Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/LogEventController.java
===================================================================
diff -u -r1fb317e9f6db7094ec64f77782bf0be389012e43 -r1713042dda0682a11a40bd58cb3bbb8b30238786
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/LogEventController.java (.../LogEventController.java) (revision 1fb317e9f6db7094ec64f77782bf0be389012e43)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/LogEventController.java (.../LogEventController.java) (revision 1713042dda0682a11a40bd58cb3bbb8b30238786)
@@ -71,7 +71,7 @@
 public String unspecified(HttpServletRequest request) throws Exception {
 // check permission
- if (!request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN)) {
+ if (!request.isUserInRole(Role.APPADMIN) && !request.isUserInRole(Role.SYSADMIN)) {
 request.setAttribute("errorName", "EventLogAdmin");
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
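Review bot: The two-role test is still written out by hand at every call site: here in LogEventController.unspecified, again in the `@@ -103` hunk of the same file, in both StatisticsController hunks and in ThemeManagementController. That duplication is how one wrong operator ended up in five authorisation checks. A single shared helper, for example `static boolean isAppOrSysAdmin(HttpServletRequest request) { return request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN); }` (the name is only a suggestion), called as `if (!isAppOrSysAdmin(request)) {`, would leave one expression to review. It could then be covered by a test for each role combination, including a user holding only SYSADMIN, the case the old condition rejected. The method bodies start and continue outside these hunks.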
@@ -103,7 +103,7 @@
 throws ServletException, IOException {
 // check permission
- if (!request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN)) {
+ if (!request.isUserInRole(Role.APPADMIN) && !request.isUserInRole(Role.SYSADMIN)) {
 request.setAttribute("errorName", "EventLogAdmin");
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/StatisticsController.java
===================================================================
diff -u -r1fb317e9f6db7094ec64f77782bf0be389012e43 -r1713042dda0682a11a40bd58cb3bbb8b30238786
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/StatisticsController.java (.../StatisticsController.java) (revision 1fb317e9f6db7094ec64f77782bf0be389012e43)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/StatisticsController.java (.../StatisticsController.java) (revision 1713042dda0682a11a40bd58cb3bbb8b30238786)
@@ -59,7 +59,7 @@
 public String unspecified(HttpServletRequest request) throws Exception {
 // check permission
- if (!request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN)) {
+ if (!request.isUserInRole(Role.APPADMIN) && !request.isUserInRole(Role.SYSADMIN)) {
 request.setAttribute("errorName", "StatisticsAction");
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
@@ -80,7 +80,7 @@
 Integer orgId = WebUtil.readIntParam(request, "orgId");
 // check permission
- if (!request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN)) {
+ if (!request.isUserInRole(Role.APPADMIN) && !request.isUserInRole(Role.SYSADMIN)) {
 request.setAttribute("errorName", "StatisticsAction");
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/ThemeManagementController.java
===================================================================
diff -u -r1fb317e9f6db7094ec64f77782bf0be389012e43 -r1713042dda0682a11a40bd58cb3bbb8b30238786
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/ThemeManagementController.java (.../ThemeManagementController.java) (revision 1fb317e9f6db7094ec64f77782bf0be389012e43)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/ThemeManagementController.java (.../ThemeManagementController.java) (revision 1713042dda0682a11a40bd58cb3bbb8b30238786)
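Review bot: In StatisticsController's second hunk (`@@ -80,7 +80,7 @@`), `WebUtil.readIntParam(request, "orgId")` runs before the permission check, so a caller with neither admin role still has request input parsed before being rejected. Moving the `// check permission` block above the `Integer orgId = ...` line keeps unauthorised requests away from parameter handling and makes the gate the first thing a reader sees. How `readIntParam` reacts to a missing or malformed value is not visible here, so the practical impact is inferred. The enclosing method starts and continues outside the hunk.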
@@ -64,7 +64,7 @@
 public String unspecified(@ModelAttribute ThemeForm themeForm, HttpServletRequest request) throws Exception {
 // check permission
- if (!request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN)) {
+ if (!request.isUserInRole(Role.APPADMIN) && !request.isUserInRole(Role.SYSADMIN)) {
 request.setAttribute("errorName", "ThemeManagementAction");
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java
===================================================================
diff -u -r1fb317e9f6db7094ec64f77782bf0be389012e43 -r1713042dda0682a11a40bd58cb3bbb8b30238786
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java (.../UserController.java) (revision 1fb317e9f6db7094ec64f77782bf0be389012e43)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java (.../UserController.java) (revision 1713042dda0682a11a40bd58cb3bbb8b30238786)
@@ -342,7 +342,7 @@
 @RequestMapping(path = "/delete", method = RequestMethod.POST)
 public String delete(HttpServletRequest request) throws Exception {
 if (!(request.isUserInRole(Role.APPADMIN) || request.isUserInRole(Role.SYSADMIN)
- || request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupManager())) {
+ || userManagementService.isUserGlobalGroupManager())) {
 request.setAttribute("errorName", "UserAction");
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserManageController.java
===================================================================
diff -u -r1fb317e9f6db7094ec64f77782bf0be389012e43 -r1713042dda0682a11a40bd58cb3bbb8b30238786
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserManageController.java (.../UserManageController.java) (revision 1fb317e9f6db7094ec64f77782bf0be389012e43)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserManageController.java (.../UserManageController.java) (revision 1713042dda0682a11a40bd58cb3bbb8b30238786)
@@ -99,7 +99,7 @@
 // check permission
 Integer rootOrgId = userManagementService.getRootOrganisation().getOrganisationId();
 if (request.isUserInRole(Role.SYSADMIN)
- || ((request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupManager())
+ || ((request.isUserInRole(Role.APPADMIN) || userManagementService.isUserGlobalGroupManager())
 && !orgId.equals(rootOrgId))) {
 userManageForm.setCourseAdminCanAddNewUsers(true);
 userManageForm.setCourseAdminCanBrowseAllUsers(true);
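Review bot: The guard in UserController.delete looks only at the caller's role, and a global group manager passes it on the same footing as APPADMIN and SYSADMIN. Nothing in the hunk shows whether the account being deleted is compared with the caller's privilege level, so confirm that the rest of the method stops a global group manager from deleting an appadmin or sysadmin account. Until that is clear, I would mark the limit of this check with a comment above the `if`, such as `// role gate only: does not check whether the target user outranks the caller`. The body of delete continues outside the hunk.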
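Review bot: The condition in UserManageController's hunk (`@@ -99,7 +99,7 @@`) combines three roles and an organisation test under a bare `// check permission`, which gives a reader nothing to check the expression against; a duplicated `Role.SYSADMIN` sat here unnoticed. I would replace that comment with a statement of intent, `// sysadmin: any organisation; appadmin or global group manager: any organisation except the root`. Separately, `orgId.equals(rootOrgId)` throws if `orgId` is null. Whether it can be null is not visible in the hunk, but `!Objects.equals(orgId, rootOrgId)` would remove the question. The enclosing method starts and ends outside the hunk.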