Fix: only allow affiliating with org when user is assurer.

[gigi.git] / src / org / cacert / gigi / pages / orga / AffiliationForm.java

diff --git a/src/org/cacert/gigi/pages/orga/AffiliationForm.java b/src/org/cacert/gigi/pages/orga/AffiliationForm.java
index 0191756fcbfa82f4fdb04463408bb11a943d390b..ad988895b351d5c26e375813257ba881cbf5639c 100644 (file)
--- a/src/org/cacert/gigi/pages/orga/AffiliationForm.java
+++ b/src/org/cacert/gigi/pages/orga/AffiliationForm.java
@@ -39,7 +39,7 @@ public class AffiliationForm extends Form {
             }
         } else if (req.getParameter("do_affiliate") != null) {
             User byEmail = User.getByEmail(req.getParameter("email"));
-            if (byEmail != null) {
+            if (byEmail != null && byEmail.canAssure()) {
                 o.addAdmin(byEmail, LoginPage.getUser(req), req.getParameter("master") != null);
                 return true;
             }