b81ac59 ca: correctly authorise ca-del, ca-enable and ca-disable

1 file Authored by ftweedal 7 years ago, Committed by jcholast 7 years ago,
    ca: correctly authorise ca-del, ca-enable and ca-disable
    
    CAs consist of a FreeIPA and a corresponding Dogtag object.  When
    executing ca-del, ca-enable and ca-disable, changes are made to the
    Dogtag object.  In the case of ca-del, the corresponding FreeIPA
    object is deleted after the Dogtag CA is deleted.
    
    These operations were not correctly authorised; the FreeIPA
    permissions are not checked before the Dogtag operations are
    executed.  This allows any user to delete, enable or disable a
    lightweight CA (except the main IPA CA, for which there are
    additional check to prevent deletion or disablement).
    
    Add the proper authorisation checks to the ca-del, ca-enable and
    ca-disable commands.
    
    https://pagure.io/freeipa/issue/6713
    
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    
        
file modified
+14 -2