Applying "Community Admin XMLUI: Delegated Admins Patch" (DS-228). This adds delegated Admin capabilities and specifically a Community Administrator role. See Jira issue DS-228 for more specific details, including documentation on the permissions of a System Admin vs. Community Admin vs. Collection Admin. [WARNING:] This patch adds a database_schema_15-16.sql (as it requires a new "admin" column on the 'collection' table). This patch also currently only fully works for the XMLUI (but should not break anything with JSPUI) - Andrea Bollini is working on porting it over to JSPUI.

git-svn-id: http://scm.dspace.org/svn/repo/dspace/trunk@3980 9c30dcfa-912a-0410-8fc2-9e0234be79fd
2025-10-12 04:23:13 +00:00 · 2009-06-26 17:07:25 +00:00
parent fd2be53602
commit 1c7affd37a
16 changed files with 939 additions and 56 deletions
--- a/dspace-api/src/main/java/org/dspace/authorize/AuthorizeManager.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/AuthorizeManager.java
@@ -39,10 +39,14 @@ package org.dspace.authorize;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import org.dspace.content.Bitstream;
 import org.dspace.content.Bundle;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
 import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
@@ -279,9 +283,9 @@ public class AuthorizeManager
        {
            userid = e.getID();
-            // perform isadmin check since user
+            // perform isAdmin check to see
-            // is user part of admin group?
+            // if user is an Admin on this object
-            if (isAdmin(c))
+            if (isAdmin(c,o))
            {
                return true;
            }
@@ -315,8 +319,205 @@ public class AuthorizeManager
    // admin check methods
    ///////////////////////////////////////////////
 	/**
-     * Check to see if the current user is an admin. Always return
+     * Check to see if the current user is an Administrator of a given
     * object within DSpace. Always return <code>true</code> if the
     * user is a System Admin
     *
     * @param c
     *            current context
     * @param o
     *            current DSpace Object
     *
     * @return <code>true</code> if user has administrative privileges
     *        on the given DSpace object
     */
    public static boolean isAdmin(Context c, DSpaceObject o) throws SQLException {
 		if (isAdmin(c))
 		{
 			return true;
 		}
        //
        // First, check all Resource Policies directly on this object
        //
 		List<ResourcePolicy> policies = getPoliciesActionFilter(c, o, Constants.ADMIN);
        int userid = c.getCurrentUser().getID();
        for (ResourcePolicy rp : policies)
        {
            // check policies for date validity
            if (rp.isDateValid())
            {
                if ((rp.getEPersonID() != -1) && (rp.getEPersonID() == userid))
                {
                    return true; // match
                }
                if ((rp.getGroupID() != -1)
                        && (Group.isMember(c, rp.getGroupID())))
                {
                    // group was set, and eperson is a member
                    // of that group
                    return true;
                }
            }
        }
 		//
        // If user doesn't have specific Admin permissions on this object,
        // check the *parent* objects of this object.  This allows Admin
        // permissions to be inherited automatically (e.g. Admin on Community
        // is also an Admin of all Collections/Items in that Community)
 		switch (o.getType()) {
 			case Constants.BITSTREAM:
 			{
 				Bitstream bitstream = (Bitstream) o;
 				Bundle[] bundles = bitstream.getBundles();
 				if (bundles != null && (bundles.length > 0 && bundles[0] != null))
 				{
 					return isAdmin(c,bundles[0]);
 				}
 				else
 				{
 					// is the bitstream a logo for a community or a collection?
 					TableRow qResult = DatabaseManager.querySingle(c,
 						       "SELECT collection_id FROM collection " +
 						       "WHERE logo_bitstream_id = ?",o.getID());
 					if (qResult != null) 
 					{
 						Collection collection = Collection.find(c,qResult.getIntColumn("collection_id"));
 						return isAdmin(c,collection);
 					}
 					else
 					{   
 						// is the group releated to a community?
 						qResult = DatabaseManager.querySingle(c,
 								"SELECT community_id FROM community " +
 								"WHERE logo_bitstream_id = ?",o.getID());
 						if (qResult != null)
 						{
 							Community community = Community.find(c,qResult.getIntColumn("community_id"));
 							return isAdmin(c,community);
 						}
 						else
 						{
 							return false;
 						}
 					}									
 				}
 			}
 			case Constants.BUNDLE:
 			{
                Bundle bundle = (Bundle) o;
 				Item[] items = bundle.getItems();
 				if (items != null && (items.length > 0 && items[0] != null))
 				{
 					return isAdmin(c,items[0]);
 				}
 				else
 				{
 					return false;
 				}
 			}
 			case Constants.ITEM:
 			{
 				Item item = (Item) o;
 				Collection ownCollection = item.getOwningCollection();
 				if (ownCollection != null)
 				{
 					return isAdmin(c,ownCollection);
 				}
 				else
 				{
 					// is a template item?
 					TableRow qResult = DatabaseManager.querySingle(c,
 						       "SELECT collection_id FROM collection " +
 						       "WHERE template_item_id = ?",o.getID());
 					if (qResult != null) 
 					{
 						Collection collection = Collection.find(c,qResult.getIntColumn("collection_id"));
 						return isAdmin(c,collection);
 					}					
 					return false;
 				}
 			}
 			case Constants.COLLECTION:
 			{			
 				Collection collection = (Collection) o;
 				Community[] communities = collection.getCommunities();
 				if (communities != null && (communities.length > 0 && communities[0] != null))
 				{
 					return isAdmin(c,communities[0]);
 				}
 				else
 				{
 					return false;
 				}			
 			}
 			case Constants.COMMUNITY:
 			{			
 				Community community = (Community) o;
 				Community pCommunity = community.getParentCommunity();
 				if (pCommunity != null)
 				{
 					return isAdmin(c,pCommunity);
 				}
 				else
 				{
 					return false;
 				}			
 			}
 			case Constants.GROUP:
 			{
 				// is the group releated to a collection?
 				TableRow qResult = DatabaseManager.querySingle(c,
 								       "SELECT collection_id FROM collection " +
 								       "WHERE workflow_step_1 = ? OR " +
 								       		" workflow_step_2 = ? OR " +
 								       		" workflow_step_3 = ? OR " +
 								       		" submitter =  ? OR " +
 								       		" admin = ?",o.getID(),o.getID(),o.getID(),o.getID(),o.getID());
 				if (qResult != null) 
 				{
 					Collection collection = Collection.find(c,qResult.getIntColumn("collection_id"));
 					return isAdmin(c,collection);
 				}
 				else
 				{   // is the group releated to a community?
