
-    {
-        this.manage = manage;
-    }
-
-    @JsonProperty
-    @JacksonXmlProperty( localName = "externalize", namespace = DxfNamespaces.DXF_2_0 )
-    public boolean isExternalize()
-    {
-        return externalize;
-    }
-
-    public void setExternalize( boolean externalize )
-    {
-        this.externalize = externalize;
-    }
-
-    @JsonProperty
-    @JacksonXmlProperty( localName = "write", namespace = DxfNamespaces.DXF_2_0 )
-    public boolean isWrite()
-    {
-        return write;
-    }
-
-    public void setWrite( boolean write )
-    {
-        this.write = write;
-    }
-
-    @JsonProperty
-    @JacksonXmlProperty( localName = "read", namespace = DxfNamespaces.DXF_2_0 )
-    public boolean isRead()
-    {
-        return read;
-    }
-
-    public void setRead( boolean read )
-    {
-        this.read = read;
-    }
-
-    @JsonProperty
-    @JacksonXmlProperty( localName = "update", namespace = DxfNamespaces.DXF_2_0 )
-    public boolean isUpdate()
-    {
-        return update;
-    }
-
-    public void setUpdate( boolean update )
-    {
-        this.update = update;
-    }
-
-    @JsonProperty
-    @JacksonXmlProperty( localName = "delete", namespace = DxfNamespaces.DXF_2_0 )
-    public boolean isDelete()
-    {
-        return delete;
-    }
-
-    public void setDelete( boolean delete )
-    {
-        this.delete = delete;
-    }
-}

=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java	1970-01-01 00:00:00 +0000
@@ -1,150 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.common.IdentifiableObject;
-import org.hisp.dhis.user.User;
-
-import java.util.Arrays;
-import java.util.List;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public interface AccessControlService
-{
-    public static final List<String> SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" );
-
-    boolean isSupported( String type );
-
-    boolean isSupported( Class<?> klass );
-
-    /**
-     * Can user write to this object (create)
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Is the user for the object null?
-     * 3. Is the user of the object equal to current user?
-     * 4. Is the object public write?
-     * 5. Does any of the userGroupAccesses contain public write and the current user is in that group
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canWrite( User user, IdentifiableObject object );
-
-    /**
-     * Can user read this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Is the user for the object null?
-     * 3. Is the user of the object equal to current user?
-     * 4. Is the object public read?
-     * 5. Does any of the userGroupAccesses contain public read and the current user is in that group
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canRead( User user, IdentifiableObject object );
-
-    /**
-     * Can user update this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Can user write to this object?
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canUpdate( User user, IdentifiableObject object );
-
-    /**
-     * Can user delete this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Can user write to this object?
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canDelete( User user, IdentifiableObject object );
-
-    /**
-     * Can user manage (make public) this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Can user write to this object?
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canManage( User user, IdentifiableObject object );
-
-    /**
-     * Checks if a user can create a public instance of a certain object.
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Does user have the authority to create public instances of that object
-     *
-     * @param user  User to check against
-     * @param klass Class to check
-     * @return Result of test
-     */
-    <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass );
-
-    /**
-     * Checks if a user can create a private instance of a certain object.
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Does user have the authority to create private instances of that object
-     *
-     * @param user  User to check against
-     * @param klass Class to check
-     * @return Result of test
-     */
-    <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass );
-
-    /**
-     * Can user make this object external? (read with no login)
-     *
-     * @param user   User to check against
-     * @param klass Type to check
-     * @return Result of test
-     */
-    <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass );
-
-    <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass );
-
-    Class<? extends IdentifiableObject> classForType( String type );
-}

=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java	2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java	1970-01-01 00:00:00 +0000
@@ -1,129 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * Currently only the two first positions in the access string are used - rw.
- *
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public class AccessStringHelper
-{
-    public static final String DEFAULT_ACCESS = "--------";
-
-    public static enum Permission
-    {
-        READ( 'r', 0 ), WRITE( 'w', 1 );
-
-        private char value;
-
-        private int position;
-
-        private Permission( char value, int position )
-        {
-            this.value = value;
-            this.position = position;
-        }
-
-        public char getValue()
-        {
-            return value;
-        }
-
-        public int getPosition()
-        {
-            return position;
-        }
-    }
-
-    private char[] access = DEFAULT_ACCESS.toCharArray();
-
-    public AccessStringHelper()
-    {
-    }
-
-    public AccessStringHelper( char[] access )
-    {
-        this.access = access;
-    }
-
-    public AccessStringHelper( String access )
-    {
-        this.access = access.toCharArray();
-    }
-
-    public static AccessStringHelper newInstance()
-    {
-        return new AccessStringHelper();
-    }
-
-    public static AccessStringHelper newInstance( char[] access )
-    {
-        return new AccessStringHelper( access );
-    }
-
-    public AccessStringHelper enable( Permission permission )
-    {
-        access[permission.getPosition()] = permission.getValue();
-
-        return this;
-    }
-
-    public AccessStringHelper disable( Permission permission )
-    {
-        access[permission.getPosition()] = '-';
-
-        return this;
-    }
-
-    public String build()
-    {
-        return new String( access );
-    }
-
-    public String toString()
-    {
-        return build();
-    }
-
-    public static boolean canRead( String access )
-    {
-        return isEnabled( access, Permission.READ );
-    }
-
-    public static boolean canWrite( String access )
-    {
-        return isEnabled( access, Permission.WRITE );
-    }
-
-    public static boolean isEnabled( String access, Permission permission )
-    {
-        return access != null && access.charAt( permission.getPosition() ) == permission.getValue();
-    }
-}

=== modified file 'dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java'
--- dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java	2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java	2014-03-27 04:40:10 +0000
@@ -28,7 +28,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
 import org.junit.Assert;
 import org.junit.Test;
 

=== modified file 'dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java'
--- dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java	2014-03-27 04:40:10 +0000
@@ -56,7 +56,7 @@
 import org.hisp.dhis.period.PeriodType;
 import org.hisp.dhis.period.RelativePeriodEnum;
 import org.hisp.dhis.period.RelativePeriods;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
 import org.hisp.dhis.system.util.UniqueArrayList;
 import org.hisp.dhis.trackedentity.TrackedEntityAttribute;
 import org.hisp.dhis.trackedentity.TrackedEntityAttributeDimension;

=== added directory 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol'
=== added file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java	2014-03-27 04:40:10 +0000
@@ -0,0 +1,279 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.dashboard.Dashboard;
+import org.hisp.dhis.schema.AuthorityType;
+import org.hisp.dhis.schema.Schema;
+import org.hisp.dhis.schema.SchemaService;
+import org.hisp.dhis.user.User;
+import org.hisp.dhis.user.UserGroup;
+import org.hisp.dhis.user.UserGroupAccess;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.springframework.util.CollectionUtils.containsAny;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class DefaultAccessControlService implements AccessControlService
+{
+    @Autowired
+    private SchemaService schemaService;
+
+    @Override
+    public boolean isSupported( String type )
+    {
+        Schema schema = schemaService.getSchemaBySingularName( type );
+        return schema != null && schema.isShareable();
+    }
+
+    @Override
+    public boolean isSupported( Class<?> klass )
+    {
+        Schema schema = schemaService.getSchema( klass );
+        return schema != null && schema.isShareable();
+    }
+
+    @Override
+    public boolean canWrite( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import
+        if ( haveOverrideAuthority( user )
+            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
+            || (user != null && user.equals( object.getUser() ))
+            //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) )
+            || ((object instanceof User) && canCreatePrivate( user, object.getClass() ))
+            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
+        {
+            return true;
+        }
+
+        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+        {
+            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
+                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public boolean canRead( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( haveOverrideAuthority( user )
+            || UserGroup.class.isAssignableFrom( object.getClass() )
+            || object.getUser() == null
+            || user.equals( object.getUser() )
+            || AccessStringHelper.canRead( object.getPublicAccess() ) )
+        {
+            return true;
+        }
+
+        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+        {
+            if ( AccessStringHelper.canRead( userGroupAccess.getAccess() )
+                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public boolean canUpdate( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
+        {
+            return canWrite( user, object );
+        }
+
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        return canAccess( authorities, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
+    }
+
+    @Override
+    public boolean canDelete( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
+        {
+            return canWrite( user, object );
+        }
+
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        return canAccess( authorities, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
+    }
+
+    private boolean canAccess( Collection<String> userAuthorities, Collection<String> requiredAuthorities )
+    {
+        return containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
+            containsAny( userAuthorities, requiredAuthorities );
+    }
+
+    @Override
+    public boolean canManage( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( haveOverrideAuthority( user )
+            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
+            || user.equals( object.getUser() )
+            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
+        {
+            return true;
+        }
+
+        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+        {
+            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
+                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass )
+    {
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        Schema schema = schemaService.getSchema( klass );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) );
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass )
+    {
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        Schema schema = schemaService.getSchema( klass );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) );
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass )
+    {
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        Schema schema = schemaService.getSchema( klass );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) );
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass )
+    {
+        // TODO this is quite nasty, should probably be added to schema
+        return !Dashboard.class.isAssignableFrom( klass );
+    }
+
+    @Override
+    @SuppressWarnings( "unchecked" )
+    public Class<? extends IdentifiableObject> classForType( String type )
+    {
+        Schema schema = schemaService.getSchemaBySingularName( type );
+
+        if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() )
+        {
+            return (Class<? extends IdentifiableObject>) schema.getKlass();
+        }
+
+        return null;
+    }
+
+    private boolean haveOverrideAuthority( User user )
+    {
+        return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );
+    }
+}
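Review bot: `haveOverrideAuthority` (the last method of the class) returns true when `user == null`, so `canRead`, `canWrite` and `canManage` grant access whenever no user is supplied, whereas `canCreatePublic`, `canCreatePrivate` and `canExternalize` give a null user an empty authority set and deny. If null is meant to stand for a trusted internal caller, that contract belongs in a Javadoc on the helper, e.g. `/** A null user is treated as an internal caller and bypasses sharing checks. */`, and callers should be checked so that an unauthenticated request can never arrive here as null. If it is not intended, fail closed with `return user != null && containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );` and add the `user != null &&` guard that `canWrite` already has to the `user.equals( object.getUser() )` lines in `canRead` and `canManage`, which would otherwise throw on null. The file appears to be moved unchanged from `org.hisp.dhis.sharing`, so this predates the commit, but the move is a good point to settle it.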

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2014-03-27 04:40:10 +0000
@@ -35,7 +35,7 @@
 import org.hisp.dhis.message.MessageSender;
 import org.hisp.dhis.period.Cal;
 import org.hisp.dhis.setting.SystemSettingManager;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
 import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.system.velocity.VelocityManager;
 import org.hisp.dhis.user.CurrentUserService;

=== removed directory 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing'
=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java	1970-01-01 00:00:00 +0000
@@ -1,279 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.common.IdentifiableObject;
-import org.hisp.dhis.dashboard.Dashboard;
-import org.hisp.dhis.schema.AuthorityType;
-import org.hisp.dhis.schema.Schema;
-import org.hisp.dhis.schema.SchemaService;
-import org.hisp.dhis.user.User;
-import org.hisp.dhis.user.UserGroup;
-import org.hisp.dhis.user.UserGroupAccess;
-import org.springframework.beans.factory.annotation.Autowired;
-
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import static org.springframework.util.CollectionUtils.containsAny;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public class DefaultAccessControlService implements AccessControlService
-{
-    @Autowired
-    private SchemaService schemaService;
-
-    @Override
-    public boolean isSupported( String type )
-    {
-        Schema schema = schemaService.getSchemaBySingularName( type );
-        return schema != null && schema.isShareable();
-    }
-
-    @Override
-    public boolean isSupported( Class<?> klass )
-    {
-        Schema schema = schemaService.getSchema( klass );
-        return schema != null && schema.isShareable();
-    }
-
-    @Override
-    public boolean canWrite( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import
-        if ( haveOverrideAuthority( user )
-            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
-            || (user != null && user.equals( object.getUser() ))
-            //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) )
-            || ((object instanceof User) && canCreatePrivate( user, object.getClass() ))
-            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
-        {
-            return true;
-        }
-
-        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
-        {
-            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
-                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    @Override
-    public boolean canRead( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( haveOverrideAuthority( user )
-            || UserGroup.class.isAssignableFrom( object.getClass() )
-            || object.getUser() == null
-            || user.equals( object.getUser() )
-            || AccessStringHelper.canRead( object.getPublicAccess() ) )
-        {
-            return true;
-        }
-
-        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
-        {
-            if ( AccessStringHelper.canRead( userGroupAccess.getAccess() )
-                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    @Override
-    public boolean canUpdate( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
-        {
-            return canWrite( user, object );
-        }
-
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        return canAccess( authorities, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
-    }
-
-    @Override
-    public boolean canDelete( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
-        {
-            return canWrite( user, object );
-        }
-
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        return canAccess( authorities, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
-    }
-
-    private boolean canAccess( Collection<String> userAuthorities, Collection<String> requiredAuthorities )
-    {
-        return containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
-            containsAny( userAuthorities, requiredAuthorities );
-    }
-
-    @Override
-    public boolean canManage( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( haveOverrideAuthority( user )
-            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
-            || user.equals( object.getUser() )
-            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
-        {
-            return true;
-        }
-
-        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
-        {
-            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
-                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass )
-    {
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        Schema schema = schemaService.getSchema( klass );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) );
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass )
-    {
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        Schema schema = schemaService.getSchema( klass );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) );
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass )
-    {
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        Schema schema = schemaService.getSchema( klass );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) );
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass )
-    {
-        // TODO this is quite nasty, should probably be added to schema
-        return !Dashboard.class.isAssignableFrom( klass );
-    }
-
-    @Override
-    @SuppressWarnings( "unchecked" )
-    public Class<? extends IdentifiableObject> classForType( String type )
-    {
-        Schema schema = schemaService.getSchemaBySingularName( type );
-
-        if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() )
-        {
-            return (Class<? extends IdentifiableObject>) schema.getKlass();
-        }
-
-        return null;
-    }
-
-    private boolean haveOverrideAuthority( User user )
-    {
-        return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );
-    }
-}

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml	2014-03-27 04:40:10 +0000
@@ -11,7 +11,7 @@
 
   <bean id="org.hisp.dhis.schema.PropertyIntrospectorService" class="org.hisp.dhis.schema.DefaultPropertyIntrospectorService" />
 
-  <bean id="org.hisp.dhis.sharing.AccessControlService" class="org.hisp.dhis.sharing.DefaultAccessControlService" />
+  <bean id="org.hisp.dhis.sharing.AccessControlService" class="org.hisp.dhis.accesscontrol.DefaultAccessControlService" />
 
   <!-- Store definitions -->
 
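Review bot: The bean id on the changed line still reads `org.hisp.dhis.sharing.AccessControlService` although the class now lives in `org.hisp.dhis.accesscontrol`, so the id no longer follows the interface's fully qualified name the way the neighbouring `org.hisp.dhis.schema.PropertyIntrospectorService` bean does. The Java files touched by this commit import `@Autowired`, so injection is presumably by type and still wires, but any `ref=` or lookup by id elsewhere would keep pointing at the stale package name. Consider `<bean id="org.hisp.dhis.accesscontrol.AccessControlService" class="org.hisp.dhis.accesscontrol.DefaultAccessControlService" />` after checking the other bean definition files for references to the old id.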

=== modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java'
--- dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java	2014-03-27 04:40:10 +0000
@@ -55,7 +55,7 @@
 import org.hisp.dhis.period.Period;
 import org.hisp.dhis.period.PeriodService;
 import org.hisp.dhis.period.PeriodType;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
 import org.hisp.dhis.system.util.CollectionUtils;
 import org.hisp.dhis.system.util.ReflectionUtils;
 import org.hisp.dhis.system.util.functional.Function1;

=== modified file 'dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java'
--- dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java	2014-03-27 04:40:10 +0000
@@ -46,8 +46,8 @@
 import org.hisp.dhis.hibernate.exception.ReadAccessDeniedException;
 import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
 import org.hisp.dhis.interpretation.Interpretation;
-import org.hisp.dhis.sharing.AccessControlService;
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.UserGroupAccess;
 import org.springframework.beans.factory.annotation.Autowired;

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java	2014-03-27 04:40:10 +0000
@@ -51,8 +51,8 @@
 import org.hisp.dhis.dxf2.utils.JacksonUtils;
 import org.hisp.dhis.schema.Schema;
 import org.hisp.dhis.schema.SchemaService;
-import org.hisp.dhis.sharing.Access;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.Access;
+import org.hisp.dhis.accesscontrol.AccessControlService;
 import org.hisp.dhis.system.util.ReflectionUtils;
 import org.hisp.dhis.user.CurrentUserService;
 import org.springframework.beans.factory.annotation.Autowired;

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java	2014-03-27 04:40:10 +0000
@@ -38,8 +38,8 @@
 import org.hisp.dhis.common.IdentifiableObject;
 import org.hisp.dhis.common.IdentifiableObjectManager;
 import org.hisp.dhis.dxf2.utils.JacksonUtils;
-import org.hisp.dhis.sharing.AccessControlService;
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.UserGroup;
 import org.hisp.dhis.user.UserGroupAccess;

=== modified file 'dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java'
--- dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java	2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java	2014-03-27 04:40:10 +0000
@@ -44,7 +44,7 @@
 import org.hisp.dhis.indicator.IndicatorService;
 import org.hisp.dhis.organisationunit.OrganisationUnitDataSetAssociationSet;
 import org.hisp.dhis.organisationunit.OrganisationUnitService;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.User;
 import org.springframework.beans.factory.annotation.Autowired;