dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #34235
[Branch ~dhis2-devs-core/dhis2/trunk] Rev 17577: First implementation of managed user groups
------------------------------------------------------------
revno: 17577
committer: jimgrace@xxxxxxxxx
branch nick: dhis2
timestamp: Mon 2014-11-24 22:16:09 -0500
message:
First implementation of managed user groups
modified:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/schema/descriptors/UserSchemaDescriptor.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java
dhis-2/dhis-services/dhis-service-core/src/main/resources/org/hisp/dhis/user/hibernate/UserGroup.hbm.xml
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java
dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java
dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java
dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/RemoveUserAction.java
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
Your team DHIS 2 developers is subscribed to branch lp:dhis2.
To unsubscribe from this branch go to https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk/+edit-subscription
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/schema/descriptors/UserSchemaDescriptor.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/schema/descriptors/UserSchemaDescriptor.java 2014-05-31 13:18:51 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/schema/descriptors/UserSchemaDescriptor.java 2014-11-25 03:16:09 +0000
@@ -55,8 +55,8 @@
schema.setApiEndpoint( API_ENDPOINT );
schema.setOrder( 1290 );
- schema.getAuthorities().add( new Authority( AuthorityType.CREATE, Lists.newArrayList( "F_USER_ADD" ) ) );
- schema.getAuthorities().add( new Authority( AuthorityType.DELETE, Lists.newArrayList( "F_USER_DELETE" ) ) );
+ schema.getAuthorities().add( new Authority( AuthorityType.CREATE, Lists.newArrayList( "F_USER_ADD", "F_USER_ADD_WITHIN_MANAGED_GROUP" ) ) );
+ schema.getAuthorities().add( new Authority( AuthorityType.DELETE, Lists.newArrayList( "F_USER_DELETE", "F_USER_DELETE_WITHIN_MANAGED_GROUP" ) ) );
return schema;
}
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java 2014-10-21 16:15:25 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java 2014-11-25 03:16:09 +0000
@@ -50,6 +50,10 @@
public class UserGroup
extends BaseIdentifiableObject
{
+ public static final String AUTH_USER_ADD = "F_USER_ADD";
+ public static final String AUTH_USER_DELETE = "F_USER_DELETE";
+ public static final String AUTH_USER_VIEW = "F_USER_VIEW";
+
/**
* Determines if a de-serialized file is compatible with this class.
*/
@@ -62,6 +66,18 @@
private Set<User> members = new HashSet<>();
/**
+ * User groups (if any) that members of this user group can manage
+ * the members within.
+ */
+ private Set<UserGroup> managedGroups = new HashSet<>();
+
+ /**
+ * User groups (if any) whose members can manage the members of this
+ * user group.
+ */
+ private Set<UserGroup> managedByGroups = new HashSet<>();
+
+ /**
* Set of the dynamic attributes values that belong to this user group.
*/
private Set<AttributeValue> attributeValues = new HashSet<>();
@@ -156,6 +172,36 @@
this.members = members;
}
+ @JsonProperty(value = "managedGroups")
+ @JsonSerialize(contentAs = BaseIdentifiableObject.class)
+ @JsonView({ DetailedView.class, ExportView.class })
+ @JacksonXmlElementWrapper(localName = "managedGroups", namespace = DxfNamespaces.DXF_2_0)
+ @JacksonXmlProperty(localName = "managedGroup", namespace = DxfNamespaces.DXF_2_0)
+ public Set<UserGroup> getManagedGroups()
+ {
+ return managedGroups;
+ }
+
+ public void setManagedGroups( Set<UserGroup> managedGroups )
+ {
+ this.managedGroups = managedGroups;
+ }
+
+ @JsonProperty(value = "managedByGroups")
+ @JsonSerialize( contentAs = BaseIdentifiableObject.class )
+ @JsonView( { DetailedView.class } )
+ @JacksonXmlElementWrapper( localName = "managedByGroups", namespace = DxfNamespaces.DXF_2_0 )
+ @JacksonXmlProperty( localName = "managedByGroup", namespace = DxfNamespaces.DXF_2_0 )
+ public Set<UserGroup> getManagedByGroups()
+ {
+ return managedByGroups;
+ }
+
+ public void setManagedByGroups( Set<UserGroup> managedByGroups )
+ {
+ this.managedByGroups = managedByGroups;
+ }
+
@JsonProperty( value = "attributeValues" )
@JsonView( { DetailedView.class, ExportView.class } )
@JacksonXmlElementWrapper( localName = "attributeValues", namespace = DxfNamespaces.DXF_2_0)
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/org/hisp/dhis/user/hibernate/UserGroup.hbm.xml'
--- dhis-2/dhis-services/dhis-service-core/src/main/resources/org/hisp/dhis/user/hibernate/UserGroup.hbm.xml 2014-10-13 13:58:43 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/resources/org/hisp/dhis/user/hibernate/UserGroup.hbm.xml 2014-11-25 03:16:09 +0000
@@ -22,6 +22,17 @@
<many-to-many column="userid" class="org.hisp.dhis.user.User" foreign-key="fk_usergroupmembers_userid" />