 					qResult = DatabaseManager.querySingle(c,
 						       "SELECT community_id FROM community " +
 						       "WHERE admin = ?",o.getID());
 					if (qResult != null)
 					{
 						Community community = Community.find(c,qResult.getIntColumn("community_id"));
 						return isAdmin(c,community);
 					}
 					else
 					{
 						return false;
 					}
 				}
 			}
 		}
 		return false;
 	}
    /**
     * Check to see if the current user is a System Admin. Always return
     * <code>true</code> if c.ignoreAuthorization is set. Anonymous users
     * can't be Admins (EPerson set to NULL)
     * 
@@ -567,7 +768,16 @@ public class AuthorizeManager
        // find all policies for the source object
        List<ResourcePolicy> policies = getPolicies(c, src);
-        addPolicies(c, policies, dest);
+        //Only inherit non-ADMIN policies (since ADMIN policies are automatically inherited)
        List<ResourcePolicy> nonAdminPolicies = new ArrayList<ResourcePolicy>();
        for (ResourcePolicy rp : policies)
        {
        	if (rp.getAction() != Constants.ADMIN)
        	{
        		nonAdminPolicies.add(rp);
            }
        }
        addPolicies(c, nonAdminPolicies, dest);
    }
    /**
--- a/dspace-api/src/main/java/org/dspace/content/Collection.java
+++ b/dspace-api/src/main/java/org/dspace/content/Collection.java
@@ -541,12 +541,16 @@ public class Collection extends DSpaceObject
    public Group createWorkflowGroup(int step) throws SQLException,
            AuthorizeException
    {
-        // Check authorisation
+        // Check authorisation - Must be an Admin to create Submitters Group
-        AuthorizeManager.authorizeAction(ourContext, this, Constants.WRITE);
+        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        if (workflowGroup[step - 1] == null)
        {
            //turn off authorization so that Collection Admins can create Collection Workflow Groups
            ourContext.turnOffAuthorisationSystem();
            Group g = Group.create(ourContext);
            ourContext.restoreAuthSystemState();
            g.setName("COLLECTION_" + getID() + "_WORKFLOW_STEP_" + step);
            g.update();
            setWorkflowGroup(step, g);
@@ -609,12 +613,16 @@ public class Collection extends DSpaceObject
     */
    public Group createSubmitters() throws SQLException, AuthorizeException
    {
-        // Check authorisation
+        // Check authorisation - Must be an Admin to create Submitters Group
-        AuthorizeManager.authorizeAction(ourContext, this, Constants.WRITE);
+        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        if (submitters == null)
        {
            //turn off authorization so that Collection Admins can create Collection Submitters
            ourContext.turnOffAuthorisationSystem();
            submitters = Group.create(ourContext);
            ourContext.restoreAuthSystemState();
            submitters.setName("COLLECTION_" + getID() + "_SUBMIT");
            submitters.update();
        }
@@ -636,8 +644,8 @@ public class Collection extends DSpaceObject
     */
    public void removeSubmitters() throws SQLException, AuthorizeException
    {
-    	// Check authorisation
+    	// Check authorisation - Must be an Admin to delete Submitters Group
-        AuthorizeManager.authorizeAction(ourContext, this, Constants.WRITE);
+        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        // just return if there is no administrative group.
        if (submitters == null)
@@ -678,18 +686,22 @@ public class Collection extends DSpaceObject
     */
    public Group createAdministrators() throws SQLException, AuthorizeException
    {
-        // Check authorisation
+        // Check authorisation - Must be an Admin to create more Admins
-        AuthorizeManager.authorizeAction(ourContext, this, Constants.WRITE);
+        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        if (admins == null)
        {
            //turn off authorization so that Community Admins can create Collection Admins
            ourContext.turnOffAuthorisationSystem();
            admins = Group.create(ourContext);
            ourContext.restoreAuthSystemState();
            admins.setName("COLLECTION_" + getID() + "_ADMIN");
            admins.update();
        }
        AuthorizeManager.addPolicy(ourContext, this,
-                Constants.COLLECTION_ADMIN, admins);
+                Constants.ADMIN, admins);
        // register this as the admin group
        collectionRow.setColumn("admin", admins.getID());
@@ -713,8 +725,8 @@ public class Collection extends DSpaceObject
     */
    public void removeAdministrators() throws SQLException, AuthorizeException
    {
-    	// Check authorisation
+        // Check authorisation - Must be an Admin to delete Admin Group
-        AuthorizeManager.authorizeAction(ourContext, this, Constants.WRITE);
+        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        // just return if there is no administrative group.
        if (admins == null)
@@ -1021,7 +1033,7 @@ public class Collection extends DSpaceObject
        }
        AuthorizeManager.authorizeAnyOf(ourContext, this, new int[] {
-                Constants.WRITE, Constants.COLLECTION_ADMIN });
+                Constants.WRITE, Constants.ADMIN });
    }
    /**
--- a/dspace-api/src/main/java/org/dspace/content/Community.java
+++ b/dspace-api/src/main/java/org/dspace/content/Community.java
@@ -94,6 +94,9 @@ public class Community extends DSpaceObject
    /** Flag set when metadata is modified, for events */
    private boolean modifiedMetadata;
    /** The default group of administrators */
    private Group admins;
    /**
     * Construct a community object from a database row.
     * 
@@ -125,6 +128,9 @@ public class Community extends DSpaceObject
        context.cache(this, row.getIntColumn("community_id"));
        modified = modifiedMetadata = false;
        admins = groupFromColumn("admin");
        clearDetails();
    }
@@ -507,6 +513,78 @@ public class Community extends DSpaceObject
        }
    }
    /**
     * Create a default administrators group if one does not already exist.
     * Returns either the newly created group or the previously existing one.
     * Note that other groups may also be administrators.
     * 
     * @return the default group of editors associated with this community
     * @throws SQLException
     * @throws AuthorizeException
     */
    public Group createAdministrators() throws SQLException, AuthorizeException
    {
        // Check authorisation - Must be an Admin to create more Admins
        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        if (admins == null)
        {
            //turn off authorization so that Community Admins can create Sub-Community Admins
            ourContext.turnOffAuthorisationSystem();
            admins = Group.create(ourContext);
            ourContext.restoreAuthSystemState();
            admins.setName("COMMUNITY_" + getID() + "_ADMIN");
            admins.update();
        }
        AuthorizeManager.addPolicy(ourContext, this, Constants.ADMIN, admins);
        // register this as the admin group
        communityRow.setColumn("admin", admins.getID());
        modified = true;
        return admins;
    }
    /**
     * Remove the administrators group, if no group has already been created 
     * then return without error. This will merely dereference the current 
     * administrators group from the community so that it may be deleted 
     * without violating database constraints.
     */
    public void removeAdministrators() throws SQLException, AuthorizeException
    {
        // Check authorisation - Must be an Admin to delete Admin group
        AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
        // just return if there is no administrative group.
        if (admins == null)
            return; 
        // Remove the link to the community table.
        communityRow.setColumnNull("admin");
        admins = null;
        modified = true;
    }
    /**
     * Get the default group of administrators, if there is one. Note that the
     * authorization system may allow others to be administrators for the
     * community.
     * <P>
     * The default group of administrators for community 100 is the one called
     * <code>community_100_admin</code>.
     * 
     * @return group of administrators, or <code>null</code> if there is no
     *         default group.
     */
    public Group getAdministrators()
    {
        return admins;
    }
    /**
     * Get the collections in this community. Throws an SQLException because
     * creating a community object won't load in all collections.
@@ -999,6 +1077,14 @@ public class Community extends DSpaceObject
        // Delete community row
        DatabaseManager.delete(ourContext, communityRow);
        // Remove administrators group - must happen after deleting community
        Group g = getAdministrators();
        if (g != null)
        {
            g.delete();
        }
    }
    /**
@@ -1021,6 +1107,25 @@ public class Community extends DSpaceObject
        return (getID() == ((Community) other).getID());
    }
    /**
     * Utility method for reading in a group from a group ID in a column. If the
     * column is null, null is returned.
