@RequestMapping("/roleeditsubmit")
 public ModelAndView roleEditSubmit(
     @RequestParam("role") String role, @RequestParam("id") Long userId) {
   SecurityContext.assertUserHasPrivilege(Privilege.MANAGE_USERS);
   User user = userRepository.find(userId);
   user.setRole(Role.valueOf(role));
   return createModelAndView(user);
 }
 @RequestMapping("/privilegeeditsubmit")
 public ModelAndView privilegeEditSubmit(@RequestParam Map<String, String> params) {
   SecurityContext.assertUserHasPrivilege(Privilege.MANAGE_USERS);
   User user = getRequiredEntity(Long.parseLong(params.get("id")));
   // ModelAndView mv = new ModelAndView("redirect:user", "username", user.getUserName());
   ModelAndView mv = new ModelAndView("redirect:/user/" + user.getUserName());
   params.remove("id");
   user.getPrivileges().clear();
   for (Map.Entry<String, String> entry : params.entrySet()) {
     try {
       user.getPrivileges().add(Privilege.valueOf(entry.getKey()));
     } catch (Exception e) {
       throw new IllegalArgumentException("parameters should only contains Id and privileges");
     }
   }
   // em.merge(user); Not needed (we did not modify the user, we changed the .privilege
   // collection). Save will happen with dirty checking.
   return mv;
 }