Index: lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsAction.java
===================================================================
diff -u -rff3bd28c7a274dd7d1bc46152ae5900166edac8c -rf2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d
--- lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsAction.java (.../LessonConditionsAction.java) (revision ff3bd28c7a274dd7d1bc46152ae5900166edac8c)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsAction.java (.../LessonConditionsAction.java) (revision f2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d)
@@ -30,17 +30,23 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import org.apache.log4j.Logger;
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
 import org.apache.struts.action.ActionMapping;
 import org.apache.struts.actions.DispatchAction;
+import org.lamsfoundation.lams.contentrepository.InvalidParameterException;
 import org.lamsfoundation.lams.index.IndexLessonBean;
 import org.lamsfoundation.lams.lesson.Lesson;
 import org.lamsfoundation.lams.lesson.service.LessonService;
+import org.lamsfoundation.lams.tool.exception.DataMissingException;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.util.CentralConstants;
 import org.lamsfoundation.lams.util.WebUtil;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -65,13 +71,19 @@ /** * Prepares data for thickbox displayed on Index page. + * + * @throws InvalidParameterException */ @SuppressWarnings("unchecked") public ActionForward getIndexLessonConditions(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response) throws InvalidParameterException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); Lesson lesson = getLessonService().getLesson(lessonId); + if (lesson == null) { + throw new InvalidParameterException("Lesson with ID: " + lessonId + " does not exist."); + } + List precedingLessons = new ArrayList(lesson.getPrecedingLessons().size()); for (Lesson precedingLesson : lesson.getPrecedingLessons()) { IndexLessonBean precedingLessonBean = new IndexLessonBean(precedingLesson.getLessonId(), 
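Review bot: getIndexLessonConditions now rejects an unknown lesson ID, but nothing in this hunk checks that the caller has any relationship to the lesson before its preceding lessons are listed. `canEdit` is only used later to set the edit flag, so the read path appears open to any session that can reach the action; if that is not intended, a membership or role check belongs right after the `lesson == null` guard. The new `@throws InvalidParameterException` tag carries no description; `@throws InvalidParameterException if no lesson exists for the given lesson ID` would document the contract. The method body continues past the end of the hunk.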
@@ -94,19 +106,30 @@ } request.setAttribute(LessonConditionsAction.PARAM_AVAILABLE_LESSONS, availableLessons); + request.setAttribute(CentralConstants.PARAM_EDIT, canEdit(request, lesson)); + return mapping.findForward(LessonConditionsAction.FORWARD_INDEX_LESSON_CONDITION); } /** * Removes given lesson from dependecies and displays updated list in thickbox. + * + * @throws InvalidParameterException */ public ActionForward removeLessonDependency(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response) throws InvalidParameterException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); Long removedPrecedingLessonId = WebUtil.readLongParam(request, LessonConditionsAction.PARAM_PRECEDING_LESSON_ID, false); Lesson lesson = getLessonService().getLesson(lessonId); + if (lesson == null) { + throw new InvalidParameterException("Lesson with ID: " + lessonId + " does not exist."); + } + if (!canEdit(request, lesson)) { + throw new SecurityException("Current user can not edit lesson conditions"); + } + Iterator precedingLessonIter = lesson.getPrecedingLessons().iterator(); while (precedingLessonIter.hasNext()) { if (precedingLessonIter.next().getLessonId().equals(removedPrecedingLessonId)) { 
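Review bot: The `!canEdit(request, lesson)` branch in removeLessonDependency throws a bare `SecurityException` without recording the refusal, so a denied edit leaves an audit trail only if a handler outside this diff logs it. Logging the current user ID and `lessonId` at warn level before the throw, and mapping the exception to a 403 response rather than a generic error page, would make refused attempts visible to operators and keep the detail away from the client. The same applies to the identical branch in addLessonDependency in the next hunk. Both handlers also change lesson state from request parameters alone; no request-method restriction or anti-forgery token is visible here, so that protection should be confirmed elsewhere. removeLessonDependency continues beyond the hunk.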
@@ -120,22 +143,46 @@ } /** - * Adds given lesson to dependecies and displays updated list in thickbox. + * Adds given lesson to dependecies and displays updated list in thickbox. + * + * @throws InvalidParameterException */ public ActionForward addLessonDependency(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response) throws InvalidParameterException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); Long addedPrecedingLessonId = WebUtil.readLongParam(request, LessonConditionsAction.PARAM_PRECEDING_LESSON_ID, false); Lesson lesson = getLessonService().getLesson(lessonId); + if (lesson == null) { + throw new InvalidParameterException("Lesson with ID: " + lessonId + " does not exist."); + } + if (!canEdit(request, lesson)) { + throw new SecurityException("Current user can not edit lesson conditions"); + } Lesson addedPrecedingLesson = getLessonService().getLesson(addedPrecedingLessonId); + if (addedPrecedingLesson == null) { + throw new InvalidParameterException("Preceding lesson with ID: " + lessonId + " does not exist."); + } + lesson.getPrecedingLessons().add(addedPrecedingLesson); // after operation, display contents again return getIndexLessonConditions(mapping, form, request, response); } + /** + * Checks if user is allowed to edit lesson conditions. 
+ */ + private boolean canEdit(HttpServletRequest request, Lesson lesson) { + HttpSession session = SessionManager.getSession(); + UserDTO currentUser = (UserDTO) session.getAttribute(AttributeNames.USER); + if (currentUser == null) { + throw new DataMissingException("User DTO missing from session."); + } + return currentUser.getUserID().equals(lesson.getUser().getUserId()); + } + private LessonService getLessonService() { if (LessonConditionsAction.lessonService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() Index: lams_central/web/includes/javascript/thickbox.patched.js =================================================================== diff -u -r2f5473044ec01bd94a2ea8e5262b2a200f1e6da6 -rf2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d --- lams_central/web/includes/javascript/thickbox.patched.js (.../thickbox.patched.js) (revision 2f5473044ec01bd94a2ea8e5262b2a200f1e6da6) +++ lams_central/web/includes/javascript/thickbox.patched.js (.../thickbox.patched.js) (revision f2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d) @@ -283,6 +283,12 @@ } document.onkeydown = ""; document.onkeyup = ""; + + // refresh parent window if certain attribute is set + if ($("#TB_window").attr("TB_refreshParentOnClose") == 'true'){ + parent.location.reload(1); + } + return false; } Index: lams_central/web/indexLessonConditions.jsp =================================================================== diff -u -rff3bd28c7a274dd7d1bc46152ae5900166edac8c -rf2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d --- lams_central/web/indexLessonConditions.jsp (.../indexLessonConditions.jsp) (revision ff3bd28c7a274dd7d1bc46152ae5900166edac8c) +++ lams_central/web/indexLessonConditions.jsp (.../indexLessonConditions.jsp) (revision f2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d) @@ -22,13 +22,22 @@ } + 
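Review bot: The `addedPrecedingLesson == null` branch in addLessonDependency reports the wrong value: it concatenates `lessonId`, so the message names the lesson being edited instead of the missing one; it should read `throw new InvalidParameterException("Preceding lesson with ID: " + addedPrecedingLessonId + " does not exist.");`. The handler also adds whatever lesson the parameter names, with no visible check that it differs from `lesson` or is one of the lessons offered as available, so a lesson could end up depending on itself and, with the release check this commit adds to AccessPermissionFilter, become unreachable for its learners. In `canEdit`, the `request` parameter is unused and neither `SessionManager.getSession()` nor `lesson.getUser()` is null-checked before being dereferenced. getLessonService at the end of the hunk continues outside it.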
@@ -61,50 +70,53 @@ - " - onclick="javascript:removePrecedingLesson(${precedingLesson.id})" /> + + " + onclick="javascript:removePrecedingLesson(${precedingLesson.id})" /> + - - - -

- -

- - - - - - - - - - - - -
- - - - - - " /> - - -
-
-
+ + + +

+ +

+ + + + + + + + + + + + +
+ + + + + + " /> + + +
+
+
+
Index: lams_common/src/java/org/lamsfoundation/lams/web/filter/AccessPermissionFilter.java =================================================================== diff -u -r21f66321c25a83471311554bff290b3ab862ad06 -rf2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d --- lams_common/src/java/org/lamsfoundation/lams/web/filter/AccessPermissionFilter.java (.../AccessPermissionFilter.java) (revision 21f66321c25a83471311554bff290b3ab862ad06) +++ lams_common/src/java/org/lamsfoundation/lams/web/filter/AccessPermissionFilter.java (.../AccessPermissionFilter.java) (revision f2cb56ddf4b6c4256e0fb0cb2be42510f4ee430d) @@ -125,15 +125,22 @@ checkPerformed = true; String lessonIDParam = request.getParameter(AttributeNames.PARAM_LESSON_ID); if (lessonIDParam != null) { - Long lessonID = Long.valueOf(lessonIDParam); - Lesson lesson = getLessonService().getLesson(lessonID); + Long lessonId = Long.valueOf(lessonIDParam); + Lesson lesson = getLessonService().getLesson(lessonId); if (lesson != null) { User user = getUser(); if ((lesson.getLessonClass() != null) && lesson.getLessonClass().getLearners().contains(user)) { - if (AccessPermissionFilter.log.isTraceEnabled()) { - AccessPermissionFilter.log.trace("OK, user " + user.getLogin() - + " is a learner in the requested lesson. Lesson ID: " + // check if preceding lessons are complete + if (getLessonService().checkLessonReleaseConditions(lessonId, user.getUserId())) { + if (AccessPermissionFilter.log.isTraceEnabled()) { + AccessPermissionFilter.log.trace("OK, user " + user.getLogin() + + " is a learner in the requested lesson. Lesson ID: " + + lesson.getLessonId() + ", name: " + lesson.getLessonName()); + } + } else { + throw new SecurityException("User " + user.getLogin() + + " has not finished required preceding lessons. Lesson ID: " + lesson.getLessonId() + ", name: " + lesson.getLessonName()); } } else {
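Review bot: `Long.valueOf(lessonIDParam)` parses a raw request parameter, so a non-numeric value raises NumberFormatException inside the filter instead of a controlled rejection; catching it around that line and refusing the request would keep malformed input from surfacing as a server error. The new `SecurityException` message includes the user's login and the lesson name; whether that text reaches the response depends on error handling outside the hunk, so a generic client message with the detail sent to the log is the safer split. The release check runs only where the `lessonID` parameter is present and the user is a learner, and whether learner requests that identify the lesson another way get the same check cannot be seen from here. The enclosing method starts before and ends after the hunk.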