     * 
     * @param col
     *            the column name to read
     * @return the group referred to by that column, or null
     * @throws SQLException
     */
    private Group groupFromColumn(String col) throws SQLException
    {
        if (communityRow.isColumnNull(col))
        {
            return null;
        }
        return Group.find(ourContext, communityRow.getIntColumn(col));
    }
    /**
     * return type found in Constants
     */
--- a/dspace-api/src/main/java/org/dspace/content/Item.java
+++ b/dspace-api/src/main/java/org/dspace/content/Item.java
@@ -1709,7 +1709,7 @@ public class Item extends DSpaceObject
        // Check permission. User either has to have REMOVE on owning collection
        // or be COLLECTION_EDITOR of owning collection
        if (AuthorizeManager.authorizeActionBoolean(ourContext,
-                getOwningCollection(), Constants.COLLECTION_ADMIN)
+                getOwningCollection(), Constants.ADMIN)
                || AuthorizeManager.authorizeActionBoolean(ourContext,
                        getOwningCollection(), Constants.REMOVE))
        {
@@ -2247,7 +2247,7 @@ public class Item extends DSpaceObject
        // is this person an COLLECTION_EDITOR for the owning collection?
        if (AuthorizeManager.authorizeActionBoolean(ourContext,
-                getOwningCollection(), Constants.COLLECTION_ADMIN))
+                getOwningCollection(), Constants.ADMIN))
        {
            return true;
        }
--- a/dspace-api/src/main/java/org/dspace/core/Constants.java
+++ b/dspace-api/src/main/java/org/dspace/core/Constants.java
@@ -148,11 +148,15 @@ public class Constants
    public static final int DEFAULT_ITEM_READ = 10;
    /**
-     * collection admin -- metadata, logo, item metadata, submitters, withdraw
+     * @deprecated As of DSpace 1.6, replaced by Constants.ADMIN
     * items, etc.
     */
    public static final int COLLECTION_ADMIN = 11;
    /**
     * Administrative actions - System Admin, Community Admin, Collection Admin
     */
    public static final int ADMIN = 11;
    /** Position of front page news item -- top box */
    public static final int NEWS_TOP = 0;
@@ -165,7 +169,7 @@ public class Constants
    public static final String[] actionText = { "READ", "WRITE",
            "OBSOLETE (DELETE)", "ADD", "REMOVE", "WORKFLOW_STEP_1",
            "WORKFLOW_STEP_2", "WORKFLOW_STEP_3", "WORKFLOW_ABORT",
-            "DEFAULT_BITSTREAM_READ", "DEFAULT_ITEM_READ", "COLLECTION_ADMIN" };
+            "DEFAULT_BITSTREAM_READ", "DEFAULT_ITEM_READ", "ADMIN" };
    /**
     * constants for the relevance array generating dynamicallis is simple: just
@@ -201,7 +205,7 @@ public class Constants
            0, // 8 - WORKFLOW_ABORT
            RCOLLECTION, // 9 - DEFAULT_BITSTREAM_READ
            RCOLLECTION, // 10 - DEFAULT_ITEM_READ
-            RCOLLECTION // 11 - COLLECTION_ADMIN
+            RBUNDLE | RITEM | RCOLLECTION | RCOMMUNITY // 11 - ADMIN
    };
    public static final String DEFAULT_ENCODING = "UTF-8";
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/FlowContainerUtils.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/FlowContainerUtils.java
@@ -706,7 +706,106 @@ public class FlowContainerUtils
 		return result;
 	}
 	/**
     * Look up the id of a group authorized for one of the given roles. If no group is currently 
     * authorized to perform this role then a new group will be created and assigned the role.
     * 
     * @param context The current DSpace context.
     * @param collectionID The collection id.
     * @param roleName ADMIN.
     * @return The id of the group associated with that particular role, or -1 if the role was not found.
     */
    public static int getCommunityRole(Context context, int communityID, String roleName) throws SQLException, AuthorizeException, IOException
    {
        Community community = Community.find(context, communityID);
        // Determine the group based upon which role we are looking for.
        Group role = null;
        if (ROLE_ADMIN.equals(roleName))
        {
            role = community.getAdministrators();
            if (role == null)
                role = community.createAdministrators();
        } 
        // In case we needed to create a group, save our changes
        community.update();
        context.commit();
        // If the role name was valid then role should be non null,
        if (role != null)
            return role.getID();
        return -1;
    }
 	/**
     * Delete one of a community's roles
     * 
     * @param context The current DSpace context.
     * @param communityID The community id.
     * @param roleName ADMIN.
     * @param groupID The id of the group associated with this role.
     * @return A process result's object.
     */
    public static FlowResult processDeleteCommunityRole(Context context, int communityID, String roleName, int groupID) throws SQLException, UIException, IOException, AuthorizeException
    {
        FlowResult result = new FlowResult();
        Community community = Community.find(context, communityID);
        Group role = Group.find(context, groupID);
        // First, unregister the role
        if (ROLE_ADMIN.equals(roleName))
        {
            community.removeAdministrators();
        }
        // Second, remove all authorizations for this role by searching for all policies that this 
        // group has on the collection and remove them otherwise the delete will fail because 
        // there are dependencies.
        @SuppressWarnings("unchecked") // the cast is correct
        List<ResourcePolicy> policies = AuthorizeManager.getPolicies(context, community);
        for (ResourcePolicy policy : policies)
        {
            if (policy.getGroupID() == groupID)
                policy.delete();
        }
        // Finally, delete the role's actual group.
        community.update();
        role.delete();
        context.commit();
        result.setContinue(true);
        result.setOutcome(true);
        result.setMessage(new Message("default","The role was successfully deleted."));
        return result;
    }
    /**
     * Delete a collection's template item (which is not a member of the collection).
     * 
     * @param context
     * @param collectionID
     * @return
     * @throws SQLException
     * @throws AuthorizeException
     * @throws IOException
     */
    public static FlowResult processDeleteTemplateItem(Context context, int collectionID) throws SQLException, AuthorizeException, IOException
    {
        FlowResult result = new FlowResult();
        Collection collection = Collection.find(context, collectionID);
        collection.removeTemplateItem();
        context.commit();
        result.setContinue(true);
        result.setOutcome(true);
        return result;
    }
 	/**
 	 * Check whether this metadata value is a proper XML fragment. If the value is not 
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/FlowGroupUtils.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/FlowGroupUtils.java
@@ -493,4 +493,87 @@ public class FlowGroupUtils {
    /**
     * The community prefix: all groups which are specific to
     * a community start with this.
     */
    private static final String COMMUNITY_PREFIX = "COMMUNITY_";
    /**
     * These are the possible community suffixes. All groups which are
     * specific to a collection will end with one of these. The collection
     * id should be between the prefix and the suffix.
     * 
     * Note: the order of these suffixes are important, see getCollectionRole()
     */
    private static final String[] COMMUNITY_SUFFIXES = {"_ADMIN"};
    /**
     * Extracts the community id that may be embedded in the given group name.
     * 
     * @param groupName - the name of a group (ie group.getName())
     * @return the integer community id or -1 if the group is not that of a community
     */
    public static int getCommunityId(String groupName)
    {
        if (groupName != null && groupName.startsWith(COMMUNITY_PREFIX))
        {
            for (String suffix : COMMUNITY_SUFFIXES)
            {
                if (groupName.endsWith(suffix))
                {
                    String idString = groupName.substring(COMMUNITY_PREFIX.length());
                    idString = idString.substring(0, idString.length() - suffix.length());
                    int communityID = -1;
                    try {
                        communityID = Integer.valueOf(idString); 
                        return communityID;
 }
                    catch (NumberFormatException nfe)
                    {}
                } // if it ends with a proper suffix.