</set>
+ <set name="managedGroups" table="usergroupmanaged">
+ <cache usage="read-write" />
+ <key column="managedgroupid" foreign-key="fk_usergroupmanaging_managedgroupid" />
+ <many-to-many column="managedbygroupid" class="org.hisp.dhis.user.UserGroup" foreign-key="fk_usergroupmanaging_managedbygroupid" />
+ </set>
+
+ <set name="managedByGroups" table="usergroupmanaged" inverse="true">
+ <key column="managedbygroupid" />
+ <many-to-many column="managedgroupid" class="org.hisp.dhis.user.UserGroup" />
+ </set>
+
<!-- Access properties -->
<many-to-one name="user" class="org.hisp.dhis.user.User" column="userid" foreign-key="fk_usergroup_userid" />
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-11-24 18:14:38 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-11-25 03:16:09 +0000
@@ -59,6 +59,7 @@
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
+import org.springframework.util.CollectionUtils;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@@ -94,10 +95,16 @@
@Autowired
private SystemSettingManager systemSettingManager;
+ //--------------------------------------------------------------------------
+ // GET
+ //--------------------------------------------------------------------------
+
@Override
@PreAuthorize( "hasRole('ALL') or hasRole('F_USER_VIEW')" )
public RootNode getObjectList( @RequestParam Map<String, String> parameters, HttpServletResponse response, HttpServletRequest request )
{
+ //TODO: Allow user with F_USER_VIEW_WITHIN_MANAGED_GROUP and restrict viewing to within managed groups.
+
return super.getObjectList( parameters, response, request );
}
@@ -106,6 +113,8 @@
public RootNode getObject( @PathVariable( "uid" ) String uid, @RequestParam Map<String, String> parameters,
HttpServletRequest request, HttpServletResponse response ) throws Exception
{
+ //TODO: Allow user with F_USER_VIEW_WITHIN_MANAGED_GROUP and restrict viewing to within managed groups.
+
return super.getObject( uid, parameters, request, response );
}
@@ -233,6 +242,7 @@
User parsed = renderService.fromXml( request.getInputStream(), getEntityClass() );
parsed.setUid( uid );
+ checkUserGroups( parsed );
ImportTypeSummary summary = importService.importObject( currentUserService.getCurrentUser().getUid(), parsed,
ImportStrategy.UPDATE );
@@ -259,6 +269,7 @@
User parsed = renderService.fromJson( request.getInputStream(), getEntityClass() );
parsed.setUid( uid );
+ checkUserGroups( parsed );
ImportTypeSummary summary = importService.importObject( currentUserService.getCurrentUser().getUid(), parsed,
ImportStrategy.UPDATE );
@@ -327,28 +338,48 @@
}
/**
- * Before adding the user, checks to see that any specified user groups
- * exist.
+ * Before adding or updating the user, checks to see that any specified user
+ * groups exist.
+ * <p>
+ * Also, if the current user doesn't have the F_USER_ADD authority, that
+ * means they have the weaker F_USER_ADD_WITHIN_MANAGED_GROUP authority.
+ * In this case, the new user must be added to a group that is managed
+ * by the current user.
*
- * @param user user object parsed from the POST request
+ * @param user user object parsed from the request
*/
private void checkUserGroups( User user )
{
- if ( currentUserService.getCurrentUser() != null && user.getGroups() != null )
+ User currentUser = currentUserService.getCurrentUser();
+
+ if ( currentUser != null && user.getGroups() != null )
{
+ boolean authorizedToAdd = currentUserService.currentUserIsSuper() ||
+ currentUser.getUserCredentials().isAuthorized( UserGroup.AUTH_USER_ADD );
+
for ( UserGroup ug : user.getGroups() )
{
UserGroup group = userGroupService.getUserGroup( ug.getUid() );
if ( group == null )
{
- throw new CreateAccessDeniedException( "Can't add user: Can't find user group with UID = " + ug.getUid() );
+ throw new CreateAccessDeniedException( "Can't add/update user: Can't find user group with UID = " + ug.getUid() );
}
if ( !securityService.canRead( group ) )
{
- throw new CreateAccessDeniedException( "Can't add user: Can't read the group with UID = " + ug.getUid() );
- }
+ throw new CreateAccessDeniedException( "Can't add/update user: Can't read the group with UID = " + ug.getUid() );
+ }
+
+ if ( !authorizedToAdd && CollectionUtils.containsAny( group.getManagedByGroups(), currentUser.getGroups() ) )
+ {
+ authorizedToAdd = true;
+ }
+ }
+
+ if ( !authorizedToAdd )
+ {
+ throw new CreateAccessDeniedException( "Can't add user: User must belong to a group that you manage." );
}
}
}
=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java 2014-11-24 18:14:38 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/commons/action/GetUsersAction.java 2014-11-25 03:16:09 +0000
@@ -91,6 +91,8 @@
public String execute()
throws Exception
{
+ //TODO: Allow user with F_USER_VIEW_WITHIN_MANAGED_GROUP and restrict viewing to within managed groups.
