
dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 14469: minor fixes to aclService

 

------------------------------------------------------------
revno: 14469
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2014-03-27 07:07:15 +0100
message:
  minor fixes to aclService
removed:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java
added:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java
modified:
  dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java
  dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml
  dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java
  dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java
  dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java	2014-03-27 05:13:32 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java	1970-01-01 00:00:00 +0000
@@ -1,152 +0,0 @@
-package org.hisp.dhis.acl;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.common.IdentifiableObject;
-import org.hisp.dhis.user.User;
-
-import java.util.Arrays;
-import java.util.List;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public interface AccessControlService
-{
-    public static final List<String> SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" );
-
-    boolean isSupported( String type );
-
-    boolean isSupported( Class<?> klass );
-
-    boolean isShareable( Class<?> klass );
-
-    /**
-     * Can user write to this object (create)
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Is the user for the object null?
-     * 3. Is the user of the object equal to current user?
-     * 4. Is the object public write?
-     * 5. Does any of the userGroupAccesses contain public write and the current user is in that group
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canWrite( User user, IdentifiableObject object );
-
-    /**
-     * Can user read this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Is the user for the object null?
-     * 3. Is the user of the object equal to current user?
-     * 4. Is the object public read?
-     * 5. Does any of the userGroupAccesses contain public read and the current user is in that group
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canRead( User user, IdentifiableObject object );
-
-    /**
-     * Can user update this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Can user write to this object?
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canUpdate( User user, IdentifiableObject object );
-
-    /**
-     * Can user delete this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Can user write to this object?
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canDelete( User user, IdentifiableObject object );
-
-    /**
-     * Can user manage (make public) this object
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Can user write to this object?
-     *
-     * @param user   User to check against
-     * @param object Object to check
-     * @return Result of test
-     */
-    boolean canManage( User user, IdentifiableObject object );
-
-    /**
-     * Checks if a user can create a public instance of a certain object.
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Does user have the authority to create public instances of that object
-     *
-     * @param user  User to check against
-     * @param klass Class to check
-     * @return Result of test
-     */
-    <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass );
-
-    /**
-     * Checks if a user can create a private instance of a certain object.
-     * <p/>
-     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
-     * 2. Does user have the authority to create private instances of that object
-     *
-     * @param user  User to check against
-     * @param klass Class to check
-     * @return Result of test
-     */
-    <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass );
-
-    /**
-     * Can user make this object external? (read with no login)
-     *
-     * @param user  User to check against
-     * @param klass Type to check
-     * @return Result of test
-     */
-    <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass );
-
-    <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass );
-
-    Class<? extends IdentifiableObject> classForType( String type );
-}

=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java	2014-03-27 06:07:15 +0000
@@ -0,0 +1,154 @@
+package org.hisp.dhis.acl;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.user.User;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public interface AclService
+{
+    public static final List<String> SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" );
+
+    boolean isSupported( String type );
+
+    boolean isSupported( Class<?> klass );
+
+    boolean isShareable( String type );
+
+    boolean isShareable( Class<?> klass );
+
+    /**
+     * Can user write to this object (create)
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Is the user for the object null?
+     * 3. Is the user of the object equal to current user?
+     * 4. Is the object public write?
+     * 5. Does any of the userGroupAccesses contain public write and the current user is in that group
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canWrite( User user, IdentifiableObject object );
+
+    /**
+     * Can user read this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Is the user for the object null?
+     * 3. Is the user of the object equal to current user?
+     * 4. Is the object public read?
+     * 5. Does any of the userGroupAccesses contain public read and the current user is in that group
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canRead( User user, IdentifiableObject object );
+
+    /**
+     * Can user update this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Can user write to this object?
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canUpdate( User user, IdentifiableObject object );
+
+    /**
+     * Can user delete this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Can user write to this object?
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canDelete( User user, IdentifiableObject object );
+
+    /**
+     * Can user manage (make public) this object
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Can user write to this object?
+     *
+     * @param user   User to check against
+     * @param object Object to check
+     * @return Result of test
+     */
+    boolean canManage( User user, IdentifiableObject object );
+
+    /**
+     * Checks if a user can create a public instance of a certain object.
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Does user have the authority to create public instances of that object
+     *
+     * @param user  User to check against
+     * @param klass Class to check
+     * @return Result of test
+     */
+    <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass );
+
+    /**
+     * Checks if a user can create a private instance of a certain object.
+     * <p/>
+     * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+     * 2. Does user have the authority to create private instances of that object
+     *
+     * @param user  User to check against
+     * @param klass Class to check
+     * @return Result of test
+     */
+    <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass );
+
+    /**
+     * Can user make this object external? (read with no login)
+     *
+     * @param user  User to check against
+     * @param klass Type to check
+     * @return Result of test
+     */
+    <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass );
+
+    <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass );
+
+    Class<? extends IdentifiableObject> classForType( String type );
+}
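Review bot: `SHARING_OVERRIDE_AUTHORITIES` is published as a public interface constant built with `Arrays.asList( ... )`, which returns a fixed-size but still writable list, so any code on the classpath can call `set()` on it and change which authorities bypass the sharing checks. Wrapping it as `Collections.unmodifiableList( Arrays.asList( "ALL", "F_METADATA_IMPORT" ) )` (with `import java.util.Collections;`) keeps the override set fixed. The Javadoc on the `can*` methods refers to `SHARING_OVERRIDE_AUTHORITY`, which does not match the constant's name and should read `SHARING_OVERRIDE_AUTHORITIES`. The new `isShareable( String type )` and the existing `isSupported( String type )` have no Javadoc saying how they differ; in the removed `DefaultAccessControlService` both class-based variants returned `schema != null && schema.isShareable()`, so a one-line comment on each stating the intended distinction would help callers choose the right check.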

=== modified file 'dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java'
--- dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java	2014-03-27 06:07:15 +0000
@@ -28,6 +28,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.common.BaseAnalyticalObject;
 import org.hisp.dhis.common.DimensionService;
 import org.hisp.dhis.common.DimensionType;
@@ -56,7 +57,6 @@
 import org.hisp.dhis.period.PeriodType;
 import org.hisp.dhis.period.RelativePeriodEnum;
 import org.hisp.dhis.period.RelativePeriods;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.system.util.UniqueArrayList;
 import org.hisp.dhis.trackedentity.TrackedEntityAttribute;
 import org.hisp.dhis.trackedentity.TrackedEntityAttributeDimension;
@@ -100,7 +100,7 @@
     private DataElementService dataElementService;
 
     @Autowired
-    private AccessControlService accessControlService;
+    private AclService aclService;
 
     @Autowired
     private CurrentUserService currentUserService;
@@ -169,7 +169,7 @@
 
             for ( NameableObject item : dimension.getItems() )
             {
-                boolean canRead = accessControlService.canRead( user, item );
+                boolean canRead = aclService.canRead( user, item );
 
                 if ( canRead )
                 {

=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java	2014-03-27 05:13:32 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java	1970-01-01 00:00:00 +0000
@@ -1,284 +0,0 @@
-package org.hisp.dhis.acl;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.common.IdentifiableObject;
-import org.hisp.dhis.dashboard.Dashboard;
-import org.hisp.dhis.schema.AuthorityType;
-import org.hisp.dhis.schema.Schema;
-import org.hisp.dhis.schema.SchemaService;
-import org.hisp.dhis.user.User;
-import org.hisp.dhis.user.UserGroup;
-import org.hisp.dhis.user.UserGroupAccess;
-import org.springframework.beans.factory.annotation.Autowired;
-
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import static org.springframework.util.CollectionUtils.containsAny;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public class DefaultAccessControlService implements AccessControlService
-{
-    @Autowired
-    private SchemaService schemaService;
-
-    @Override
-    public boolean isSupported( String type )
-    {
-        Schema schema = schemaService.getSchemaBySingularName( type );
-        return schema != null && schema.isShareable();
-    }
-
-    @Override
-    public boolean isSupported( Class<?> klass )
-    {
-        Schema schema = schemaService.getSchema( klass );
-        return schema != null && schema.isShareable();
-    }
-
-    @Override
-    public boolean isShareable( Class<?> klass )
-    {
-        Schema schema = schemaService.getSchema( klass );
-        return schema != null && schema.isShareable();
-    }
-
-    @Override
-    public boolean canWrite( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import
-        if ( haveOverrideAuthority( user )
-            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
-            || (user != null && user.equals( object.getUser() ))
-            //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) )
-            || ((object instanceof User) && canCreatePrivate( user, object.getClass() ))
-            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
-        {
-            return true;
-        }
-
-        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
-        {
-            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
-                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    @Override
-    public boolean canRead( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( haveOverrideAuthority( user )
-            || UserGroup.class.isAssignableFrom( object.getClass() )
-            || object.getUser() == null
-            || user.equals( object.getUser() )
-            || AccessStringHelper.canRead( object.getPublicAccess() ) )
-        {
-            return true;
-        }
-
-        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
-        {
-            if ( AccessStringHelper.canRead( userGroupAccess.getAccess() )
-                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    @Override
-    public boolean canUpdate( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
-        {
-            return canWrite( user, object );
-        }
-
-        return canAccess( user, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
-    }
-
-    @Override
-    public boolean canDelete( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
-        {
-            return canWrite( user, object );
-        }
-
-        return canAccess( user, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
-    }
-
-    private boolean canAccess( User user, Collection<String> requiredAuthorities )
-    {
-        Set<String> userAuthorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        return user == null || containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
-            containsAny( userAuthorities, requiredAuthorities );
-    }
-
-    @Override
-    public boolean canManage( User user, IdentifiableObject object )
-    {
-        Schema schema = schemaService.getSchema( object.getClass() );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        if ( haveOverrideAuthority( user )
-            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
-            || user.equals( object.getUser() )
-            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
-        {
-            return true;
-        }
-
-        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
-        {
-            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
-                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass )
-    {
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        Schema schema = schemaService.getSchema( klass );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) );
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass )
-    {
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        Schema schema = schemaService.getSchema( klass );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) );
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass )
-    {
-        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
-        Schema schema = schemaService.getSchema( klass );
-
-        if ( schema == null || !schema.isShareable() )
-        {
-            return false;
-        }
-
-        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) );
-    }
-
-    @Override
-    public <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass )
-    {
-        // TODO this is quite nasty, should probably be added to schema
-        return !Dashboard.class.isAssignableFrom( klass );
-    }
-
-    @Override
-    @SuppressWarnings( "unchecked" )
-    public Class<? extends IdentifiableObject> classForType( String type )
-    {
-        Schema schema = schemaService.getSchemaBySingularName( type );
-
-        if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() )
-        {
-            return (Class<? extends IdentifiableObject>) schema.getKlass();
-        }
-
-        return null;
-    }
-
-    private boolean haveOverrideAuthority( User user )
-    {
-        return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );
-    }
-}

=== added file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java	2014-03-27 06:07:15 +0000
@@ -0,0 +1,290 @@
+package org.hisp.dhis.acl;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.dashboard.Dashboard;
+import org.hisp.dhis.schema.AuthorityType;
+import org.hisp.dhis.schema.Schema;
+import org.hisp.dhis.schema.SchemaService;
+import org.hisp.dhis.user.User;
+import org.hisp.dhis.user.UserGroup;
+import org.hisp.dhis.user.UserGroupAccess;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.springframework.util.CollectionUtils.containsAny;
+
+/**
+ * Default ACL implementation that uses SchemaDescriptors to get authorities / sharing flags.
+ *
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class DefaultAclService implements AclService
+{
+    @Autowired
+    private SchemaService schemaService;
+
+    @Override
+    public boolean isSupported( String type )
+    {
+        Schema schema = schemaService.getSchemaBySingularName( type );
+        return schema != null && schema.isShareable();
+    }
+
+    @Override
+    public boolean isSupported( Class<?> klass )
+    {
+        Schema schema = schemaService.getSchema( klass );
+        return schema != null && schema.isShareable();
+    }
+
+    @Override
+    public boolean isShareable( String type )
+    {
+        Schema schema = schemaService.getSchemaBySingularName( type );
+        return schema != null && schema.isShareable();
+    }
+
+    @Override
+    public boolean isShareable( Class<?> klass )
+    {
+        Schema schema = schemaService.getSchema( klass );
+        return schema != null && schema.isShareable();
+    }
+
+    @Override
+    public boolean canWrite( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import
+        if ( haveOverrideAuthority( user )
+            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
+            || (user != null && user.equals( object.getUser() ))
+            //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) )
+            || ((object instanceof User) && canCreatePrivate( user, object.getClass() ))
+            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
+        {
+            return true;
+        }
+
+        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+        {
+            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
+                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public boolean canRead( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( haveOverrideAuthority( user )
+            || UserGroup.class.isAssignableFrom( object.getClass() )
+            || object.getUser() == null
+            || user.equals( object.getUser() )
+            || AccessStringHelper.canRead( object.getPublicAccess() ) )
+        {
+            return true;
+        }
+
+        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+        {
+            if ( AccessStringHelper.canRead( userGroupAccess.getAccess() )
+                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public boolean canUpdate( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
+        {
+            return canWrite( user, object );
+        }
+
+        return canAccess( user, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
+    }
+
+    @Override
+    public boolean canDelete( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
+        {
+            return canWrite( user, object );
+        }
+
+        return canAccess( user, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
+    }
+
+    @Override
+    public boolean canManage( User user, IdentifiableObject object )
+    {
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( haveOverrideAuthority( user )
+            || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
+            || user.equals( object.getUser() )
+            || AccessStringHelper.canWrite( object.getPublicAccess() ) )
+        {
+            return true;
+        }
+
+        for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+        {
+            if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
+                && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass )
+    {
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        Schema schema = schemaService.getSchema( klass );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) );
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass )
+    {
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        Schema schema = schemaService.getSchema( klass );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) );
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass )
+    {
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        Schema schema = schemaService.getSchema( klass );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) );
+    }
+
+    @Override
+    public <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass )
+    {
+        // TODO this is quite nasty, should probably be added to schema
+        return !Dashboard.class.isAssignableFrom( klass );
+    }
+
+    @Override
+    @SuppressWarnings( "unchecked" )
+    public Class<? extends IdentifiableObject> classForType( String type )
+    {
+        Schema schema = schemaService.getSchemaBySingularName( type );
+
+        if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() )
+        {
+            return (Class<? extends IdentifiableObject>) schema.getKlass();
+        }
+
+        return null;
+    }
+
+    private boolean haveOverrideAuthority( User user )
+    {
+        return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );
+    }
+
+    private boolean canAccess( User user, Collection<String> requiredAuthorities )
+    {
+        return haveOverrideAuthority( user ) || containsAny( user.getUserCredentials().getAllAuthorities(), requiredAuthorities );
+    }
+}
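Review bot: `haveOverrideAuthority` at the end of this file returns true for a null user, so `canRead`, `canWrite`, `canManage` and, through `canAccess`, `canUpdate` and `canDelete` all grant access when no user is supplied, while `canCreatePublic`, `canCreatePrivate` and `canExternalize` treat the same null user as holding no authorities. If null is meant to stand for a trusted internal call, that contract should be stated on the method, e.g. `// null user = trusted internal caller; request-handling code must reject a missing user before calling the ACL`. Callers in this commit pass `currentUserService.getCurrentUser()` straight through, and whether that can be null for an unauthenticated request is not visible here. If the grant is not intended, a deny-by-default `user != null && containsAny( ... )` would also need null guards before `user.equals( object.getUser() )` in `canRead` and `canManage` and before the dereference in `canAccess`.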

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2014-03-27 06:07:15 +0000
@@ -30,12 +30,12 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.common.CodeGenerator;
 import org.hisp.dhis.common.IdentifiableObject;
 import org.hisp.dhis.message.MessageSender;
 import org.hisp.dhis.period.Cal;
 import org.hisp.dhis.setting.SystemSettingManager;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.system.velocity.VelocityManager;
 import org.hisp.dhis.user.CurrentUserService;
@@ -104,7 +104,7 @@
     private CurrentUserService currentUserService;
 
     @Autowired
-    private AccessControlService accessControlService;
+    private AclService aclService;
 
     // -------------------------------------------------------------------------
     // SecurityService implementation
@@ -289,67 +289,67 @@
     @Override
     public boolean canCreatePublic( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() );
     }
 
     @Override
     public boolean canCreatePublic( String type )
     {
-        Class<? extends IdentifiableObject> klass = accessControlService.classForType( type );
+        Class<? extends IdentifiableObject> klass = aclService.classForType( type );
 
-        return !accessControlService.isSupported( klass )
-            || accessControlService.canCreatePublic( currentUserService.getCurrentUser(), klass );
+        return !aclService.isSupported( klass )
+            || aclService.canCreatePublic( currentUserService.getCurrentUser(), klass );
     }
 
     @Override
     public boolean canCreatePrivate( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() );
     }
 
     @Override
     public boolean canCreatePrivate( String type )
     {
-        Class<? extends IdentifiableObject> klass = accessControlService.classForType( type );
+        Class<? extends IdentifiableObject> klass = aclService.classForType( type );
 
-        return !accessControlService.isSupported( klass )
-            || accessControlService.canCreatePrivate( currentUserService.getCurrentUser(), klass );
+        return !aclService.isSupported( klass )
+            || aclService.canCreatePrivate( currentUserService.getCurrentUser(), klass );
     }
 
     @Override
     public boolean canRead( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canRead( currentUserService.getCurrentUser(), identifiableObject );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canRead( currentUserService.getCurrentUser(), identifiableObject );
     }
 
     @Override
     public boolean canWrite( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canWrite( currentUserService.getCurrentUser(), identifiableObject );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canWrite( currentUserService.getCurrentUser(), identifiableObject );
     }
 
     @Override
     public boolean canUpdate( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canUpdate( currentUserService.getCurrentUser(), identifiableObject );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canUpdate( currentUserService.getCurrentUser(), identifiableObject );
     }
 
     @Override
     public boolean canDelete( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canDelete( currentUserService.getCurrentUser(), identifiableObject );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canDelete( currentUserService.getCurrentUser(), identifiableObject );
     }
 
     @Override
     public boolean canManage( IdentifiableObject identifiableObject )
     {
-        return !accessControlService.isSupported( identifiableObject.getClass() )
-            || accessControlService.canManage( currentUserService.getCurrentUser(), identifiableObject );
+        return !aclService.isSupported( identifiableObject.getClass() )
+            || aclService.canManage( currentUserService.getCurrentUser(), identifiableObject );
     }
 }

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml	2014-03-27 06:07:15 +0000
@@ -11,7 +11,7 @@
 
   <bean id="org.hisp.dhis.schema.PropertyIntrospectorService" class="org.hisp.dhis.schema.DefaultPropertyIntrospectorService" />
 
-  <bean id="org.hisp.dhis.acl.AccessControlService" class="org.hisp.dhis.acl.DefaultAccessControlService" />
+  <bean id="org.hisp.dhis.acl.AclService" class="org.hisp.dhis.acl.DefaultAclService" />
 
   <!-- Store definitions -->
 

=== modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java'
--- dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java	2014-03-27 06:07:15 +0000
@@ -31,6 +31,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.hibernate.SessionFactory;
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.attribute.Attribute;
 import org.hisp.dhis.attribute.AttributeService;
 import org.hisp.dhis.attribute.AttributeValue;
@@ -55,7 +56,6 @@
 import org.hisp.dhis.period.Period;
 import org.hisp.dhis.period.PeriodService;
 import org.hisp.dhis.period.PeriodType;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.system.util.CollectionUtils;
 import org.hisp.dhis.system.util.ReflectionUtils;
 import org.hisp.dhis.system.util.functional.Function1;
@@ -110,7 +110,7 @@
     private SessionFactory sessionFactory;
 
     @Autowired
-    private AccessControlService accessControlService;
+    private AclService aclService;
 
     @Autowired( required = false )
     private List<ObjectHandler<T>> objectHandlers;
@@ -414,7 +414,7 @@
      */
     protected boolean deleteObject( User user, T persistedObject )
     {
-        if ( !accessControlService.canDelete( user, persistedObject ) )
+        if ( !aclService.canDelete( user, persistedObject ) )
         {
             summaryType.getImportConflicts().add(
                 new ImportConflict( ImportUtils.getDisplayName( persistedObject ), "You do not have delete access to class type." ) );
@@ -452,7 +452,7 @@
      */
     protected boolean newObject( User user, T object )
     {
-        if ( !accessControlService.canCreatePublic( user, object.getClass() ) && !accessControlService.canCreatePrivate( user, object.getClass() ) )
+        if ( !aclService.canCreatePublic( user, object.getClass() ) && !aclService.canCreatePrivate( user, object.getClass() ) )
         {
             summaryType.getImportConflicts().add(
                 new ImportConflict( ImportUtils.getDisplayName( object ), "You do not have create access to class type." ) );
@@ -536,7 +536,7 @@
      */
     protected boolean updateObject( User user, T object, T persistedObject )
     {
-        if ( !accessControlService.canUpdate( user, persistedObject ) )
+        if ( !aclService.canUpdate( user, persistedObject ) )
         {
             summaryType.getImportConflicts().add(
                 new ImportConflict( ImportUtils.getDisplayName( object ), "You do not have update access to object." ) );

=== modified file 'dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java'
--- dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java	2014-03-27 06:07:15 +0000
@@ -36,6 +36,7 @@
 import org.hibernate.Session;
 import org.hibernate.SessionFactory;
 import org.hibernate.criterion.Criterion;
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.common.AuditLogUtil;
 import org.hisp.dhis.common.BaseIdentifiableObject;
 import org.hisp.dhis.common.GenericStore;
@@ -46,7 +47,6 @@
 import org.hisp.dhis.hibernate.exception.ReadAccessDeniedException;
 import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
 import org.hisp.dhis.interpretation.Interpretation;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.acl.AccessStringHelper;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.UserGroupAccess;
@@ -85,7 +85,7 @@
     protected CurrentUserService currentUserService;
 
     @Autowired
-    protected AccessControlService accessControlService;
+    protected AclService aclService;
 
     protected Class<T> clazz;
 
@@ -227,7 +227,7 @@
     @Override
     public int save( T object )
     {
-        if ( !Interpretation.class.isAssignableFrom( clazz ) && currentUserService.getCurrentUser() != null && accessControlService.isSupported( clazz ) )
+        if ( !Interpretation.class.isAssignableFrom( clazz ) && currentUserService.getCurrentUser() != null && aclService.isSupported( clazz ) )
         {
             BaseIdentifiableObject identifiableObject = (BaseIdentifiableObject) object;
 
@@ -240,9 +240,9 @@
                 identifiableObject.setUser( currentUserService.getCurrentUser() );
             }
 
-            if ( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() ) )
+            if ( aclService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() ) )
             {
-                if ( accessControlService.defaultPublic( identifiableObject.getClass() ) )
+                if ( aclService.defaultPublic( identifiableObject.getClass() ) )
                 {
                     String build = AccessStringHelper.newInstance()
                         .enable( AccessStringHelper.Permission.READ )
@@ -257,7 +257,7 @@
                     identifiableObject.setPublicAccess( build );
                 }
             }
-            else if ( accessControlService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() ) )
+            else if ( aclService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() ) )
             {
                 identifiableObject.setPublicAccess( AccessStringHelper.newInstance().build() );
             }
@@ -400,8 +400,8 @@
 
     protected boolean sharingEnabled()
     {
-        boolean enabled = forceAcl() || (accessControlService.isSupported( clazz ) && !(currentUserService.getCurrentUser() == null ||
-            CollectionUtils.containsAny( currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities(), AccessControlService.SHARING_OVERRIDE_AUTHORITIES )));
+        boolean enabled = forceAcl() || (aclService.isSupported( clazz ) && !(currentUserService.getCurrentUser() == null ||
+            CollectionUtils.containsAny( currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities(), AclService.SHARING_OVERRIDE_AUTHORITIES )));
 
         return enabled;
     }
@@ -414,7 +414,7 @@
 
             if ( sharingEnabled() )
             {
-                return accessControlService.canRead( currentUserService.getCurrentUser(), idObject );
+                return aclService.canRead( currentUserService.getCurrentUser(), idObject );
             }
         }
 
@@ -429,7 +429,7 @@
 
             if ( sharingEnabled() )
             {
-                return accessControlService.canWrite( currentUserService.getCurrentUser(), idObject );
+                return aclService.canWrite( currentUserService.getCurrentUser(), idObject );
             }
         }
 
@@ -442,9 +442,9 @@
         {
             IdentifiableObject idObject = (IdentifiableObject) object;
 
-            if ( accessControlService.isSupported( clazz ) )
+            if ( aclService.isSupported( clazz ) )
             {
-                return accessControlService.canUpdate( currentUserService.getCurrentUser(), idObject );
+                return aclService.canUpdate( currentUserService.getCurrentUser(), idObject );
             }
         }
 
@@ -457,9 +457,9 @@
         {
             IdentifiableObject idObject = (IdentifiableObject) object;
 
-            if ( accessControlService.isSupported( clazz ) )
+            if ( aclService.isSupported( clazz ) )
             {
-                return accessControlService.canDelete( currentUserService.getCurrentUser(), idObject );
+                return aclService.canDelete( currentUserService.getCurrentUser(), idObject );
             }
         }
 

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java	2014-03-27 06:07:15 +0000
@@ -38,6 +38,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.api.controller.exception.NotFoundException;
 import org.hisp.dhis.api.utils.WebUtils;
 import org.hisp.dhis.common.BaseIdentifiableObject;
@@ -52,7 +53,6 @@
 import org.hisp.dhis.schema.Schema;
 import org.hisp.dhis.schema.SchemaService;
 import org.hisp.dhis.acl.Access;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.system.util.ReflectionUtils;
 import org.hisp.dhis.user.CurrentUserService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -89,7 +89,7 @@
     protected FilterService filterService;
 
     @Autowired
-    protected AccessControlService accessControlService;
+    protected AclService aclService;
 
     @Autowired
     protected SchemaService schemaService;
@@ -233,7 +233,7 @@
             WebUtils.generateLinks( entity );
         }
 
-        if ( accessControlService.isSupported( getEntityClass() ) )
+        if ( aclService.isSupported( getEntityClass() ) )
         {
             addAccessProperties( entity );
         }
@@ -372,12 +372,12 @@
     protected void addAccessProperties( T object )
     {
         Access access = new Access();
-        access.setManage( accessControlService.canManage( currentUserService.getCurrentUser(), object ) );
-        access.setExternalize( accessControlService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) );
-        access.setWrite( accessControlService.canWrite( currentUserService.getCurrentUser(), object ) );
-        access.setRead( accessControlService.canRead( currentUserService.getCurrentUser(), object ) );
-        access.setUpdate( accessControlService.canUpdate( currentUserService.getCurrentUser(), object ) );
-        access.setDelete( accessControlService.canDelete( currentUserService.getCurrentUser(), object ) );
+        access.setManage( aclService.canManage( currentUserService.getCurrentUser(), object ) );
+        access.setExternalize( aclService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) );
+        access.setWrite( aclService.canWrite( currentUserService.getCurrentUser(), object ) );
+        access.setRead( aclService.canRead( currentUserService.getCurrentUser(), object ) );
+        access.setUpdate( aclService.canUpdate( currentUserService.getCurrentUser(), object ) );
+        access.setDelete( aclService.canDelete( currentUserService.getCurrentUser(), object ) );
 
         ((BaseIdentifiableObject) object).setAccess( access );
     }
@@ -394,7 +394,7 @@
             return;
         }
 
-        if ( entityList != null && accessControlService.isSupported( getEntityClass() ) )
+        if ( entityList != null && aclService.isSupported( getEntityClass() ) )
         {
             for ( T object : entityList )
             {

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java	2014-03-27 06:07:15 +0000
@@ -30,6 +30,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.api.utils.ContextUtils;
 import org.hisp.dhis.api.webdomain.sharing.Sharing;
 import org.hisp.dhis.api.webdomain.sharing.SharingUserGroupAccess;
@@ -38,7 +39,6 @@
 import org.hisp.dhis.common.IdentifiableObject;
 import org.hisp.dhis.common.IdentifiableObjectManager;
 import org.hisp.dhis.dxf2.utils.JacksonUtils;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.acl.AccessStringHelper;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.UserGroup;
@@ -81,18 +81,18 @@
     private UserGroupAccessService userGroupAccessService;
 
     @Autowired
-    private AccessControlService accessControlService;
+    private AclService aclService;
 
     @RequestMapping( value = "", produces = { "application/json", "text/*" } )
     public void getSharing( @RequestParam String type, @RequestParam String id, HttpServletResponse response ) throws IOException
     {
-        if ( !accessControlService.isSupported( type ) )
+        if ( !aclService.isShareable( type ) )
         {
             ContextUtils.notFoundResponse( response, "Type " + type + " is not supported." );
             return;
         }
 
-        Class<? extends IdentifiableObject> klass = accessControlService.classForType( type );
+        Class<? extends IdentifiableObject> klass = aclService.classForType( type );
         IdentifiableObject object = manager.get( klass, id );
 
         if ( object == null )
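Review bot: The result of `aclService.classForType( type )` goes into `manager.get` without a null check, and `classForType` in DefaultAclService returns null unless the schema is also `isIdentifiableObject()`, which the `isShareable( type )` guard introduced here does not test. The `setSharing` hunk further down (`@@ -157,7 +157,7 @@`) has no type guard at all before `manager.get( aclService.classForType( type ), id )`, and `type` is a request parameter; what `manager.get` does with a null class is not visible here. I would add `if ( klass == null ) { ContextUtils.notFoundResponse( response, "Type " + type + " is not supported." ); return; }` right after the lookup in both methods. Both method bodies continue outside their hunks.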
@@ -101,15 +101,15 @@
             return;
         }
 
-        if ( !accessControlService.canManage( currentUserService.getCurrentUser(), object ) )
+        if ( !aclService.canManage( currentUserService.getCurrentUser(), object ) )
         {
             throw new AccessDeniedException( "You do not have manage access to this object." );
         }
 
         Sharing sharing = new Sharing();
 
-        sharing.getMeta().setAllowPublicAccess( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) );
-        sharing.getMeta().setAllowExternalAccess( accessControlService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) );
+        sharing.getMeta().setAllowPublicAccess( aclService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) );
+        sharing.getMeta().setAllowExternalAccess( aclService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) );
 
         sharing.getObject().setId( object.getUid() );
         sharing.getObject().setName( object.getDisplayName() );
@@ -119,7 +119,7 @@
         {
             String access;
 
-            if ( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), klass ) )
+            if ( aclService.canCreatePublic( currentUserService.getCurrentUser(), klass ) )
             {
                 access = AccessStringHelper.newInstance().enable( AccessStringHelper.Permission.READ ).enable( AccessStringHelper.Permission.WRITE ).build();
             }
@@ -157,7 +157,7 @@
     @RequestMapping( value = "", method = { RequestMethod.POST, RequestMethod.PUT }, consumes = "application/json" )
     public void setSharing( @RequestParam String type, @RequestParam String id, HttpServletResponse response, HttpServletRequest request ) throws IOException
     {
-        BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get( accessControlService.classForType( type ), id );
+        BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get( aclService.classForType( type ), id );
 
         if ( object == null )
         {
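Review bot: setSharing hands `aclService.classForType( type )` straight to `manager.get` without the `aclService.isShareable( type )` guard that the read path earlier in this file applies before the same lookup, so an unsupported `type` request parameter is not rejected up front on the write path. What `classForType` returns for an unknown type is not visible here; if it can be null, the lookup and the `(BaseIdentifiableObject)` cast run on unchecked input. Mirroring the existing guard as the first statement would make both handlers consistent: `if ( !aclService.isShareable( type ) ) { ContextUtils.notFoundResponse( response, "Type " + type + " is not supported." ); return; }`. The body of setSharing continues past the end of this hunk.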
@@ -165,7 +165,7 @@
             return;
         }
 
-        if ( !accessControlService.canManage( currentUserService.getCurrentUser(), object ) )
+        if ( !aclService.canManage( currentUserService.getCurrentUser(), object ) )
         {
             throw new AccessDeniedException( "You do not have manage access to this object." );
         }
@@ -173,13 +173,13 @@
         Sharing sharing = JacksonUtils.fromJson( request.getInputStream(), Sharing.class );
 
         // Ignore externalAccess if user is not allowed to make objects external
-        if ( accessControlService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) )
+        if ( aclService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) )
         {
             object.setExternalAccess( sharing.getObject().hasExternalAccess() );
         }
 
         // Ignore publicAccess if user is not allowed to make objects public
-        if ( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) )
+        if ( aclService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) )
         {
             object.setPublicAccess( sharing.getObject().getPublicAccess() );
         }
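Review bot: `object.setPublicAccess( sharing.getObject().getPublicAccess() )` stores a string taken from the JSON request body as received; the `canCreatePublic` check decides only whether the field is applied, not which values are acceptable. Unless the setter or a later layer validates it (not visible in this hunk), a malformed or unexpected access string could be persisted on the object. I would check the value against the access patterns the application actually issues before assigning it and reject anything else, and record the expectation next to the assignment with a comment such as `// publicAccess is client-supplied; only well-formed access strings may be stored`. It would also help to document that a caller without the right gets the field silently ignored rather than an error, since the two existing comments state the behaviour but not why it is preferred. setSharing begins before this hunk and may continue after it.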

=== modified file 'dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java'
--- dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java	2014-03-27 04:44:41 +0000
+++ dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java	2014-03-27 06:07:15 +0000
@@ -29,6 +29,7 @@
  */
 
 import com.opensymphony.xwork2.Action;
+import org.hisp.dhis.acl.AclService;
 import org.hisp.dhis.common.ListMap;
 import org.hisp.dhis.common.comparator.IdentifiableObjectNameComparator;
 import org.hisp.dhis.dataelement.DataElement;
@@ -44,7 +45,6 @@
 import org.hisp.dhis.indicator.IndicatorService;
 import org.hisp.dhis.organisationunit.OrganisationUnitDataSetAssociationSet;
 import org.hisp.dhis.organisationunit.OrganisationUnitService;
-import org.hisp.dhis.acl.AccessControlService;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.User;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -117,7 +117,7 @@
     }
 
     @Autowired
-    protected AccessControlService accessControlService;
+    protected AclService aclService;
 
     // -------------------------------------------------------------------------
     // Output
@@ -272,7 +272,7 @@
         {
             for ( DataElementCategoryOption categoryOption : category.getCategoryOptions() )
             {
-                if ( accessControlService.canRead( user, categoryOption ) )
+                if ( aclService.canRead( user, categoryOption ) )
                 {
                     categoryOptionMap.putValue( category.getUid(), categoryOption );
                 }