            } // for each possible suffix
        } // if it starts with COLLECTION_
        return -1;
    }
    public static Role getCommunityRole(String groupName)
    {
        if (groupName != null && groupName.startsWith(COMMUNITY_PREFIX))
        {
            for (String suffix : COMMUNITY_SUFFIXES)
            {
                if (groupName.endsWith(suffix))
                {
                    if (COLLECTION_SUFFIXES[0].equals(suffix))
                        return Role.Submitters;
                    else if (COLLECTION_SUFFIXES[1].equals(suffix))
                        return Role.Administrators;
                    else if (COLLECTION_SUFFIXES[2].equals(suffix))
                        return Role.WorkflowStep1;
                    else if (COLLECTION_SUFFIXES[3].equals(suffix))
                        return Role.WorkflowStep1;
                    else if (COLLECTION_SUFFIXES[4].equals(suffix))
                        return Role.WorkflowStep2;
                    else if (COLLECTION_SUFFIXES[5].equals(suffix))
                        return Role.WorkflowStep2;
                    else if (COLLECTION_SUFFIXES[6].equals(suffix))
                        return Role.WorkflowStep3;
                    else if (COLLECTION_SUFFIXES[7].equals(suffix))
                        return Role.WorkflowStep3;
                    else if (COLLECTION_SUFFIXES[8].equals(suffix))
                        return Role.DefaultRead;
                } // if it ends with a proper suffix.
            } // for each possible suffix
        } // if it starts with COMMUNITY_
        return Role.none;
    }
 }
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/FlowItemUtils.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/FlowItemUtils.java
@@ -49,6 +49,7 @@ import org.apache.cocoon.servlet.multipart.Part;
 import org.dspace.app.xmlui.utils.UIException;
 import org.dspace.app.xmlui.wing.Message;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.authorize.AuthorizeManager;
 import org.dspace.content.Bitstream;
 import org.dspace.content.BitstreamFormat;
 import org.dspace.content.Bundle;
@@ -77,6 +78,8 @@ public class FlowItemUtils
 	private static final Message T_metadata_added = new Message("default","New metadata was added.");
 	private static final Message T_item_withdrawn = new Message("default","The item has been withdrawn.");
 	private static final Message T_item_reinstated = new Message("default","The item has been reinstated.");
    private static final Message T_item_moved = new Message("default","The item has been moved.");
    private static final Message T_item_move_destination_not_found = new Message("default","The selected destination collection could not be found.");
 	private static final Message T_bitstream_added = new Message("default","The new bitstream was successfully uploaded.");
 	private static final Message T_bitstream_failed = new Message("default","Error while uploading file.");
 	private static final Message T_bitstream_updated = new Message("default","The bitstream has been updated.");
@@ -320,6 +323,82 @@ public class FlowItemUtils
 	}
    /**
     * Move the specified item to another collection.
     *
     * @param context The DSpace context
     * @param itemID The id of the to-be-moved item.
     * @param collectionID The id of the destination collection.
     * @return A result object
     */
    public static FlowResult processMoveItem(Context context, int itemID, int collectionID) throws SQLException, AuthorizeException, IOException
    {
        FlowResult result = new FlowResult();
        result.setContinue(false);
        Item item = Item.find(context, itemID);
        if(AuthorizeManager.isAdmin(context, item))
        {
          //Add a policy giving this user *explicit* admin permissions on the item itself.
          //This ensures that the user will be able to call item.update() even if he/she
          // moves it to a Collection that he/she doesn't administer.
          AuthorizeManager.addPolicy(context, item, Constants.ADMIN, context.getCurrentUser());
          Collection destination = Collection.find(context, collectionID);
          if (destination == null)
          {
              result.setOutcome(false);
              result.setContinue(false);
              result.setMessage(T_item_move_destination_not_found);
              return result;
          }
          Collection owningCollection = item.getOwningCollection();
          if (destination.equals(owningCollection))
          {
              // nothing to do
              result.setOutcome(false);
              result.setContinue(false);
              return result;
          }
          // note: an item.move() method exists, but does not handle several cases:
          // - no preexisting owning collection (first arg is null)
          // - item already in collection, but not an owning collection
          //   (works, but puts item in collection twice)
          // Don't re-add the item to a collection it's already in.
          boolean alreadyInCollection = false;
          for (Collection collection : item.getCollections())
          {
              if (collection.equals(destination))
              {
                  alreadyInCollection = true;
                  break;
              }
          }
          // Remove item from its owning collection and add to the destination
          if (!alreadyInCollection)
              destination.addItem(item);
          if (owningCollection != null)
              owningCollection.removeItem(item);
          item.setOwningCollection(destination);
          item.update();
          context.commit();
          result.setOutcome(true);
          result.setContinue(true);
          result.setMessage(T_item_moved);
        }
        return result;
    }
 	/**
 	 * Permanently delete the specified item, this method assumes that
 	 * the action has been confirmed.
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/Navigation.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/Navigation.java
@@ -227,6 +227,8 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
            account.addItem().addXref(contextPath+"/admin/export", T_account_export);
        }
        //Check if a system administrator
        boolean isSystemAdmin = AuthorizeManager.isAdmin(this.context);
        // Context Administrative options
        DSpaceObject dso = HandleUtil.obtainHandle(objectModel);
@@ -238,6 +240,7 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
    		{
            	context.setHead(T_context_head);
            	context.addItem().addXref(contextPath+"/admin/item?itemID="+item.getID(), T_context_edit_item);
            	if (AuthorizeManager.isAdmin(this.context, dso))
                    context.addItem().addXref(contextPath+"/admin/export?itemID="+item.getID(), T_context_export_item );
    		}
    	}
@@ -247,11 +250,12 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
    		// can they admin this collection?
-            if (AuthorizeManager.authorizeActionBoolean(this.context, collection, Constants.COLLECTION_ADMIN))
+            if (AuthorizeManager.authorizeActionBoolean(this.context, collection, Constants.ADMIN))
            {
            	context.setHead(T_context_head);
            	context.addItemXref(contextPath+"/admin/collection?collectionID=" + collection.getID(), T_context_edit_collection);            	
            	context.addItemXref(contextPath+"/admin/mapper?collectionID="+collection.getID(), T_context_item_mapper); 
            	if (AuthorizeManager.isAdmin(this.context, dso))
                    context.addItem().addXref(contextPath+"/admin/export?collectionID="+collection.getID(), T_context_export_collection );
            }
    	}
@@ -264,6 +268,7 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
            {
            	context.setHead(T_context_head);
            	context.addItemXref(contextPath+"/admin/community?communityID=" + community.getID(), T_context_edit_community); 
            	if (AuthorizeManager.isAdmin(this.context, dso))
                    context.addItem().addXref(contextPath+"/admin/export?communityID="+community.getID(), T_context_export_community );
            }
@@ -274,8 +279,8 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
            	context.addItemXref(contextPath+"/admin/collection?createNew&communityID=" + community.getID(), T_context_create_collection);         	
            }
-            // Only administrators can create communities
+            // Only System & Community administrators can create sub-communities
-            if (AuthorizeManager.isAdmin(this.context))
+            if (isSystemAdmin || AuthorizeManager.authorizeActionBoolean(this.context, community, Constants.ADMIN))
            {
            	context.setHead(T_context_head);
            	context.addItemXref(contextPath+"/admin/community?createNew&communityID=" + community.getID(), T_context_create_subcommunity);  	
@@ -284,7 +289,8 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
    	if ("community-list".equals(this.sitemapURI))
    	{
-    		if (AuthorizeManager.isAdmin(this.context))
+            // Only System administrators can create top-level communities
    		if (isSystemAdmin)
            {
            	context.setHead(T_context_head);
    			context.addItemXref(contextPath+"/admin/community?createNew", T_context_create_community);    			
@@ -293,7 +299,7 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
        // System Administrator options!
