fix: Validate search scope when scheduled event [DHIS2-17335][2.40] (#…

…19459)

dhis-2/dhis-services/dhis-service-tracker/src/main/java/org/hisp/dhis/tracker/validation/validator/event/SecurityOwnershipValidator.java

@@ -111,13 +111,18 @@ public void validate(Reporter reporter, TrackerBundle bundle, Event event) {
       organisationUnit = bundle.getPreheat().getOrganisationUnit(event.getOrgUnit());
     }
 
-    // If event is newly created, or going to be deleted, capture scope
-    // has to be checked
     if (program.isWithoutRegistration() || strategy.isCreate() || strategy.isDelete()) {
       if (organisationUnit == null) {
         log.warn(ORG_UNIT_NO_USER_ASSIGNED, event.getEvent());
       } else {
-        checkOrgUnitInCaptureScope(reporter, bundle, event, organisationUnit);
+        checkEventOrgUnitWriteAccess(
+            reporter,
+            event,
+            organisationUnit,
+            strategy.isCreate()
+                ? event.isCreatableInSearchScope()
+                : bundle.getPreheat().getEvent(event.getUid()).isCreatableInSearchScope(),
+            bundle.getUser());
       }
     }
     String teUid = getTeUidFromEvent(bundle, event, program);
@@ -253,18 +258,6 @@ public boolean needsToRun(TrackerImportStrategy strategy) {
     return true;
   }
 
-  private void checkOrgUnitInCaptureScope(
-      Reporter reporter, TrackerBundle bundle, TrackerDto dto, OrganisationUnit orgUnit) {
-    User user = bundle.getUser();
-
-    checkNotNull(user, USER_CANT_BE_NULL);
-    checkNotNull(orgUnit, ORGANISATION_UNIT_CANT_BE_NULL);
-
-    if (!organisationUnitService.isInUserHierarchyCached(user, orgUnit)) {
-      reporter.addError(dto, ValidationCode.E1000, user, orgUnit);
-    }
-  }
-
   private void checkTeiTypeAndTeiProgramAccess(
       Reporter reporter,
       TrackerDto dto,

dhis-2/dhis-test-integration/src/test/java/org/hisp/dhis/tracker/validation/EventSecurityImportValidationTest.java

@@ -27,6 +27,7 @@
  */
 package org.hisp.dhis.tracker.validation;
 
+import static org.hisp.dhis.tracker.Assertions.assertHasError;
 import static org.hisp.dhis.tracker.Assertions.assertHasOnlyErrors;
 import static org.hisp.dhis.tracker.Assertions.assertNoErrors;
 import static org.hisp.dhis.tracker.validation.Users.USER_3;
@@ -37,6 +38,7 @@
 import java.util.Calendar;
 import java.util.Date;
 import java.util.HashSet;
+import java.util.Set;
 import org.hisp.dhis.common.IdentifiableObjectManager;
 import org.hisp.dhis.common.ValueType;
 import org.hisp.dhis.dataelement.DataElement;
@@ -200,16 +202,12 @@ private void setupMetadata() {
     trackedEntityProgramOwnerService.updateTrackedEntityProgramOwner(
         maleA.getUid(), programA.getUid(), organisationUnitA.getUid());
     manager.update(programA);
-    User user = userService.getUser(USER_5);
     OrganisationUnit qfUVllTs6cS = organisationUnitService.getOrganisationUnit("QfUVllTs6cS");
-    user.addOrganisationUnit(qfUVllTs6cS);
-    user.addOrganisationUnit(organisationUnitA);
     User adminUser = userService.getUser(ADMIN_USER_UID);
     adminUser.addOrganisationUnit(organisationUnitA);
     Program p = programService.getProgram("prabcdefghA");
     p.addOrganisationUnit(qfUVllTs6cS);
     programService.updateProgram(p);
-    manager.update(user);
     manager.update(adminUser);
   }
 
@@ -258,4 +256,35 @@ void testNoUncompleteEventAuth() throws IOException {
     importReport = trackerImportService.importTracker(trackerBundleParams);
     assertHasOnlyErrors(importReport, ValidationCode.E1083);
   }
+
+  @Test
+  void shouldSucceedWhenCreatingScheduledEventFromInsideSearchOrgUnit() throws IOException {
+    TrackerImportParams trackerBundleParams =
+        fromJson("tracker/validations/events-scheduled-with-registration.json");
+    OrganisationUnit orgUnit = organisationUnitService.getOrganisationUnit("QfUVllTs6cS");
+    User user = userService.getUser(USER_5);
+    user.setTeiSearchOrganisationUnits(Set.of(orgUnit));
+    manager.update(user);
+    injectSecurityContext(user);
+    trackerBundleParams.setUser(user);
+
+    ImportReport importReport = trackerImportService.importTracker(trackerBundleParams);
+
+    assertNoErrors(importReport);
+  }
+
+  @Test
+  void shouldFailWhenCreatingScheduledEventFromOutsideSearchOrgUnit() throws IOException {
+    TrackerImportParams trackerBundleParams =
+        fromJson("tracker/validations/events-scheduled-with-registration.json");
+    TrackerImportParams params = TrackerImportParams.builder().build();
+    params.setImportStrategy(TrackerImportStrategy.CREATE);
+    User user = userService.getUser(USER_5);
+    injectSecurityContext(user);
+    trackerBundleParams.setUser(user);
+
+    ImportReport importReport = trackerImportService.importTracker(trackerBundleParams);
+
+    assertHasError(importReport, ValidationCode.E1000);
+  }
 }

dhis-2/dhis-test-integration/src/test/resources/tracker/validations/events-scheduled-with-registration.json

@@ -0,0 +1,29 @@
+{
+  "events": [
+    {
+      "event": "ZwwuwNp6gVd",
+      "status": "SCHEDULE",
+      "program": {
+        "idScheme": "UID",
+        "identifier": "E8o1E9tAppy"
+      },
+      "programStage": {
+        "idScheme": "UID",
+        "identifier": "Qmqxq907VNz"
+      },
+      "enrollment": "MNWZ6hnuhSw",
+      "orgUnit": {
+        "idScheme": "UID",
+        "identifier": "QfUVllTs6cS"
+      },
+      "orgUnitName": "TA org_unit lvl2",
+      "scheduledAt": "2019-08-19T13:59:13.688",
+      "storedBy": "admin",
+      "deleted": false,
+      "attributeOptionCombo": {
+        "idScheme": "UID",
+        "identifier": "HllvX50cXC0"
+      }
+    }
+  ]
+}