fix: Validate search scope when scheduled event created [DHIS2-17335] (…

…#19457)

* fix: Validate search scope when scheduled event created [DHIS2-17335]

* fix: Remove unused method & test [DHIS2-17335]

* fix: Add PR suggestions [DHIS2-17335]

dhis-2/dhis-services/dhis-service-tracker/src/main/java/org/hisp/dhis/tracker/imports/validation/validator/event/SecurityOwnershipValidator.java

@@ -66,9 +66,6 @@
 @Slf4j
 class SecurityOwnershipValidator implements Validator<org.hisp.dhis.tracker.imports.domain.Event> {
 
-  private static final String ORG_UNIT_NO_USER_ASSIGNED =
-      "Event {} has no organisation unit assigned, so we skip user validation";
-
   @Nonnull private final AclService aclService;
   @Nonnull private final TrackerOwnershipManager ownershipAccessManager;
 
@@ -93,10 +90,15 @@ public void validate(
       organisationUnit = bundle.getPreheat().getOrganisationUnit(event.getOrgUnit());
     }
 
-    // If event is newly created, or going to be deleted, capture scope
-    // has to be checked
     if (program.isWithoutRegistration() || strategy.isCreate() || strategy.isDelete()) {
-      checkOrgUnitInCaptureScope(reporter, event, organisationUnit, bundle.getUser());
+      checkEventOrgUnitWriteAccess(
+          reporter,
+          event,
+          organisationUnit,
+          strategy.isCreate()
+              ? event.isCreatableInSearchScope()
+              : preheatEvent.isCreatableInSearchScope(),
+          bundle.getUser());
     }
 
     UID teUid = getTeUidFromEvent(bundle, event, program);
@@ -228,13 +230,6 @@ public boolean needsToRun(TrackerImportStrategy strategy) {
     return true;
   }
 
-  private void checkOrgUnitInCaptureScope(
-      Reporter reporter, TrackerDto dto, OrganisationUnit orgUnit, UserDetails user) {
-    if (!user.isInUserHierarchy(orgUnit.getPath())) {
-      reporter.addError(dto, ValidationCode.E1000, user, orgUnit);
-    }
-  }
-
   private void checkTeTypeAndTeProgramAccess(
       Reporter reporter,
       TrackerDto dto,

dhis-2/dhis-test-integration/src/test/java/org/hisp/dhis/tracker/imports/validation/EventSecurityImportValidationTest.java

@@ -27,6 +27,7 @@
  */
 package org.hisp.dhis.tracker.imports.validation;
 
+import static org.hisp.dhis.tracker.Assertions.assertHasError;
 import static org.hisp.dhis.tracker.Assertions.assertHasOnlyErrors;
 import static org.hisp.dhis.tracker.Assertions.assertNoErrors;
 import static org.hisp.dhis.tracker.imports.validation.Users.USER_3;
@@ -37,6 +38,7 @@
 import java.util.Calendar;
 import java.util.Date;
 import java.util.HashSet;
+import java.util.Set;
 import org.hisp.dhis.common.IdentifiableObjectManager;
 import org.hisp.dhis.common.ValueType;
 import org.hisp.dhis.dataelement.DataElement;
@@ -207,15 +209,11 @@ void setUp() throws IOException {
     trackedEntityProgramOwnerService.updateTrackedEntityProgramOwner(
         maleA, programA, organisationUnitA);
     manager.update(programA);
-    User user = userService.getUser(USER_5);
     OrganisationUnit qfUVllTs6cS = organisationUnitService.getOrganisationUnit("QfUVllTs6cS");
-    user.addOrganisationUnit(qfUVllTs6cS);
-    user.addOrganisationUnit(organisationUnitA);
     importUser.addOrganisationUnit(organisationUnitA);
     Program p = programService.getProgram("prabcdefghA");
     p.addOrganisationUnit(qfUVllTs6cS);
     programService.updateProgram(p);
-    manager.update(user);
     manager.update(importUser);
   }
 
@@ -269,4 +267,32 @@ void testNoUncompleteEventAuth() throws IOException {
     importReport = trackerImportService.importTracker(params, trackerObjects);
     assertHasOnlyErrors(importReport, ValidationCode.E1083);
   }
+
+  @Test
+  void shouldSucceedWhenCreatingScheduledEventFromInsideSearchOrgUnit() throws IOException {
+    TrackerObjects trackerObjects =
+        fromJson("tracker/validations/events-scheduled-with-registration.json");
+    TrackerImportParams params = TrackerImportParams.builder().build();
+    params.setImportStrategy(TrackerImportStrategy.CREATE);
+    OrganisationUnit orgUnit = organisationUnitService.getOrganisationUnit("QfUVllTs6cS");
+    User user = userService.getUser(USER_5);
+    user.setTeiSearchOrganisationUnits(Set.of(orgUnit));
+    manager.update(user);
+    injectSecurityContextUser(user);
+    ImportReport importReport = trackerImportService.importTracker(params, trackerObjects);
+
+    assertNoErrors(importReport);
+  }
+
+  @Test
+  void shouldFailWhenCreatingScheduledEventFromOutsideSearchOrgUnit() throws IOException {
+    TrackerObjects trackerObjects =
+        fromJson("tracker/validations/events-scheduled-with-registration.json");
+    TrackerImportParams params = TrackerImportParams.builder().build();
+    params.setImportStrategy(TrackerImportStrategy.CREATE);
+    injectSecurityContextUser(userService.getUser(USER_5));
+    ImportReport importReport = trackerImportService.importTracker(params, trackerObjects);
+
+    assertHasError(importReport, ValidationCode.E1000);
+  }
 }

dhis-2/dhis-test-integration/src/test/resources/tracker/validations/events-scheduled-with-registration.json

@@ -0,0 +1,29 @@
+{
+    "events": [
+    {
+      "event": "ZwwuwNp6gVd",
+      "status": "SCHEDULE",
+      "program": {
+        "idScheme": "UID",
+        "identifier": "E8o1E9tAppy"
+      },
+      "programStage": {
+        "idScheme": "UID",
+        "identifier": "Qmqxq907VNz"
+      },
+      "enrollment": "MNWZ6hnuhSw",
+      "orgUnit": {
+        "idScheme": "UID",
+        "identifier": "QfUVllTs6cS"
+      },
+      "orgUnitName": "TA org_unit lvl2",
+      "scheduledAt": "2019-08-19T13:59:13.688",
+      "storedBy": "admin",
+      "deleted": false,
+      "attributeOptionCombo": {
+        "idScheme": "UID",
+        "identifier": "HllvX50cXC0"
+      }
+    }
+  ]
+}