-        if (AuthorizeManager.isAdmin(this.context))
+        if (isSystemAdmin)
        {
 	        admin.setHead(T_administrative_head);
@@ -339,7 +345,7 @@ public class Navigation extends AbstractDSpaceTransformer implements CacheablePr
    		// can they admin this collection?
-            if (AuthorizeManager.authorizeActionBoolean(this.context, collection, Constants.COLLECTION_ADMIN))
+            if (AuthorizeManager.authorizeActionBoolean(this.context, collection, Constants.ADMIN))
            {            	
            	context.addItemXref(contextPath+"/admin/collection?collectionID=" + collection.getID(), T_context_edit_collection);
            	context.addItemXref(contextPath+"/admin/mapper?collectionID="+collection.getID(), T_context_item_mapper);            	
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/EditItemBitstreamsForm.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/EditItemBitstreamsForm.java
@@ -233,7 +233,8 @@ public class EditItemBitstreamsForm extends AbstractDSpaceTransformer {
 		// PARA: actions
 		Para actions = main.addPara("editItemActionsP","editItemActionsP" );
-		if (AuthorizeManager.authorizeActionBoolean(context, item, Constants.REMOVE))
+        // Only System Administrators can delete bitstreams
 		if (AuthorizeManager.isAdmin(context))
 			actions.addButton("submit_delete").setValue(T_submit_delete);
 		else
 		{
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/EditItemMetadataForm.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/EditItemMetadataForm.java
@@ -61,6 +61,7 @@ import org.dspace.app.xmlui.wing.element.Select;
 import org.dspace.app.xmlui.wing.element.Table;
 import org.dspace.app.xmlui.wing.element.Text;
 import org.dspace.app.xmlui.wing.element.TextArea;
 import org.dspace.content.Collection;
 import org.dspace.content.DCValue;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataField;
@@ -81,6 +82,7 @@ public class EditItemMetadataForm extends AbstractDSpaceTransformer {
 	private static final Message T_submit_update = message("xmlui.general.update");
 	private static final Message T_submit_return = message("xmlui.general.return");
 	private static final Message T_item_trail = message("xmlui.administrative.item.general.item_trail");
    private static final Message T_template_head = message("xmlui.administrative.item.general.template_head");
 	private static final Message T_option_head = message("xmlui.administrative.item.general.option_head");
 	private static final Message T_option_status = message("xmlui.administrative.item.general.option_status");
 	private static final Message T_option_bitstreams = message("xmlui.administrative.item.general.option_bitstreams");
@@ -134,20 +136,39 @@ public class EditItemMetadataForm extends AbstractDSpaceTransformer {
 		Request request = ObjectModelHelper.getRequest(objectModel);
 		String previousFieldID = request.getParameter("field");
        // Metadata editing is the only type of editing available for a template item.
        boolean editingTemplateItem = false;
        int templateCollectionID = parameters.getParameterAsInteger("templateCollectionID",-1);
        Collection templateCollection = templateCollectionID == -1 ? null : Collection.find(context, templateCollectionID);
        if (templateCollection != null)
        {
            Item templateItem = templateCollection.getTemplateItem();
            if (templateItem != null && templateItem.getID() == itemID)
                editingTemplateItem = true;
        }
 		// DIVISION: main 
 		Division main = body.addInteractiveDivision("edit-item-status", contextPath+"/admin/item", Division.METHOD_POST,"primary administrative item");
 		if (editingTemplateItem)
        {
 		    main.setHead(T_template_head.parameterize(templateCollection.getName()));
 		} 
        else
        {
 		main.setHead(T_option_head);
 		}
 		// LIST: options
 		if (!editingTemplateItem)
        {
 		  List options = main.addList("options",List.TYPE_SIMPLE,"horizontal");
 		  options.addItem().addXref(baseURL+"&submit_status",T_option_status);
 		  options.addItem().addXref(baseURL+"&submit_bitstreams",T_option_bitstreams);
 		  options.addItem().addHighlight("bold").addXref(baseURL+"&submit_metadata",T_option_metadata);
 		  options.addItem().addXref(baseURL + "&view_item", T_option_view);
-
+		}
 		// LIST: add new metadata
 		List addForm = main.addList("addItemMetadata",List.TYPE_FORM);
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/EditItemStatusForm.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/EditItemStatusForm.java
@@ -86,14 +86,17 @@ public class EditItemStatusForm extends AbstractDSpaceTransformer {
 	private static final Message T_label_auth = message("xmlui.administrative.item.EditItemStatusForm.label_auth");
 	private static final Message T_label_withdraw = message("xmlui.administrative.item.EditItemStatusForm.label_withdraw");
 	private static final Message T_label_reinstate = message("xmlui.administrative.item.EditItemStatusForm.label_reinstate");
    private static final Message T_label_move = message("xmlui.administrative.item.EditItemStatusForm.label_move");
 	private static final Message T_label_delete = message("xmlui.administrative.item.EditItemStatusForm.label_delete");
 	private static final Message T_submit_authorizations = message("xmlui.administrative.item.EditItemStatusForm.submit_authorizations");
 	private static final Message T_submit_withdraw = message("xmlui.administrative.item.EditItemStatusForm.submit_withdraw");
 	private static final Message T_submit_reinstate = message("xmlui.administrative.item.EditItemStatusForm.submit_reinstate");
    private static final Message T_submit_move = message("xmlui.administrative.item.EditItemStatusForm.submit_move");
 	private static final Message T_submit_delete = message("xmlui.administrative.item.EditItemStatusForm.submit_delete");
 	private static final Message T_na = message("xmlui.administrative.item.EditItemStatusForm.na");
 	private static final Message T_sysadmins_only = message("xmlui.administrative.item.EditItemStatusForm.sysadmins_only");
 	private static final Message T_collectionadmins_only = message("xmlui.administrative.item.EditItemStatusForm.collection_admins_only");
