

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 17784: User invites/creation. Centralized code for checking permissions.

 

------------------------------------------------------------
revno: 17784
committer: Lars Helge Overland <larshelge@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2014-12-23 12:52:48 +0100
message:
  User invites/creation. Centralized code for checking permissions.
modified:
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java	2014-12-22 10:31:50 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java	2014-12-23 11:52:48 +0000
@@ -52,7 +52,6 @@
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserAuthorityGroup;
 import org.hisp.dhis.user.UserCredentials;
-import org.hisp.dhis.user.UserGroup;
 import org.hisp.dhis.user.UserGroupService;
 import org.hisp.dhis.user.UserService;
 import org.hisp.dhis.user.Users;
@@ -258,7 +257,11 @@
 
         User parsed = renderService.fromXml( request.getInputStream(), getEntityClass() );
         parsed.setUid( uid );
-        checkUserGroups( parsed );
+
+        if ( !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( parsed.getGroups() ) ) )
+        {
+            throw new CreateAccessDeniedException( "You must have permissions to create user, or ability to manage at least one user group for the user." );
+        }
 
         ImportTypeSummary summary = importService.importObject( currentUserService.getCurrentUser().getUid(), parsed,
             ImportStrategy.UPDATE );
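Review bot: The `checkUserGroups` call replaced here also verified that every group UID in the payload resolves to an existing group (`userGroupService.getUserGroup( ug.getUid() ) == null` raised an exception); nothing in this hunk shows that `userService.canAddOrUpdateUser` repeats that existence check, so an unknown group UID could now pass the gate and reach `importService.importObject`. If the service does validate the UIDs, a one-line comment above the new `if` would make that ownership explicit, e.g. `// canAddOrUpdateUser also rejects unknown group UIDs (see UserService)`; if it does not, the controller or the service needs to keep that check. The removed method also skipped its check entirely when `getGroups()` was null, whereas the new code passes the collection straight into `IdentifiableObjectUtils.getUids`; whether that helper tolerates a null collection for payloads that omit groups is not visible here and is worth confirming. The enclosing method starts before this hunk.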
@@ -285,7 +288,11 @@
 
         User parsed = renderService.fromJson( request.getInputStream(), getEntityClass() );
         parsed.setUid( uid );
-        checkUserGroups( parsed );
+        
+        if ( !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( parsed.getGroups() ) ) )
+        {
+            throw new CreateAccessDeniedException( "You must have permissions to create user, or ability to manage at least one user group for the user." );
+        }
 
         ImportTypeSummary summary = importService.importObject( currentUserService.getCurrentUser().getUid(), parsed,
             ImportStrategy.UPDATE );
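Review bot: The four-line permission gate added here is the third verbatim copy in this file (the XML handler and `createUser` carry the same `if`/`throw`), and the message it throws says "create user" on a path that goes on to call `importService.importObject( ..., ImportStrategy.UPDATE )`. Extracting a private helper such as `private void checkCanAddOrUpdateUser( User user )` that wraps `userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) )` and throws the `CreateAccessDeniedException` would keep the three call sites identical and give one place to fix the wording, for example `"You must have permissions to add or update users, or ability to manage at least one user group for the user."`. The blank line added in this hunk also carries trailing whitespace. The enclosing method starts before this hunk.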
@@ -362,17 +369,15 @@
      */
     private void createUser( User user, HttpServletResponse response ) throws Exception
     {
-        if ( currentUserService.getCurrentUser() == null )
-        {
-            throw new CreateAccessDeniedException( "Internal error: currentUserService.getCurrentUser() returns null." );
-        }
-
         if ( !aclService.canCreate( currentUserService.getCurrentUser(), getEntityClass() ) )
         {
             throw new CreateAccessDeniedException( "You don't have the proper permissions to create this object." );
         }
 
-        checkUserGroups( user );
+        if ( !userService.canAddOrUpdateUser( IdentifiableObjectUtils.getUids( user.getGroups() ) ) )
+        {
+            throw new CreateAccessDeniedException( "You must have permissions to create user, or ability to manage at least one user group for the user." );
+        }
 
         user.getUserCredentials().getCogsDimensionConstraints().addAll(
             currentUserService.getCurrentUser().getUserCredentials().getCogsDimensionConstraints() );
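Review bot: Dropping the `currentUserService.getCurrentUser() == null` guard leaves `createUser` dereferencing the current user unguarded: `aclService.canCreate` is now handed a possibly-null principal, and the `getCurrentUser().getUserCredentials()` call at the end of this hunk would throw a NullPointerException (a 500) where the old code raised a CreateAccessDeniedException. Whether an unauthenticated request can reach this controller method is not visible here; if the guard is considered redundant because the security filter chain guarantees a principal, a comment saying so would help, e.g. `// current user is guaranteed by the security filter chain; a null here is a configuration error`. Otherwise fetching the user once into a local, `User currentUser = currentUserService.getCurrentUser();`, followed by the restored null check, would both keep the explicit denial and remove the three repeated lookups in this method. `createUser`'s body continues past this hunk.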
@@ -386,45 +391,4 @@
         
         userGroupService.addUserToGroups( user, IdentifiableObjectUtils.getUids( user.getGroups() ) );
     }
-
-    /**
-     * Before adding or updating the user, checks to see that any specified user
-     * groups exist.
-     * <p>
-     * Also, if the current user doesn't have the F_USER_ADD authority, that
-     * means they have the weaker F_USER_ADD_WITHIN_MANAGED_GROUP authority.
-     * In this case, the new user must be added to a group that is managed
-     * by the current user.
-     *
-     * @param user user object parsed from the request
-     */
-    private void checkUserGroups( User user )
-    {
-        User currentUser = currentUserService.getCurrentUser();
-
-        if ( currentUser != null && user.getGroups() != null )
-        {
-            boolean authorizedToAdd = currentUser.getUserCredentials().isAuthorized( UserGroup.AUTH_USER_ADD );
-
-            for ( UserGroup ug : user.getGroups() )
-            {
-                UserGroup group = userGroupService.getUserGroup( ug.getUid() );
-
-                if ( group == null )
-                {
-                    throw new CreateAccessDeniedException( "Can't add/update user, can't find user group: " + ug.getUid() );
-                }
-
-                if ( !authorizedToAdd && currentUser.canManage( group ) )
-                {
-                    authorizedToAdd = true;
-                }
-            }
-
-            if ( !authorizedToAdd )
-            {
-                throw new CreateAccessDeniedException( "Can't add user, user must belong to a group that you manage." );
-            }
-        }
-    }
 }