=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java 2015-07-16 07:26:29 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java 2015-07-16 07:53:57 +0000
@@ -37,6 +37,7 @@
 import org.hisp.dhis.dxf2.common.JacksonUtils;
 import org.hisp.dhis.dxf2.webmessage.WebMessageException;
 import org.hisp.dhis.hibernate.exception.DeleteAccessDeniedException;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
 import org.hisp.dhis.schema.descriptors.DashboardItemSchemaDescriptor;
 import org.hisp.dhis.schema.descriptors.DashboardSchemaDescriptor;
 import org.hisp.dhis.webapi.utils.WebMessageUtils;
@@ -107,6 +108,11 @@
             throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + uid ) );
         }
 
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         Dashboard newDashboard = JacksonUtils.fromJson( request.getInputStream(), Dashboard.class );
 
         dashboard.setName( newDashboard.getName() ); // TODO Name only for now
@@ -148,6 +154,11 @@
             throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + uid ) );
         }
 
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         DashboardItem item = JacksonUtils.fromJson( request.getInputStream(), DashboardItem.class );
 
         dashboardService.mergeDashboardItem( item );
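Review bot: The four-line guard added in this `uid` handler is pasted verbatim into six other handlers by this commit, and the 404 check it sits under is repeated just as often, so the next endpoint added to this controller is one copy-paste away from missing the authorization check. A private helper that resolves the dashboard, throws the existing notFound when it is absent and UpdateAccessDeniedException when `aclService.canUpdate` fails would reduce every handler to `Dashboard dashboard = getDashboardForUpdate( uid );` and keep the check in one place. The enclosing method starts outside the hunk (its lookup of `dashboard` is not visible), so the helper below is written only from names the hunk itself references.
```java
    // Resolves a dashboard for a mutating request: 404 if it does not exist,
    // UpdateAccessDeniedException if the current user may not update it.
    private Dashboard getDashboardForUpdate( String uid )
        throws WebMessageException
    {
        Dashboard dashboard = dashboardService.getDashboard( uid );

        if ( dashboard == null )
        {
            throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + uid ) );
        }

        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
        {
            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
        }

        return dashboard;
    }
```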
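Review bot: The new guard in the second handler on this line authorizes against the dashboard resolved from the `uid` path variable, but the statement after it, `dashboardService.mergeDashboardItem( item )`, receives an item deserialized straight from the request body, and nothing in the hunk ties that item to `dashboard`. If DashboardItem carries its own uid and mergeDashboardItem (outside the hunk) looks the persistent item up by that uid, a caller with update rights on one dashboard can merge into an item belonging to a dashboard they cannot update, and the check just added would not prevent it. The file already has a scoped lookup, used in the last hunk of this diff, so rejecting the request when `dashboard.getItemByUid( item.getUid() ) == null` before the merge, or passing `dashboard` into the merge so the service scopes the lookup itself, would make the authorized object and the mutated object the same; which of the two fits depends on mergeDashboardItem's contract, which I cannot see here. The enclosing method starts outside the hunk.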
@@ -164,6 +175,18 @@
     public void postJsonItemContent( HttpServletResponse response, HttpServletRequest request,
         @PathVariable String dashboardUid, @RequestParam String type, @RequestParam( "id" ) String contentUid ) throws Exception
     {
+        Dashboard dashboard = dashboardService.getDashboard( dashboardUid );
+
+        if ( dashboard == null )
+        {
+            throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid) ) );
+        }
+
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         DashboardItem item = dashboardService.addItemContent( dashboardUid, type, contentUid );
 
         if ( item == null )
@@ -188,6 +211,11 @@
             throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid ) );
         }
 
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         if ( dashboard.moveItem( itemUid, position ) )
         {
             dashboardService.updateDashboard( dashboard );
@@ -207,6 +235,11 @@
             throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid ) );
         }
 
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         DashboardItem item = dashboardService.getDashboardItem( itemUid );
 
         if ( item == null )
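Review bot: In postJsonItemContent the new guard only establishes that the caller may update the dashboard; `type` and `contentUid` arrive as request parameters and nothing in the hunk checks that the caller may read the object `contentUid` names before `dashboardService.addItemContent( dashboardUid, type, contentUid )` attaches it to the dashboard. If addItemContent (outside the hunk) does not perform its own read check — I cannot see it from here — a user can pin a chart, map or report they are not allowed to view onto a dashboard they control and read it from there. A check of the form `aclService.canRead( currentUserService.getCurrentUser(), content )` on the resolved content object, either here or inside addItemContent, would close that, and an unreadable object is best answered with the same notFound the missing-dashboard branch uses, so that the endpoint does not confirm which uids exist. The method body continues past the hunk.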
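Review bot: In the last hunk on this line the guard checks update rights on the dashboard resolved from `dashboardUid`, but the very next statement fetches the item with `dashboardService.getDashboardItem( itemUid )`, i.e. by the item's own uid with no reference to `dashboard`, so as written the object that was authorized and the object the method goes on to act on are not necessarily the same. The final hunk of this diff resolves its item with `dashboard.getItemByUid( itemUid )`, which scopes the lookup to the dashboard that was just authorized; using the same call here, `DashboardItem item = dashboard.getItemByUid( itemUid );`, makes the check and the target agree, and the existing `item == null` branch then also covers an item that belongs to another dashboard. The rest of the method lies outside the hunk, so I cannot tell whether membership is re-checked further down; if it is, a comment saying so next to the lookup would save the next reader the same question.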
@@ -234,6 +267,11 @@
             throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid ) );
         }
 
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         DashboardItem item = dashboard.getItemByUid( itemUid );
 
         if ( item == null )