 	public void addPageMeta(PageMeta pageMeta) throws WingException
@@ -172,14 +175,17 @@ public class EditItemStatusForm extends AbstractDSpaceTransformer {
 		if(!item.isWithdrawn())
 		{
 			itemInfo.addLabel(T_label_withdraw);
-			itemInfo.addItem().addButton("submit_withdraw").setValue(T_submit_withdraw);
+			addAdministratorOnlyButton(itemInfo.addItem(), "submit_withdraw", T_submit_withdraw);
 		}
 		else
 		{	
 			itemInfo.addLabel(T_label_reinstate);
-			itemInfo.addItem().addButton("submit_reinstate").setValue(T_submit_reinstate);
+			addAdministratorOnlyButton(itemInfo.addItem(), "submit_reinstate", T_submit_reinstate);
 		}
        itemInfo.addLabel(T_label_move);
        addCollectionAdminOnlyButton(itemInfo.addItem(), item.getOwningCollection(), "submit_move", T_submit_move);
 		itemInfo.addLabel(T_label_delete);
 		addAdministratorOnlyButton(itemInfo.addItem(), "submit_delete", T_submit_delete);
@@ -204,4 +210,18 @@ public class EditItemStatusForm extends AbstractDSpaceTransformer {
    	}
 	}
    private void addCollectionAdminOnlyButton(org.dspace.app.xmlui.wing.element.Item item, Collection collection, String buttonName, Message buttonLabel) throws WingException, SQLException
 	{
    	Button button = item.addButton(buttonName);
    	button.setValue(buttonLabel);
    	if (!AuthorizeManager.isAdmin(context, collection))
    	{
    		// Only admins can create or delete
    		button.setDisabled();
    		item.addHighlight("fade").addContent(T_collectionadmins_only);
    	}
 	}
 }
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/MoveItemForm.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/aspect/administrative/item/MoveItemForm.java
@@ -0,0 +1,147 @@
 /*
 * MoveItemForm.java
 *
 * Version: $Revision$
 *
 * Date: $Date$
 *
 * Copyright (c) 2002, Hewlett-Packard Company and Massachusetts
 * Institute of Technology.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * - Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the Hewlett-Packard Company nor the name of the
 * Massachusetts Institute of Technology nor the names of their
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */
 package org.dspace.app.xmlui.aspect.administrative.item;
 import java.sql.SQLException;
 import java.util.Arrays;
 import java.util.Comparator;
 import org.dspace.app.xmlui.cocoon.AbstractDSpaceTransformer;
 import org.dspace.app.xmlui.wing.Message;
 import org.dspace.app.xmlui.wing.WingException;
 import org.dspace.app.xmlui.wing.element.Body;
 import org.dspace.app.xmlui.wing.element.Button;
 import org.dspace.app.xmlui.wing.element.Division;
 import org.dspace.app.xmlui.wing.element.List;
 import org.dspace.app.xmlui.wing.element.PageMeta;
 import org.dspace.app.xmlui.wing.element.Row;
 import org.dspace.app.xmlui.wing.element.Select;
 import org.dspace.app.xmlui.wing.element.Table;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
 import org.dspace.content.DCValue;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
 import org.dspace.core.Constants;
 import org.dspace.handle.HandleManager;
 /**
 * This page displays collections to which the user can move an item.
 * 
 * @author Nicholas Riley
 */
 public class MoveItemForm extends AbstractDSpaceTransformer {
 	/** Language strings */
 	private static final Message T_dspace_home = message("xmlui.general.dspace_home");
 	private static final Message T_item_trail = message("xmlui.administrative.item.general.item_trail");
 	private static final Message T_submit_cancel = message("xmlui.general.cancel");
 	private static final Message T_title = message("xmlui.administrative.item.MoveItemForm.title");
 	private static final Message T_trail = message("xmlui.administrative.item.MoveItemForm.trail");
 	private static final Message T_head1 = message("xmlui.administrative.item.MoveItemForm.head1");
 	private static final Message T_collection = message("xmlui.administrative.item.MoveItemForm.collection");
 	private static final Message T_collection_help = message("xmlui.administrative.item.MoveItemForm.collection_help");
 	private static final Message T_collection_default = message("xmlui.administrative.item.MoveItemForm.collection_default");
 	private static final Message T_submit_move = message("xmlui.administrative.item.MoveItemForm.submit_move");
 	public void addPageMeta(PageMeta pageMeta) throws WingException
 	{
 		pageMeta.addMetadata("title").addContent(T_title);
 		pageMeta.addTrailLink(contextPath + "/", T_dspace_home);
 		pageMeta.addTrailLink(contextPath+"/admin/item", T_item_trail);
 		pageMeta.addTrail().addContent(T_trail);
 	}
 	public void addBody(Body body) throws WingException, SQLException 
 	{
        // Get our parameters and state
        int itemID = parameters.getParameterAsInteger("itemID",-1);
        Item item = Item.find(context, itemID);
        // DIVISION: Main
        Division main = body.addInteractiveDivision("move-item", contextPath+"/admin/item", Division.METHOD_POST, "primary administrative item");
        main.setHead(T_head1.parameterize(item.getHandle()));
        Collection[] collections = Collection.findAuthorized(context, null, Constants.ADD);
        List list = main.addList("select-collection", List.TYPE_FORM);
        Select select = list.addItem().addSelect("collectionID");
        select.setLabel(T_collection);
        select.setHelp(T_collection_help);
        Collection owningCollection = item.getOwningCollection();
        if (owningCollection == null) {
            select.addOption("",T_collection_default);
        }
        for (Collection collection : collections)
        {
            String name = collection.getMetadata("name");
            if (name.length() > 50)
                name = name.substring(0, 47) + "...";
            select.addOption(collection.equals(owningCollection), collection.getID(), name);
        }
        org.dspace.app.xmlui.wing.element.Item actions = list.addItem();
        actions.addButton("submit_move").setValue(T_submit_move);
 		actions.addButton("submit_cancel").setValue(T_submit_cancel);
 		main.addHidden("administrative-continue").setValue(knot.getId());
 	}
 	/**
 	 * Compare two metadata element's name so that they may be sorted.
