UPD: add another check for the certprofile.

[gigi.git] / src / org / cacert / gigi / dbObjects / Certificate.java

diff --git a/src/org/cacert/gigi/dbObjects/Certificate.java b/src/org/cacert/gigi/dbObjects/Certificate.java
index 991310adb44dace46da3887d109bfb50e49d5b82..0c63c2cdee088add0a37f51154cd01a41863d76d 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/Certificate.java
+++ b/src/org/cacert/gigi/dbObjects/Certificate.java
@@ -128,7 +128,10 @@ public class Certificate {
 
     private CertificateProfile profile;
 
-    public Certificate(User owner, String dn, String md, String csr, CSRType csrType, CertificateProfile profile, SubjectAlternateName... sans) {
+    public Certificate(User owner, String dn, String md, String csr, CSRType csrType, CertificateProfile profile, SubjectAlternateName... sans) throws GigiApiException {
+        if ( !owner.canIssue(profile)) {
+            throw new GigiApiException("You are not allowed to issue these certificates.");
+        }
         this.owner = owner;
         this.dn = dn;
         this.md = md;