Index: lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java
===================================================================
diff -u -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f -rd6a45ade64643d31d0fe81db40be010c04d2057e
--- lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f)
+++ lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision d6a45ade64643d31d0fe81db40be010c04d2057e)
@@ -89,9 +89,10 @@
 }
 }
- Integer orgId = lesson.getOrganisation().getOrganisationId();
+ Organisation org = lesson.getOrganisation();
+ Integer orgId = org == null ? null : org.getOrganisationId();
 boolean hasSysadminRole = securityDAO.isSysadmin(userId);
- boolean hasOrgRole = securityDAO.hasOrgRole(orgId, userId, Role.LEARNER);
+ boolean hasOrgRole = orgId == null || securityDAO.hasOrgRole(orgId, userId, Role.LEARNER);
 if (!hasSysadminRole && !(hasOrgRole && securityDAO.isLessonLearner(lessonId, userId))) {
 String error = "User " + userId + " is not learner in lesson " + lessonId + " and can not \"" + action
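Review bot: The new `hasOrgRole` line treats a lesson with no organisation as if the user held the LEARNER role (`orgId == null || …`), so the organisation-level check fails open and access then rests only on `securityDAO.isLessonLearner(lessonId, userId)`. The same fail-open pattern is in the `hasMonitorRole` hunk at -145 and the `hasRole` hunk at -253. If organisation-less lessons are legitimate (the hunk does not show which lessons have none), say so above the line, e.g. `// lesson has no organisation: org-role check is skipped on purpose, lesson membership below is still enforced`; if they are not expected, deny instead with `boolean hasOrgRole = orgId != null && securityDAO.hasOrgRole(orgId, userId, Role.LEARNER);`. The enclosing method starts and ends outside the hunk.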
@@ -145,10 +146,13 @@
 }
 }
- Integer orgId = lesson.getOrganisation().getOrganisationId();
+
+ Organisation org = lesson.getOrganisation();
+ Integer orgId = org == null ? null : org.getOrganisationId();
 boolean hasSysadminRole = securityDAO.isSysadmin(userId);
- boolean hasGroupManagerRole = hasSysadminRole || securityDAO.isGroupManager(orgId, userId);
- boolean hasMonitorRole = hasGroupManagerRole || securityDAO.hasOrgRole(orgId, userId, Role.MONITOR);
+ boolean hasGroupManagerRole = hasSysadminRole || (orgId != null && securityDAO.isGroupManager(orgId, userId));
+ boolean hasMonitorRole = hasGroupManagerRole || orgId == null
+ || securityDAO.hasOrgRole(orgId, userId, Role.MONITOR);
 if (!hasGroupManagerRole && !(hasMonitorRole && securityDAO.isLessonMonitor(lessonId, userId, true))) {
 String error = "User " + userId + " is not monitor in lesson " + lessonId + " and can not \"" + action
@@ -253,10 +257,12 @@
 }
 }
- Integer orgId = lesson.getOrganisation().getOrganisationId();
+ Organisation org = lesson.getOrganisation();
+ Integer orgId = org == null ? null : org.getOrganisationId();
 boolean hasSysadminRole = securityDAO.isSysadmin(userId);
- boolean hasGroupManagerRole = hasSysadminRole || securityDAO.isGroupManager(orgId, userId);
- boolean hasRole = hasGroupManagerRole || securityDAO.hasOrgRole(orgId, userId, Role.LEARNER, Role.MONITOR);
+ boolean hasGroupManagerRole = hasSysadminRole || (orgId != null && securityDAO.isGroupManager(orgId, userId));
+ boolean hasRole = hasGroupManagerRole || orgId == null
+ || securityDAO.hasOrgRole(orgId, userId, Role.LEARNER, Role.MONITOR);
 if (!hasGroupManagerRole && !(hasRole && (securityDAO.isLessonLearner(lessonId, userId) || securityDAO.isLessonMonitor(lessonId,
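Review bot: The two role lines in the -145 hunk give a missing organisation opposite meanings, and no comment says this is intended: `hasGroupManagerRole` requires `orgId != null` (denies), while `hasMonitorRole` accepts `orgId == null` (grants). A short comment above them would make the policy auditable, e.g. `// no organisation: nobody is group manager; monitor access is decided by isLessonMonitor alone`. The null-safe lookup `Organisation org = lesson.getOrganisation(); Integer orgId = org == null ? null : org.getOrganisationId();` is repeated in all three hunks, so a single private helper returning the nullable id would keep that decision in one place. The extra blank `+` line added before `Organisation org` can be dropped, and the method body continues outside the hunk.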