 	 */
 	class DCValueComparator implements Comparator{
 		public int compare(Object arg0, Object arg1) {
 			final DCValue o1 = (DCValue)arg0;
 			final DCValue o2 = (DCValue)arg1;
 			final String s1 = o1.schema + o1.element + (o1.qualifier==null?"":("." + o1.qualifier));
 			final  String s2 = o2.schema + o2.element + (o2.qualifier==null?"":("." + o2.qualifier));
 			return s1.compareTo(s2);
 		}
 	}
 }
--- a/dspace-xmlui/dspace-xmlui-webapp/src/main/webapp/i18n/messages.xml
+++ b/dspace-xmlui/dspace-xmlui-webapp/src/main/webapp/i18n/messages.xml
@@ -783,6 +783,8 @@
 	<message key="xmlui.administrative.FlowItemUtils.metadata_added">New metadata was added.</message>
 	<message key="xmlui.administrative.FlowItemUtils.item_withdrawn">The item has been withdrawn.</message>
 	<message key="xmlui.administrative.FlowItemUtils.item_reinstated">The item has been reinstated.</message>
 	<message key="xmlui.administrative.FlowItemUtils.item_moved">The item has been moved.</message>
 	<message key="xmlui.administrative.FlowItemUtils.item_move_failed">The selected destination collection could not be found.</message>
 	<message key="xmlui.administrative.FlowItemUtils.bitstream_added">The new bitstream was successfully uploaded.</message>
 	<message key="xmlui.administrative.FlowItemUtils.bitstream_failed">Error while uploading file.</message>
 	<message key="xmlui.administrative.FlowItemUtils.bitstream_updated">The bitstream has been updated.</message>
@@ -931,7 +933,7 @@
 	<message key="xmlui.administrative.group.ManageGroupsMain.search_column2">ID</message>
 	<message key="xmlui.administrative.group.ManageGroupsMain.search_column3">Name</message>
 	<message key="xmlui.administrative.group.ManageGroupsMain.search_column4">Members</message>
-	<message key="xmlui.administrative.group.ManageGroupsMain.search_column5">Collection</message>
+	<message key="xmlui.administrative.group.ManageGroupsMain.search_column5">Community / Collection</message>
 	<message key="xmlui.administrative.group.ManageGroupsMain.collection_link">View</message>
 	<message key="xmlui.administrative.group.ManageGroupsMain.submit_delete">Delete groups</message>
 	<message key="xmlui.administrative.group.ManageGroupsMain.no_results">Your search found no results...</message>
@@ -949,8 +951,9 @@
 	<message key="xmlui.administrative.group.EditGroupForm.submit_add">Add</message>
 	<message key="xmlui.administrative.group.EditGroupForm.submit_remove">Remove</message>
 	<message key="xmlui.administrative.group.EditGroupForm.collection_para">This group is associated with collection: </message>
 	<message key="xmlui.administrative.group.EditGroupForm.community_para">This group is associated with community: </message>
 	<message key="xmlui.administrative.group.EditGroupForm.label_name">Change group name: </message>
-	<message key="xmlui.administrative.group.EditGroupForm.label_instructions">This group is associated with a specific collection and the name cannot be modified.</message>
+	<message key="xmlui.administrative.group.EditGroupForm.label_instructions">This group is associated with a specific collection or community and the name cannot be modified.</message>
 	<message key="xmlui.administrative.group.EditGroupForm.label_search">Search members to add: </message>
 	<message key="xmlui.administrative.group.EditGroupForm.submit_search_people">E-People...</message>
 	<message key="xmlui.administrative.group.EditGroupForm.submit_search_groups">Groups...</message>
@@ -1217,6 +1220,7 @@
 	<!-- general edit item messages -->
 	<message key="xmlui.administrative.item.general.item_trail">Items</message>
 	<message key="xmlui.administrative.item.general.template_head">Edit Template Item for Collection: {0}</message>
 	<message key="xmlui.administrative.item.general.option_head">Edit Item</message>
 	<message key="xmlui.administrative.item.general.option_status">Item Status</message>
 	<message key="xmlui.administrative.item.general.option_bitstreams">Item Bitstreams</message>
@@ -1262,6 +1266,15 @@
 	<message key="xmlui.administrative.item.ConfirmItemForm.submit_withdraw">Withdraw</message>
 	<message key="xmlui.administrative.item.ConfirmItemForm.submit_reinstate">Reinstate</message>
    <!-- org.dspace.app.xmlui.aspect.administrative.item.MoveItemForm -->
 	<message key="xmlui.administrative.item.MoveItemForm.title">Move</message>
 	<message key="xmlui.administrative.item.MoveItemForm.trail">Move</message>
 	<message key="xmlui.administrative.item.MoveItemForm.head1">Move item: {0}</message>
 	<message key="xmlui.administrative.item.MoveItemForm.collection">Collection</message>
 	<message key="xmlui.administrative.item.MoveItemForm.collection_help">Select the collection you wish to move this item to.</message>
 	<message key="xmlui.administrative.item.MoveItemForm.collection_default">Select a collection...</message>
 	<message key="xmlui.administrative.item.MoveItemForm.submit_move">Move</message>
 	<!-- org.dspace.app.xmlui.administrative.item.EditBitstreamForm -->
 	<message key="xmlui.administrative.item.EditBitstreamForm.title">Edit Bitstream</message>
 	<message key="xmlui.administrative.item.EditBitstreamForm.trail">Edit bitstream</message>
@@ -1294,7 +1307,7 @@
 	<message key="xmlui.administrative.item.EditItemBitstreamsForm.submit_add">Upload a new bitstream</message>
 	<message key="xmlui.administrative.item.EditItemBitstreamsForm.submit_delete">Delete bitstreams</message>
 	<message key="xmlui.administrative.item.EditItemBitstreamsForm.no_upload">You need the ADD &amp; WRITE privilege on the item and bundles to be able to upload new bitstreams.</message>
-	<message key="xmlui.administrative.item.EditItemBitstreamsForm.no_remove">You need the REMOVE privilege on the item and bundles to be able to delete bitstreams.</message>
+	<message key="xmlui.administrative.item.EditItemBitstreamsForm.no_remove">Only System Administrators can delete bitstreams / files.</message>
 	<!-- org.dspace.app.xmlui.administrative.item.EditItemMetadataForm -->
 	<message key="xmlui.administrative.item.EditItemMetadataForm.title">Item Metadata</message>
@@ -1314,22 +1327,26 @@
 	<!-- org.dspace.app.xmlui.administrative.item.EditItemStatusForm -->
 	<message key="xmlui.administrative.item.EditItemStatusForm.title">Item Status</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.trail">Item status</message>
-	<message key="xmlui.administrative.item.EditItemStatusForm.para1">Welcome to the item management page. From here you can withdraw, reinstate or delete the item. You may also update or add new metadata / bitstreams on the other tabs.</message>
+	<message key="xmlui.administrative.item.EditItemStatusForm.para1">Welcome to the item management page. From here you can withdraw, reinstate, move or delete the item. You may also update or add new metadata / bitstreams on the other tabs.</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_id">Item Internal ID</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_handle">Handle</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_modified">Last Modified</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_in">In Collections</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_page">Item Page</message>
-	<message key="xmlui.administrative.item.EditItemStatusForm.label_auth">Item's Authorizations</message>
+	<message key="xmlui.administrative.item.EditItemStatusForm.label_auth">Edit item's authorization policies</message>
-	<message key="xmlui.administrative.item.EditItemStatusForm.label_withdraw">Withdrawn item from the repository</message>
+	<message key="xmlui.administrative.item.EditItemStatusForm.label_withdraw">Withdraw item from the repository</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_reinstate">Reinstate item into the repository</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_move">Move item to another collection</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.label_delete">Completely expunge item</message>
-	<message key="xmlui.administrative.item.EditItemStatusForm.submit_authorizations">Edit Authorizations</message>
+	<message key="xmlui.administrative.item.EditItemStatusForm.submit_authorizations">Authorizations...</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.submit_withdraw">Withdraw...</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.submit_reinstate">Reinstate...</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.submit_move">Move...</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.submit_delete">Permanently delete</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.na">n/a</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.sysadmins_only">(system administrators only)</message>
 	<message key="xmlui.administrative.item.EditItemStatusForm.collection_admins_only">(collection administrators only)</message>
 	<!-- org.dspace.app.xmlui.administrative.item.ViewItem -->
 	<message key="xmlui.administrative.item.ViewItem.title">View Item</message>
@@ -1391,14 +1408,14 @@
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.no_role">none</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.create">Create...</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.restrict">Restrict...</message>
-	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_admins">Collection administrators decide who can submit items to the collection, withdraw items, edit item metadata (after submission), and add (map) existing items from other collections to this collection (subject to authorization for that collection).</message>
