[Branch ~dhis2-devs-core/dhis2/trunk] Rev 15459: When KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, don't allow user group membership changes causing the ch...
------------------------------------------------------------
revno: 15459
committer: jimgrace@xxxxxxxxx
branch nick: dhis2
timestamp: Wed 2014-05-28 12:38:44 -0400
message:
When KEY_ONLY_MANAGE_WITHIN_USER_GROUPS is set, don't allow user group membership changes that cause the changer to gain or lose control over another user.
modified:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java
dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml
dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java
dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java
dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java 2014-05-27 02:41:16 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserService.java 2014-05-28 16:38:44 +0000
@@ -262,13 +262,29 @@
int getActiveUsersCount( Date since );
/**
+ * Filters the given list of users based on whether the current
+ * user is allowed to update.
+ *
+ * @param users the list of users.
+ */
+ void canUpdateUsersFilter( Collection<User> users );
+
+ /**
* Filters the given list of user credentials based on whether the current
* user is allowed to update.
- *
+ *
* @param userCredentials the list of user credentials.
*/
void canUpdateFilter( Collection<UserCredentials> userCredentials );
-
+
+ /**
+ * Is the current user allowed to update this user?
+ *
+ * @param userCredentials credentials to check for allowing update.
+ * @return true if current user can update this user, else false.
+ */
+ boolean canUpdate( UserCredentials userCredentials );
+
// -------------------------------------------------------------------------
// UserAuthorityGroup
// -------------------------------------------------------------------------
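Review bot: The Javadoc for the new `canUpdateUsersFilter` does not say that the method mutates the passed collection; since it returns `void` and "filters the given list", in-place removal is the only possible contract, and callers that pass a shared or unmodifiable collection need to know that. I would write it as `Removes, in place, every user the current user is not allowed to update; the collection passed in must be modifiable.` and document `canUpdate` as the single predicate both filter methods apply, so future callers use it instead of re-deriving the rule. The parameter is a `Collection`, not a list, so `@param users the collection of users` is also more accurate.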
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java 2014-05-27 02:41:16 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java 2014-05-28 16:38:44 +0000
@@ -585,6 +585,19 @@
return userCredentialsStore.getActiveUsersCount( since );
}
+ public void canUpdateUsersFilter( Collection<User> users )
+ {
+ FilterUtils.filter( users,
+ new Filter<User>()
+ {
+ public boolean retain( User object )
+ {
+ return canUpdate( object.getUserCredentials() );
+ }
+ }
+ );
+ }
+
public void canUpdateFilter( Collection<UserCredentials> userCredentials )
{
FilterUtils.filter( userCredentials,
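Review bot: `retain` passes `object.getUserCredentials()` straight into `canUpdate` without a null check, and a `User` that has no credentials is a state the data model allows; if `hasAuthorityToUpdateUser` dereferences its argument (its body is not visible here) the whole filter throws a NullPointerException instead of producing a list. For an authorization filter the safe default is to drop such users rather than fail open or crash: `return object.getUserCredentials() != null && canUpdate( object.getUserCredentials() );`. The existing `canUpdateFilter` below has the same shape but is only ever given credentials objects, so it is not affected.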
@@ -592,12 +605,17 @@
{
public boolean retain( UserCredentials object )
{
- return hasAuthorityToUpdateUser( object ) && hasGroupsToUpdateUser( object );
+ return canUpdate( object );
}
}
);
}
+ public boolean canUpdate( UserCredentials userCredentials )
+ {
+ return hasAuthorityToUpdateUser( userCredentials ) && hasGroupsToUpdateUser( userCredentials );
+ }
+
// -------------------------------------------------------------------------
// UserSettings
// -------------------------------------------------------------------------
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-05-27 13:18:27 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-05-28 16:38:44 +0000
@@ -329,7 +329,7 @@
if ( group == null )
{
- throw new UpdateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() );
+ throw new CreateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() );
}
if ( writeGroupRequired && securityService.canWrite( group ) )
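Review bot: The trailing context line `if ( writeGroupRequired && securityService.canWrite( group ) )` reads as if the branch is entered when the current user does have write access to the group, which is the opposite of what a deny check needs; the body of that `if` is outside the hunk, so if it is the "allowed" path and the denial sits in an `else`, this is fine, but if it throws it is inverted and should be `!securityService.canWrite( group )`. Worth confirming with a test that a user without write access to the group is actually rejected. Separately, swapping the not-found case to `CreateAccessDeniedException` keeps a missing group UID on the access-denied path; a plain not-found/validation error would be the more accurate signal, though that is the pre-existing design rather than something this commit introduces.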
=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java 2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java 2014-05-28 16:38:44 +0000
@@ -35,11 +35,14 @@
import org.apache.struts2.ServletActionContext;
import org.hisp.dhis.paging.ActionPagingSupport;
+import org.hisp.dhis.setting.SystemSettingManager;
import org.hisp.dhis.user.User;
import org.hisp.dhis.user.UserService;
import org.hisp.dhis.user.comparator.UserComparator;
import org.hisp.dhis.util.ContextUtils;
+import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS;
+
/**
* @author mortenoh
*/
@@ -57,6 +60,13 @@
this.userService = userService;
}
+ private SystemSettingManager systemSettingManager;
+
+ public void setSystemSettingManager( SystemSettingManager systemSettingManager )
+ {
+ this.systemSettingManager = systemSettingManager;
+ }
+
// -------------------------------------------------------------------------
// Input & Output
// -------------------------------------------------------------------------
@@ -101,6 +111,13 @@
users = users.subList( paging.getStartPos(), paging.getEndPos() );
}
+ boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false );
+
+ if ( writeGroupRequired )
+ {
+ userService.canUpdateUsersFilter( users );
+ }
+
return SUCCESS;
}
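Review bot: The `canUpdateUsersFilter` call is applied after the list has already been cut to the current page by `users.subList( paging.getStartPos(), paging.getEndPos() )` on the line above, so every page comes back with fewer than the requested number of entries (possibly none) and the paging total still counts users the caller is not allowed to manage. Move the `writeGroupRequired` block above the paging block so the filter runs on the full list and pagination operates on what the caller may actually see. Note also that `subList` returns a view onto the original list, so removing from it through `FilterUtils.filter` mutates the backing list; filtering first avoids that subtlety as well. The enclosing `execute` method starts outside this hunk.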
=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml 2014-05-26 10:55:47 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml 2014-05-28 16:38:44 +0000
@@ -304,6 +304,7 @@
<bean id="org.hisp.dhis.commons.action.GetUsersAction" class="org.hisp.dhis.commons.action.GetUsersAction" scope="prototype">
<property name="userService" ref="org.hisp.dhis.user.UserService" />
+ <property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
</bean>
<bean id="org.hisp.dhis.commons.action.GetUserGroupsAction" class="org.hisp.dhis.commons.action.GetUserGroupsAction"
=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java 2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/AddUserGroupAction.java 2014-05-28 16:38:44 +0000
@@ -31,6 +31,9 @@
import java.util.List;
import org.hisp.dhis.attribute.AttributeService;
+import org.hisp.dhis.hibernate.exception.CreateAccessDeniedException;
+import org.hisp.dhis.security.SecurityService;
+import org.hisp.dhis.setting.SystemSettingManager;
import org.hisp.dhis.system.util.AttributeUtils;
import org.hisp.dhis.user.User;
import org.hisp.dhis.user.UserGroup;
@@ -39,6 +42,8 @@
import com.opensymphony.xwork2.Action;
+import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS;
+
public class AddUserGroupAction
implements Action
{
@@ -67,6 +72,20 @@
this.attributeService = attributeService;
}
+ private SystemSettingManager systemSettingManager;
+
+ public void setSystemSettingManager( SystemSettingManager systemSettingManager )
+ {
+ this.systemSettingManager = systemSettingManager;
+ }
+
+ private SecurityService securityService;
+
+ public void setSecurityService( SecurityService securityService )
+ {
+ this.securityService = securityService;
+ }
+
// -------------------------------------------------------------------------
// Parameters
// -------------------------------------------------------------------------
@@ -99,12 +118,19 @@
public String execute()
throws Exception
{
+ boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false );
+
UserGroup userGroup = new UserGroup( name );
for ( Integer groupMember : groupMembersList )
{
User user = userService.getUser( groupMember );
userGroup.addUser( user );
+
+ if ( writeGroupRequired && !userGroup.getMembers().contains( user) && !userService.canUpdate( user.getUserCredentials() ) )
+ {
+ throw new CreateAccessDeniedException( "- You don't have permission to add all selected users to this group." );
+ }
}
if ( jsonAttributeValues != null )
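Review bot: The permission guard on the line after `userGroup.addUser( user )` tests `!userGroup.getMembers().contains( user )`, but by then the user has just been added; if `addUser` populates the members set, as its name suggests, that condition is always false and `userService.canUpdate(...)` is never evaluated, so with KEY_ONLY_MANAGE_WITHIN_USER_GROUPS enabled any selected user can still be added to a new group. For a freshly constructed group the members set starts empty, so the `contains` test adds nothing; check before adding: `if ( writeGroupRequired && !userService.canUpdate( user.getUserCredentials() ) ) { throw new CreateAccessDeniedException( "- You don't have permission to add all selected users to this group." ); }` followed by `userGroup.addUser( user );`. `userService.getUser( groupMember )` returning null for a stale id would now surface as a NullPointerException on `getUserCredentials()` rather than being added silently; a null check with a clear error would be cleaner. The `securityService` injected into this action in the earlier hunk is not used anywhere in `execute`. The method continues past the end of this hunk.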
=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java 2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java 2014-05-28 16:38:44 +0000
@@ -30,6 +30,9 @@
import com.opensymphony.xwork2.Action;
import org.hisp.dhis.attribute.AttributeService;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
+import org.hisp.dhis.security.SecurityService;
+import org.hisp.dhis.setting.SystemSettingManager;
import org.hisp.dhis.system.util.AttributeUtils;
import org.hisp.dhis.user.User;
import org.hisp.dhis.user.UserGroup;
@@ -40,6 +43,8 @@
import java.util.List;
import java.util.Set;
+import static org.hisp.dhis.setting.SystemSettingManager.KEY_ONLY_MANAGE_WITHIN_USER_GROUPS;
+
public class UpdateUserGroupAction
implements Action
{
@@ -64,6 +69,20 @@
this.attributeService = attributeService;
}
+ private SystemSettingManager systemSettingManager;
+
+ public void setSystemSettingManager( SystemSettingManager systemSettingManager )
+ {
+ this.systemSettingManager = systemSettingManager;
+ }
+
+ private SecurityService securityService;
+
+ public void setSecurityService( SecurityService securityService )
+ {
+ this.securityService = securityService;
+ }
+
// -------------------------------------------------------------------------
// Parameters
// -------------------------------------------------------------------------
@@ -103,15 +122,47 @@
public String execute()
throws Exception
{
+ boolean writeGroupRequired = (Boolean) systemSettingManager.getSystemSetting( KEY_ONLY_MANAGE_WITHIN_USER_GROUPS, false );
+
+ UserGroup userGroup = userGroupService.getUserGroup( userGroupId );
+
Set<User> userList = new HashSet<User>();
for ( Integer groupMember : groupMembersList )
{
User user = userService.getUser( groupMember );
userList.add( user );
- }
-
- UserGroup userGroup = userGroupService.getUserGroup( userGroupId );
+
+ if ( writeGroupRequired && !userGroup.getMembers().contains( user) && !userService.canUpdate( user.getUserCredentials() ) )
+ {
+ throw new UpdateAccessDeniedException( "- You don't have permission to add all selected users to this group." );
+ }
+ }
+
+ if ( writeGroupRequired )
+ {
+ for ( User member : userGroup.getMembers() )
+ {
+ if ( !userList.contains( member ) ) // Trying to remove member user from group.
+ {
+ boolean otherGroupFound = false;
+
+ for ( UserGroup ug : member.getGroups() )
+ {
+ if ( !userGroup.equals( ug ) && securityService.canWrite( ug ) )
+ {
+ otherGroupFound = true;
+ break;
+ }
+ }
+
+ if ( !otherGroupFound )
+ {
+ throw new UpdateAccessDeniedException( "- You can't remove member who belongs to no other user groups that you control." );
+ }
+ }
+ }
+ }
userGroup.setName( name );
userGroup.updateUsers( userList );
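Review bot: Neither guard in the hunk verifies that the current user may write `userGroup` itself: the add check looks only at the user being added, and the removal check explicitly skips `userGroup` while searching `member.getGroups()` for another writable group, which silently assumes the changer already controls the group being edited. Unless a Struts interceptor or `userGroupService.getUserGroup` enforces that elsewhere (not visible here), a user who can read but not write the group could still reshape its membership; adding `if ( writeGroupRequired && !securityService.canWrite( userGroup ) ) { throw new UpdateAccessDeniedException( "- You don't have write access to this user group." ); }` right after the `getUserGroup` lookup closes that gap and also gives a clear failure when `userGroupId` does not resolve, instead of the NullPointerException that `userGroup.getMembers()` would throw now. The removal message "member who belongs to no other user groups that you control" is good, but the leading "- " prefix on both messages looks like a leftover from list rendering. The method continues past the end of this hunk.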
=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml 2013-07-24 15:58:43 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml 2014-05-28 16:38:44 +0000
@@ -75,6 +75,8 @@
<property name="userService" ref="org.hisp.dhis.user.UserService" />
<property name="userGroupService" ref="org.hisp.dhis.user.UserGroupService" />
<property name="attributeService" ref="org.hisp.dhis.attribute.AttributeService" />
+ <property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
+ <property name="securityService" ref="org.hisp.dhis.security.SecurityService" />
</bean>
<bean id="org.hisp.dhis.dashboard.usergroup.action.AddUserGroupFormAction" class="org.hisp.dhis.dashboard.usergroup.action.AddUserGroupFormAction">
@@ -97,6 +99,8 @@
<property name="userService" ref="org.hisp.dhis.user.UserService" />
<property name="userGroupService" ref="org.hisp.dhis.user.UserGroupService" />
<property name="attributeService" ref="org.hisp.dhis.attribute.AttributeService" />
+ <property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
+ <property name="securityService" ref="org.hisp.dhis.security.SecurityService" />
</bean>
<bean id="org.hisp.dhis.dashboard.usergroup.action.RemoveUserGroupAction" class="org.hisp.dhis.dashboard.usergroup.action.RemoveUserGroupAction"