Index: lams_central/src/java/org/lamsfoundation/lams/web/planner/PedagogicalPlannerAction.java
===================================================================
diff -u -r3a1ae19ae51ede32cec920fc9bb07f6787f562ff -r161f204afffd06f77a17fa45ce069d7eae00f04e
--- lams_central/src/java/org/lamsfoundation/lams/web/planner/PedagogicalPlannerAction.java (.../PedagogicalPlannerAction.java) (revision 3a1ae19ae51ede32cec920fc9bb07f6787f562ff)
+++ lams_central/src/java/org/lamsfoundation/lams/web/planner/PedagogicalPlannerAction.java (.../PedagogicalPlannerAction.java) (revision 161f204afffd06f77a17fa45ce069d7eae00f04e)
@@ -94,7 +94,6 @@
 import org.lamsfoundation.lams.learningdesign.service.ImportToolContentException;
 import org.lamsfoundation.lams.lesson.Lesson;
 import org.lamsfoundation.lams.monitoring.service.IMonitoringService;
-import org.lamsfoundation.lams.planner.PedagogicalPlannerNodeRole;
 import org.lamsfoundation.lams.planner.PedagogicalPlannerSequenceNode;
 import org.lamsfoundation.lams.planner.dao.PedagogicalPlannerDAO;
 import org.lamsfoundation.lams.planner.dto.PedagogicalPlannerActivityDTO;
@@ -103,6 +102,7 @@
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
+import org.lamsfoundation.lams.usermanagement.exception.UserAccessDeniedException;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.CentralConstants;
 import org.lamsfoundation.lams.util.CentralToolContentHandler;
@@ -652,9 +652,7 @@ PedagogicalPlannerAction.log.debug("Opening sequence node with UID: " + nodeUid); // Only certain roles can open the editor - User user = (User) getUserManagementService().getUserByLogin(request.getRemoteUser()); - Boolean hasRole = request.isUserInRole(Role.SYSADMIN) || getUserManagementService().isUserGlobalAuthorAdmin() - || getPedagogicalPlannerDAO().canUserWriteToNode(user.getUserId(), nodeUid, Role.ROLE_AUTHOR_ADMIN); + Boolean hasRole = hasRole(request, nodeUid); Boolean edit = WebUtil.readBooleanParam(request, CentralConstants.PARAM_EDIT, false); edit &= hasRole; @@ -769,6 +767,11 @@ node = getPedagogicalPlannerDAO().getByUid(nodeUid); nodeUid = node.getUid(); } + + if (!hasRole(request, nodeUid)) { + log.debug("Unauthorised attempt to saveSequenceNode"); + throw new UserAccessDeniedException(); + } PedagogicalPlannerAction.log.debug("Saving sequence node with UID: " + nodeUid); // If anything goes wrong, we need to put back these values @@ -1082,6 +1085,11 @@ public ActionForward importNode(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws ServletException { + if (!hasRole(request, null)) { + log.debug("Unauthorised access to importNode"); + throw new UserAccessDeniedException(); + } + PedagogicalPlannerSequenceNodeForm nodeForm = (PedagogicalPlannerSequenceNodeForm) form; ActionMessages errors = validateFormFile(nodeForm); 
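Review bot: The denial added in saveSequenceNode just before the "Saving sequence node with UID" line is recorded only at debug level and names neither the acting user nor the node, so at a production log level a refused write leaves no trace of who tried it; a denied state change is a security event and belongs at warn with its identifiers, `log.warn("Unauthorised attempt to saveSequenceNode by " + request.getRemoteUser() + " on node " + nodeUid);` before the throw. The same debug-only, identifier-free logging is used in the importNode hunk that follows and in the addRemoveEditors, addEditor and removeEditor hunk of this file. saveSequenceNode begins outside this hunk, so it is not visible here whether anything above the check already mutates state; the check should sit before the first write.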
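Review bot: `hasRole(request, null)` at the top of importNode authorises the import against a null node UID, and nothing in the hunk says what that null denotes; with the new isEditor it means SYSADMIN or whatever getPlannerNodeRoles returns for a null nodeUid. If the import is placed under a parent node that the form supplies, the check should be repeated against that parent's UID once nodeForm has been read, since a role on a sub-tree is what isEditor is designed to inherit. Either way a one-line comment pinning the intent, `// null node UID: only sysadmins and root-level editors may import`, would stop the next reader from guessing. Placing the check ahead of validateFormFile is the right order: the request is refused before any uploaded content is examined.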
@@ -1608,47 +1616,78 @@ return null; } - public ActionForward editAuthors(ActionMapping mapping, ActionForm form, HttpServletRequest request, + public ActionForward addRemoveEditors(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { Long nodeUid = WebUtil.readLongParam(request, CentralConstants.PARAM_UID, true); - // TODO only sysadmin and author admins of the given (or parent) node can edit authors - - Integer orgId = getUserManagementService().getRootOrganisation().getOrganisationId(); - Vector potentialUsers = getUserManagementService().getUsersFromOrganisationByRole(orgId, Role.AUTHOR_ADMIN, false, true); - - List existingUsers = getPedagogicalPlannerDAO().getNodeUsers(nodeUid, Role.ROLE_AUTHOR_ADMIN); - - request.setAttribute("existingUsers", existingUsers); - request.setAttribute("potentialUsers", potentialUsers); - - return mapping.findForward("editAuthors"); + if (hasRole(request, nodeUid)) { + List existingUsers = getPedagogicalPlannerDAO().getNodeUsers(nodeUid, Role.ROLE_AUTHOR_ADMIN); + + Integer orgId = getUserManagementService().getRootOrganisation().getOrganisationId(); + Vector potentialUsersVector = getUserManagementService().getUsersFromOrganisationByRole(orgId, + Role.AUTHOR_ADMIN, false, true); + + // filter existing users from list of potential users + List potentialUsers = new ArrayList(); + for (Object o : potentialUsersVector) { + User u = (User) o; + if (existingUsers.contains(u)) { + continue; + } + // filter self + if (StringUtils.equals(u.getLogin(), request.getRemoteUser())) { + continue; + } + potentialUsers.add(u); + } + + request.setAttribute("existingUsers", existingUsers); + request.setAttribute("potentialUsers", potentialUsers); + + return mapping.findForward("editAuthors"); + } else { + log.debug("Unauthorised attempt to access add/remove editors page."); + throw new UserAccessDeniedException(); + } } - public ActionForward addAuthor(ActionMapping mapping, 
ActionForm form, HttpServletRequest request, + public ActionForward addEditor(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { Integer userId = WebUtil.readIntParam(request, CentralConstants.PARAM_USER_ID, false); Long nodeUid = WebUtil.readLongParam(request, CentralConstants.PARAM_UID, true); - // TODO only sysadmin and author admin of given (or parent) node can add admin + if (hasRole(request, nodeUid)) { + getPedagogicalPlannerDAO().saveNodeRole(userId, nodeUid, Role.ROLE_AUTHOR_ADMIN); + } else { + log.debug("Unauthorised attempt to add editor to node."); + } - getPedagogicalPlannerDAO().saveNodeRole(userId, nodeUid, Role.ROLE_AUTHOR_ADMIN); return null; } - public ActionForward removeAuthor(ActionMapping mapping, ActionForm form, HttpServletRequest request, + public ActionForward removeEditor(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { Integer userId = WebUtil.readIntParam(request, CentralConstants.PARAM_USER_ID, false); Long nodeUid = WebUtil.readLongParam(request, CentralConstants.PARAM_UID, false); - // TODO only sysadmin and author admin of given (or parent) node can remove admin + if (hasRole(request, nodeUid)) { + getPedagogicalPlannerDAO().removeNodeRole(userId, nodeUid, Role.ROLE_AUTHOR_ADMIN); + } else { + log.debug("Unauthorised attempt to remove editor from node."); + } - getPedagogicalPlannerDAO().removeNodeRole(userId, nodeUid, Role.ROLE_AUTHOR_ADMIN); return null; } /*------------------------ COMMON METHODS --------------------*/ + // only these roles can edit nodes and give this role on this node to others + private Boolean hasRole(HttpServletRequest request, Long nodeUid) { + User user = (User) getUserManagementService().getUserByLogin(request.getRemoteUser()); + return request.isUserInRole(Role.SYSADMIN) + || getPedagogicalPlannerDAO().isEditor(user.getUserId(), nodeUid, Role.ROLE_AUTHOR_ADMIN); + } + 
private IExportToolContentService getExportService() { if (PedagogicalPlannerAction.exportService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() Index: lams_common/src/java/org/lamsfoundation/lams/planner/dao/PedagogicalPlannerDAO.java =================================================================== diff -u -r3a1ae19ae51ede32cec920fc9bb07f6787f562ff -r161f204afffd06f77a17fa45ce069d7eae00f04e --- lams_common/src/java/org/lamsfoundation/lams/planner/dao/PedagogicalPlannerDAO.java (.../PedagogicalPlannerDAO.java) (revision 3a1ae19ae51ede32cec920fc9bb07f6787f562ff) +++ lams_common/src/java/org/lamsfoundation/lams/planner/dao/PedagogicalPlannerDAO.java (.../PedagogicalPlannerDAO.java) (revision 161f204afffd06f77a17fa45ce069d7eae00f04e) @@ -42,7 +42,7 @@ PedagogicalPlannerSequenceNode getNeighbourNode(PedagogicalPlannerSequenceNode node, Integer orderDelta); - Boolean canUserWriteToNode(Integer userId, Long nodeUid, Integer roleId); + Boolean isEditor(Integer userId, Long nodeUid, Integer roleId); List getNodeUsers(Long nodeUid, Integer roleId); Index: lams_common/src/java/org/lamsfoundation/lams/planner/dao/hibernate/PedagogicalPlannerDAOHibernate.java =================================================================== diff -u -r3a1ae19ae51ede32cec920fc9bb07f6787f562ff -r161f204afffd06f77a17fa45ce069d7eae00f04e --- lams_common/src/java/org/lamsfoundation/lams/planner/dao/hibernate/PedagogicalPlannerDAOHibernate.java (.../PedagogicalPlannerDAOHibernate.java) (revision 3a1ae19ae51ede32cec920fc9bb07f6787f562ff) +++ lams_common/src/java/org/lamsfoundation/lams/planner/dao/hibernate/PedagogicalPlannerDAOHibernate.java (.../PedagogicalPlannerDAOHibernate.java) (revision 161f204afffd06f77a17fa45ce069d7eae00f04e) 
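Review bot: addEditor and removeEditor respond to a failed hasRole check by logging at debug and returning null, exactly as they do on success, so an unauthorised caller receives the same response as an authorised one and the two methods disagree with addRemoveEditors and saveSequenceNode, which throw UserAccessDeniedException. Throwing the same exception in both else branches, `log.warn("Unauthorised attempt to add editor to node " + nodeUid + " by " + request.getRemoteUser()); throw new UserAccessDeniedException();`, keeps the three editor actions consistent and makes the denial visible above debug level. In the new hasRole helper `user.getUserId()` is dereferenced without a null check; if getUserByLogin can return null for an unknown login the gate ends in a NullPointerException rather than a denial, which is fail-closed but deserves either a comment saying so or an explicit `user != null &&` guard. The helper also returns a boxed Boolean for a predicate, which forces the unboxing in `edit &= hasRole` at the openSequenceNode call site; `boolean` is the natural type.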
@@ -129,10 +129,21 @@ new Object[] { userId, nodeUid, roleId }); } - // TODO check parent nodes for inherited role - public Boolean canUserWriteToNode(Integer userId, Long nodeUid, Integer roleId) { + public Boolean isEditor(Integer userId, Long nodeUid, Integer roleId) { List l = getPlannerNodeRoles(userId, nodeUid, roleId); - return (l != null && l.size() > 0 ? true : false); + if (l != null && l.size() > 0) { + return true; + } else { + // check parent nodes for 'inherited' role + if (nodeUid != null) { + PedagogicalPlannerSequenceNode node = getByUid(nodeUid); + if (node != null) { + PedagogicalPlannerSequenceNode parent = node.getParent(); + return isEditor(userId, (parent != null ? parent.getUid() : null), roleId); + } + } + } + return false; } public List getNodeUsers(Long nodeUid, Integer roleId) {
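Review bot: The parent walk in isEditor ends by calling itself with a null nodeUid once `node.getParent()` is null, so the answer at the top of the tree depends on what getPlannerNodeRoles returns for a null node, which this hunk does not show; importNode's `hasRole(request, null)` reaches the same null query directly. If null is meant to denote the planner root, say so on the method, `// a null nodeUid denotes the planner root; a role granted there is inherited by every node`, and if it is not, end the recursion explicitly with `return parent != null && isEditor(userId, parent.getUid(), roleId);` so that no null ever reaches the query. The recursion also assumes the persisted parent chain is acyclic; a cycle in the stored tree would recurse until the stack overflows, so a loop with a depth bound or a visited set would be the safer form. A `boolean` return would fit the predicate better than the boxed `Boolean`.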