+	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_admins">Collection administrators decide who can submit items to the collection, edit item metadata (after submission), and add (map) existing items from other collections to this collection (subject to authorization for that collection).</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_wf_step1">The people responsible for this step are able to accept or reject incoming submissions. However, they are not able to edit the submission's metadata.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_wf_step2">The people responsible for this step are able to edit the metadata of incoming submissions, and then accept or reject them.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_wf_step3">The people responsible for this step are able to edit the metadata of incoming submissions, but will not be able to reject them.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_submitters">The E-People and Groups that have permission to submit new items to this collection.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.help_default_read">E-People and Groups that can read new items submitted to this collection. Changes to this role are not retroactive.  Existing items in the system will still be viewable by those who had read access at the time of their addition.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.default_read_custom">This collection uses custom default access settings. </message>
-	<message key="xmlui.administrative.collection.AssignCollectionRoles.default_read_anonymous">Default read for incoming items and bitsreams is currently set to Anonymous.</message>
+	<message key="xmlui.administrative.collection.AssignCollectionRoles.default_read_anonymous">Default read for incoming items and bitstreams is currently set to Anonymous.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.edit_authorization">Edit authorization policies directly.</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.role_name">Role</message>
 	<message key="xmlui.administrative.collection.AssignCollectionRoles.role_group">Associated group</message>
@@ -1425,7 +1442,7 @@
 	<message key="xmlui.administrative.collection.DeleteCollectionRoleConfirm.trail">Confirm</message>
 	<message key="xmlui.administrative.collection.DeleteCollectionRoleConfirm.main_head">Confirm deletion for role {0}</message>
 	<message key="xmlui.administrative.collection.DeleteCollectionRoleConfirm.main_para_read">Are you sure you want to delete this role? Deleting this group will give READ access to all users for all items submitted to this collection from now on. Please note that this change is not retroactive. Existing items in the system will still be restricted to the members defined by the role you are about to delete.</message>
-	<message key="xmlui.administrative.collection.DeleteCollectionRoleConfirm.main_para">Are you sure you want to delete this role? All changes and customizations made to the {0} group will be lost and wouuld have to be created anew.</message>
+	<message key="xmlui.administrative.collection.DeleteCollectionRoleConfirm.main_para">Are you sure you want to delete this role? All changes and customizations made to the {0} group will be lost and would have to be created anew.</message>
 	<!-- org.dspace.app.xmlui.administrative.collection.EditCollectionMetadataForm.java -->
 	<message key="xmlui.administrative.collection.EditCollectionMetadataForm.title">Edit Collection Metadata</message>
@@ -1454,6 +1471,27 @@
 	<message key="xmlui.administrative.collection.CreateCollectionForm.main_head">Enter Metadata for a New Collection of {0}</message>
 	<message key="xmlui.administrative.collection.CreateCollectionForm.submit_save">Create</message>
 	<!-- General tags for community management -->
 	<message key="xmlui.administrative.community.general.community_trail">Communities</message>
 	<message key="xmlui.administrative.community.general.options_metadata">Edit Metadata</message>
 	<message key="xmlui.administrative.community.general.options_roles">Assign Roles</message>
 	<!-- org.dspace.app.xmlui.administrative.community.AssignCommunityRoles.java -->
 	<message key="xmlui.administrative.community.AssignCommunityRoles.title">Edit Community Roles</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.trail">Roles</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.main_head">Edit Community: {0}</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.no_role">none</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.create">Create...</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.help_admins">Community administrators can create sub-communities or collections, and manage or assign management for those sub-communities or collections.  In addition, they decide who can submit items to any sub-collections, edit item metadata (after submission), and add (map) existing items from other collections (subject to authorization).</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.default_read_custom">This community uses custom default access settings. </message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.default_read_anonymous">Default read for incoming items and bitstreams is currently set to Anonymous.</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.edit_authorizations">Edit authorization policies directly.</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.role_name">Role</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.role_group">Associated group</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.role_buttons">  </message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.label_admins">Administrators</message>
 	<message key="xmlui.administrative.community.AssignCommunityRoles.sysadmins_only"><nobr>(system administrators only)</nobr></message>
 	<!-- org.dspace.app.xmlui.administrative.community.DeleteCommunityConfirm.java -->
 	<message key="xmlui.administrative.community.DeleteCommunityConfirm.title">Confirm Deletion</message>
 	<message key="xmlui.administrative.community.DeleteCommunityConfirm.trail">Confirm</message>
@@ -1464,6 +1502,12 @@
 	<message key="xmlui.administrative.community.DeleteCommunityConfirm.confirm_item3">The contents of those items</message>
 	<message key="xmlui.administrative.community.DeleteCommunityConfirm.confirm_item4">All associated authorization policies</message>
 	<!-- org.dspace.app.xmlui.administrative.community.DeleteCommunityRoleConfirm.java -->
 	<message key="xmlui.administrative.community.DeleteCommunityRoleConfirm.title">Confirm role deletion</message>
 	<message key="xmlui.administrative.community.DeleteCommunityRoleConfirm.trail">Confirm</message>
 	<message key="xmlui.administrative.community.DeleteCommunityRoleConfirm.main_head">Confirm deletion for role {0}</message>
 	<message key="xmlui.administrative.community.DeleteCommunityRoleConfirm.main_para">Are you sure you want to delete this role? All changes and customizations made to the {0} group will be lost and would have to be created anew.</message>
 	<!-- org.dspace.app.xmlui.administrative.community.EditCommunityMetadataForm.java -->
 	<message key="xmlui.administrative.community.EditCommunityMetadataForm.title">Edit Community Metadata</message>
 	<message key="xmlui.administrative.community.EditCommunityMetadataForm.trail">Metadata</message>
--- a/dspace/CHANGES
+++ b/dspace/CHANGES
@@ -36,6 +36,9 @@
 (Tim Donohue)
 - [DS-218] Cannot add/remove email subscriptions from Profile page in XMLUI
 (Tim Donohue / Andrea Bollini)
 - [DS-228] Community Admin XMLUI: Delegated Admins Patch
 (Ben Bosman)
 - [DS-226] confirmation page of edit profile has an invalid link
--- a/dspace/etc/database_schema_15-16.sql
+++ b/dspace/etc/database_schema_15-16.sql
@@ -0,0 +1,49 @@
 --
 -- database_schema_15-16.sql
 --
 -- Version: $$
 --
 -- Date:    $Date: 2009-04-23 22:26:59 -0500 (Thu, 23 Apr 2009) $
 --
 -- Copyright (c) 2002-2009, The DSpace Foundation.  All rights reserved.
 --
 -- Redistribution and use in source and binary forms, with or without
 -- modification, are permitted provided that the following conditions are
 -- met:
 --
 -- - Redistributions of source code must retain the above copyright
 -- notice, this list of conditions and the following disclaimer.
 --
 -- - Redistributions in binary form must reproduce the above copyright
 -- notice, this list of conditions and the following disclaimer in the
 -- documentation and/or other materials provided with the distribution.
 --
 -- - Neither the name of the DSpace Foundation nor the names of its
 -- contributors may be used to endorse or promote products derived from
 -- this software without specific prior written permission.
 --
 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 -- ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 -- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 -- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 -- HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 -- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 -- BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 -- OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 -- ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
 -- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 -- USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 -- DAMAGE.
 --
 -- SQL commands to upgrade the database schema of a live DSpace 1.5 or 1.5.x
 -- to the DSpace 1.6 database schema
 --
 -- DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST.
 -- DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST.
 -- DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST. DUMP YOUR DATABASE FIRST.
 ------------------------------------------------------------------
 -- New Column for Community Admin - Delegated Admin patch (DS-228)
 ------------------------------------------------------------------
 ALTER TABLE community ADD admin INTEGER REFERENCES epersongroup ( eperson_group_id );