#6427 cert-request: only check userCertificate write permission if write would be attempted
Opened 2 years ago by ftweedal. Modified 2 years ago

cert-request currently unconditionally checks that the operator has
write permission to the subject principal's `userCertificate` attribute. But if the profile has `ipaCertProfileStoreIssued=False` write would not
even be attempted. The permission check could (should) be skipped in
this case.

Furthermore, in future we might implement support for requesting certs
for subjects whose objects do not have a `userCertificate` attribute,
or for external subjects, so the permission check would also be predicated
on that.

As of 2016-10-24 no one has actually asked for this - it is just a shortcoming
that has been observed. See related discussion:
https://gist.github.com/frasertweedale/6093f2312d16b3958374cc15b55b4d63
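
The difference between the unconditional check and the conditional one described in this ticket, as an added sketch that is not FreeIPA code and not part of the original ticket. All names (`Profile`, `Subject`, `can_write`, `ACIError`, the `acl` set) are hypothetical stand-ins, and only the `userCertificate` write check is modelled; any other authorization applied to cert-request is out of scope here.

```python
from dataclasses import dataclass, field

class ACIError(Exception):
    """Operator lacks write permission (hypothetical name for this sketch)."""

@dataclass
class Profile:
    store_issued: bool               # models ipaCertProfileStoreIssued

@dataclass
class Subject:
    name: str
    has_usercert_attr: bool = True   # False: object has no userCertificate / external subject
    certs: list = field(default_factory=list)

def can_write(operator, subject, acl):
    # acl is a constructed set of (operator, subject name) pairs with write access
    return (operator, subject.name) in acl

def issue(subject):
    return f"CERT-FOR-{subject.name}"  # stand-in for the CA issuing the certificate

def cert_request_current(operator, subject, profile, acl):
    """Behaviour the ticket describes: the write check always runs."""
    if not can_write(operator, subject, acl):
        raise ACIError(f"{operator} may not write userCertificate of {subject.name}")
    cert = issue(subject)
    if profile.store_issued:
        subject.certs.append(cert)
    return cert

def cert_request_proposed(operator, subject, profile, acl):
    """Behaviour the ticket proposes: check only if a write would be attempted."""
    will_write = profile.store_issued and subject.has_usercert_attr
    if will_write and not can_write(operator, subject, acl):
        raise ACIError(f"{operator} may not write userCertificate of {subject.name}")
    cert = issue(subject)
    if will_write:                     # same predicate guards the check and the write
        subject.certs.append(cert)
    return cert

def denied(fn, *args):
    """Return True if fn(*args) is refused with ACIError."""
    try:
        fn(*args)
        return False
    except ACIError:
        return True
```

Deriving the check and the write from the same `will_write` value keeps the two from drifting apart, so a skipped check can never be followed by an unchecked write.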


Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

2 years ago
