

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 15459: When KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, don't allow user group membership changes causing the ch...

 

------------------------------------------------------------
revno: 15459
committer: jimgrace@xxxxxxxxx
branch nick: dhis2
timestamp: Wed 2014-05-28 12:38:44 -0400
message:
  When KEY_ONLY_MANAGE_WITHIN_USER_GROUPS is set, don't allow user group membership changes that cause the changer to gain or lose control over another user.
modified:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
  dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java
  dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml
  dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java
  dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java
  dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java	2014-05-27 02:41:16 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java	2014-05-28 16:38:44 +0000
@@ -262,13 +262,29 @@
     int getActiveUsersCount( Date since );
 
     /**
+     * Filters the given list of users based on whether the current
+     * user is allowed to update.
+     *
+     * @param users the list of users.
+     */
+    void canUpdateUsersFilter( Collection<User> users );
+
+    /**
      * Filters the given list of user credentials based on whether the current
      * user is allowed to update.
-     * 
+     *
      * @param userCredentials the list of user credentials.
      */
     void canUpdateFilter( Collection<UserCredentials> userCredentials );
-    
+
+    /**
+     * Is the current user allowed to update this user?
+     *
+     * @param userCredentials credentials to check for allowing update.
+     * @return true if current user can update this user, else false.
+     */
+    boolean canUpdate( UserCredentials userCredentials );
+
     // -------------------------------------------------------------------------
     // UserAuthorityGroup
     // -------------------------------------------------------------------------
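Review bot: The Javadoc for canUpdateUsersFilter and canUpdateFilter says "filters" but does not state that the passed collection is modified in place, which is what a void method taking a Collection implies and what the DefaultUserService implementation in this commit does through FilterUtils.filter. Since callers such as GetUsersAction rely on that side effect, the contract should be explicit: `Removes from the given collection, in place, every user the current user is not allowed to update.` The same sentence applies to canUpdateFilter. The canUpdate Javadoc would also benefit from naming the two conditions it combines (authority and group membership), so that implementors of the interface preserve both.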

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java	2014-05-27 02:41:16 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java	2014-05-28 16:38:44 +0000
@@ -585,6 +585,19 @@
         return userCredentialsStore.getActiveUsersCount( since );
     }
 
+    public void canUpdateUsersFilter( Collection<User> users )
+    {
+        FilterUtils.filter( users,
+            new Filter<User>()
+            {
+                public boolean retain( User object )
+                {
+                    return canUpdate( object.getUserCredentials() );
+                }
+            }
+        );
+    }
+
     public void canUpdateFilter( Collection<UserCredentials> userCredentials )
     {
         FilterUtils.filter( userCredentials,
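Review bot: The retain() body in canUpdateUsersFilter passes `object.getUserCredentials()` straight into canUpdate; if a User can exist without credentials (which this hunk does not rule out), that is a null argument to hasAuthorityToUpdateUser, whose null handling is outside the hunk. For an authorization filter the safe default is to drop such a user rather than risk an exception or a pass-through: `UserCredentials credentials = object.getUserCredentials(); return credentials != null && canUpdate( credentials );`. The enclosing class continues outside the hunk.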
@@ -592,12 +605,17 @@
             {
                 public boolean retain( UserCredentials object )
                 {
-                    return hasAuthorityToUpdateUser( object ) && hasGroupsToUpdateUser( object );
+                    return canUpdate( object );
                 }
             }
         );
     }
 
+    public boolean canUpdate( UserCredentials userCredentials )
+    {
+        return hasAuthorityToUpdateUser( userCredentials ) && hasGroupsToUpdateUser( userCredentials );
+    }
+
     // -------------------------------------------------------------------------
     // UserSettings
     // -------------------------------------------------------------------------

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java	2014-05-27 13:18:27 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java	2014-05-28 16:38:44 +0000
@@ -329,7 +329,7 @@
 
                 if ( group == null )
                 {
-                    throw new UpdateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() );
+                    throw new CreateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() );
                 }
 
                 if ( writeGroupRequired && securityService.canWrite( group ) )

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java	2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java	2014-05-28 16:38:44 +0000
@@ -35,11 +35,14 @@
 
 import org.apache.struts2.ServletActionContext;
 import org.hisp.dhis.paging.ActionPagingSupport;
+import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserService;
 import org.hisp.dhis.user.comparator.UserComparator;
 import org.hisp.dhis.util.ContextUtils;
 
+import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS;
+
 /**
  * @author mortenoh
  */
@@ -57,6 +60,13 @@
         this.userService = userService;
     }
 
+    private SystemSettingManager systemSettingManager;
+
+    public void setSystemSettingManager( SystemSettingManager systemSettingManager )
+    {
+        this.systemSettingManager = systemSettingManager;
+    }
+
     // -------------------------------------------------------------------------
     // Input & Output
     // -------------------------------------------------------------------------
@@ -101,6 +111,13 @@
             users = users.subList( paging.getStartPos(), paging.getEndPos() );
         }
 
+        boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false );
+
+        if ( writeGroupRequired )
+        {
+            userService.canUpdateUsersFilter( users );
+        }
+
         return SUCCESS;
     }
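Review bot: The canUpdateUsersFilter call is applied after `users = users.subList( paging.getStartPos(), paging.getEndPos() )`, so paging totals and page boundaries are computed from the unfiltered list; pages can come back short or empty, and the page count still reveals how many users exist outside the caller's groups. The filter should run before the paging block (whose start is outside this hunk), i.e. move `userService.canUpdateUsersFilter( users );` and its `writeGroupRequired` guard ahead of the subList assignment. Note also that FilterUtils.filter removing through a subList view only works if the underlying list is modifiable, which depends on how `users` is built earlier in execute().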
 

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml	2014-05-26 10:55:47 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml	2014-05-28 16:38:44 +0000
@@ -304,6 +304,7 @@
 
   <bean id="org.hisp.dhis.commons.action.GetUsersAction" class="org.hisp.dhis.commons.action.GetUsersAction" scope="prototype">
     <property name="userService" ref="org.hisp.dhis.user.UserService" />
+    <property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
   </bean>
 
   <bean id="org.hisp.dhis.commons.action.GetUserGroupsAction" class="org.hisp.dhis.commons.action.GetUserGroupsAction"

=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java	2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java	2014-05-28 16:38:44 +0000
@@ -31,6 +31,9 @@
 import java.util.List;
 
 import org.hisp.dhis.attribute.AttributeService;
+import org.hisp.dhis.hibernate.exception.CreateAccessDeniedException;
+import org.hisp.dhis.security.SecurityService;
+import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.system.util.AttributeUtils;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserGroup;
@@ -39,6 +42,8 @@
 
 import com.opensymphony.xwork2.Action;
 
+import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS;
+
 public class AddUserGroupAction
     implements Action
 {
@@ -67,6 +72,20 @@
         this.attributeService = attributeService;
     }
 
+    private SystemSettingManager systemSettingManager;
+
+    public void setSystemSettingManager( SystemSettingManager systemSettingManager )
+    {
+        this.systemSettingManager = systemSettingManager;
+    }
+
+    private SecurityService securityService;
+
+    public void setSecurityService( SecurityService securityService )
+    {
+        this.securityService = securityService;
+    }
+
     // -------------------------------------------------------------------------
     // Parameters
     // -------------------------------------------------------------------------
@@ -99,12 +118,19 @@
     public String execute()
         throws Exception
     {
+        boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false );
+
         UserGroup userGroup = new UserGroup( name );
         
         for ( Integer groupMember : groupMembersList )
         {
             User user = userService.getUser( groupMember );
             userGroup.addUser( user );
+
+            if ( writeGroupRequired && !userGroup.getMembers().contains( user) && !userService.canUpdate( user.getUserCredentials() ) )
+            {
+                throw new CreateAccessDeniedException( "- You don't have permission to add all selected users to this group." );
+            }
         }
 
         if ( jsonAttributeValues != null )
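Review bot: The permission check on the new lines is dead code: `userGroup.addUser( user )` runs first, so `!userGroup.getMembers().contains( user )` is false for every user and the CreateAccessDeniedException can never be thrown, assuming addUser adds to the members set as its name suggests. For a newly constructed group the contains() clause is not needed at all; move `userGroup.addUser( user );` below the check and reduce the condition to `if ( writeGroupRequired && !userService.canUpdate( user.getUserCredentials() ) )`. Separately, securityService is injected into this class earlier in the diff but never used here, and `userService.getUser( groupMember )` returning null for an unknown id would throw an NPE on `user.getUserCredentials()` before any access decision is made.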

=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java	2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java	2014-05-28 16:38:44 +0000
@@ -30,6 +30,9 @@
 
 import com.opensymphony.xwork2.Action;
 import org.hisp.dhis.attribute.AttributeService;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
+import org.hisp.dhis.security.SecurityService;
+import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.system.util.AttributeUtils;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserGroup;
@@ -40,6 +43,8 @@
 import java.util.List;
 import java.util.Set;
 
+import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS;
+
 public class UpdateUserGroupAction
     implements Action
 {
@@ -64,6 +69,20 @@
         this.attributeService = attributeService;
     }
 
+    private SystemSettingManager systemSettingManager;
+
+    public void setSystemSettingManager( SystemSettingManager systemSettingManager )
+    {
+        this.systemSettingManager = systemSettingManager;
+    }
+
+    private SecurityService securityService;
+
+    public void setSecurityService( SecurityService securityService )
+    {
+        this.securityService = securityService;
+    }
+
     // -------------------------------------------------------------------------
     // Parameters
     // -------------------------------------------------------------------------
@@ -103,15 +122,47 @@
     public String execute()
         throws Exception
     {
+        boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false );
+
+        UserGroup userGroup = userGroupService.getUserGroup( userGroupId );
+
         Set<User> userList = new HashSet<User>();
 
         for ( Integer groupMember : groupMembersList )
         {
             User user = userService.getUser( groupMember );
             userList.add( user );
-        }
-
-        UserGroup userGroup = userGroupService.getUserGroup( userGroupId );
+
+            if ( writeGroupRequired && !userGroup.getMembers().contains( user) && !userService.canUpdate( user.getUserCredentials() ) )
+            {
+                throw new UpdateAccessDeniedException( "- You don't have permission to add all selected users to this group." );
+            }
+        }
+
+        if ( writeGroupRequired )
+        {
+            for ( User member : userGroup.getMembers() )
+            {
+                if ( !userList.contains( member ) ) // Trying to remove member user from group.
+                {
+                    boolean otherGroupFound = false;
+
+                    for ( UserGroup ug : member.getGroups() )
+                    {
+                        if ( !userGroup.equals( ug ) && securityService.canWrite( ug ) )
+                        {
+                            otherGroupFound = true;
+                            break;
+                        }
+                    }
+
+                    if ( !otherGroupFound )
+                    {
+                        throw new UpdateAccessDeniedException( "- You can't remove member who belongs to no other user groups that you control." );
+                    }
+                }
+            }
+        }
 
         userGroup.setName( name );
         userGroup.updateUsers( userList );
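Review bot: The add and remove branches use different authorization predicates: adding a member asks `userService.canUpdate( user.getUserCredentials() )`, while removing one asks `securityService.canWrite( ug )` for each of the member's other groups and ignores whatever hasAuthorityToUpdateUser grants, so a caller with broad authority but no other writable group is denied a removal that the add-side predicate would allow. Both checks also live in the Struts action rather than in UserGroupService, so other entry points that call updateUsers (the web API, for instance) are not covered by them; a short comment such as `// Membership checks are enforced here only; other callers of updateUsers must repeat them.` would at least make that visible. The removal loop additionally relies on User.equals/hashCode for `userList.contains( member )`, which is not shown in the diff. The same structure, with the ordering bug noted there, appears in AddUserGroupAction.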

=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml	2013-07-24 15:58:43 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml	2014-05-28 16:38:44 +0000
@@ -75,6 +75,8 @@
     <property name="userService" ref="org.hisp.dhis.user.UserService" />
     <property name="userGroupService" ref="org.hisp.dhis.user.UserGroupService" />
     <property name="attributeService" ref="org.hisp.dhis.attribute.AttributeService" />
+    <property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
+    <property name="securityService" ref="org.hisp.dhis.security.SecurityService" />
   </bean>
 
   <bean id="org.hisp.dhis.dashboard.usergroup.action.AddUserGroupFormAction" class="org.hisp.dhis.dashboard.usergroup.action.AddUserGroupFormAction">
@@ -97,6 +99,8 @@
     <property name="userService" ref="org.hisp.dhis.user.UserService" />
     <property name="userGroupService" ref="org.hisp.dhis.user.UserGroupService" />
     <property name="attributeService" ref="org.hisp.dhis.attribute.AttributeService" />
+    <property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
+    <property name="securityService" ref="org.hisp.dhis.security.SecurityService" />
   </bean>
 
   <bean id="org.hisp.dhis.dashboard.usergroup.action.RemoveUserGroupAction" class="org.hisp.dhis.dashboard.usergroup.action.RemoveUserGroupAction"