+
users = new ArrayList<>( userService.getAllUsers() );
ContextUtils.clearIfNotModified( ServletActionContext.getRequest(), ServletActionContext.getResponse(), users );
=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java 2014-11-24 18:14:38 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/java/org/hisp/dhis/dashboard/usergroup/action/UpdateUserGroupAction.java 2014-11-25 03:16:09 +0000
@@ -33,6 +33,7 @@
import org.hisp.dhis.security.SecurityService;
import org.hisp.dhis.setting.SystemSettingManager;
import org.hisp.dhis.system.util.AttributeUtils;
+import org.hisp.dhis.user.CurrentUserService;
import org.hisp.dhis.user.User;
import org.hisp.dhis.user.UserGroup;
import org.hisp.dhis.user.UserGroupService;
@@ -53,6 +54,13 @@
this.userService = userService;
}
+ private CurrentUserService currentUserService;
+
+ public void setCurrentUserService( CurrentUserService currentUserService )
+ {
+ this.currentUserService = currentUserService;
+ }
+
private UserGroupService userGroupService;
public void setUserGroupService( UserGroupService userGroupService )
@@ -128,13 +136,21 @@
UserGroup userGroup = userGroupService.getUserGroup( userGroupId );
+ if ( !userGroup.getManagedByGroups().isEmpty() && !currentUserService.currentUserIsSuper() )
+ {
+ //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to modify their managed groups
+ //as long as they are not loosing or gaining users to manage.
+
+ return ERROR;
+ }
+
Set<User> users = new HashSet<>();
for ( String userUid : usersSelected )
{
User user = userService.getUser( userUid );
- if( user == null)
+ if ( user == null )
{
continue;
}
=== modified file 'dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml 2014-10-21 16:15:25 +0000
+++ dhis-2/dhis-web/dhis-web-dashboard-integration/src/main/resources/META-INF/dhis/beans.xml 2014-11-25 03:16:09 +0000
@@ -97,6 +97,7 @@
<bean id="org.hisp.dhis.dashboard.usergroup.action.UpdateUserGroupAction" class="org.hisp.dhis.dashboard.usergroup.action.UpdateUserGroupAction"
scope="prototype">
<property name="userService" ref="org.hisp.dhis.user.UserService" />
+ <property name="currentUserService" ref="org.hisp.dhis.user.CurrentUserService" />
<property name="userGroupService" ref="org.hisp.dhis.user.UserGroupService" />
<property name="attributeService" ref="org.hisp.dhis.attribute.AttributeService" />
<property name="systemSettingManager" ref="org.hisp.dhis.setting.SystemSettingManager" />
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2014-11-24 18:14:38 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2014-11-25 03:16:09 +0000
@@ -290,6 +290,8 @@
public String execute()
throws Exception
{
+ //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to add a user within managed groups.
+
if ( email != null && email.trim().length() == 0 )
{
email = null;
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/RemoveUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/RemoveUserAction.java 2014-10-16 06:17:19 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/RemoveUserAction.java 2014-11-25 03:16:09 +0000
@@ -93,6 +93,8 @@
public String execute()
throws Exception
{
+ //TODO: Allow user with F_USER_DELETE_WITHIN_MANAGED_GROUP to delete a user within managed groups.
+
User user = userService.getUser( id );
User currentUser = currentUserService.getCurrentUser();
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java 2014-11-24 18:14:38 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/UpdateUserAction.java 2014-11-25 03:16:09 +0000
@@ -256,6 +256,8 @@
public String execute()
throws Exception
{
+ //TODO: Allow user with F_USER_ADD_WITHIN_MANAGED_GROUP to update a user within managed groups.
+
if ( email != null && email.trim().length() == 0 )
{
email = null;
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties 2014-11-24 18:14:38 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/resources/org/hisp/dhis/user/i18n_module.properties 2014-11-25 03:16:09 +0000
@@ -116,6 +116,9 @@
F_USER_ADD=Add/Update User
F_USER_DELETE=Delete User
F_USER_VIEW=View User
+F_USER_ADD_WITHIN_MANAGED_GROUP=Add/Update User Within Managed Group
+F_USER_DELETE_WITHIN_MANAGED_GROUP=Delete User
+F_USER_VIEW_WITHIN_MANAGED_GROUP=View User
F_VALIDATIONRULE_ADD=Add/Update Validation Rule
F_VALIDATIONRULE_DELETE=Delete Validation Rule
F_VALIDATIONRULEGROUP_PUBLIC_ADD=Add/Update Public Validation Rule Group
