From: Benny Baumann <BenBE1987@gmx.net>
Date: Thu, 25 Aug 2016 19:41:08 +0000 (+0200)
Subject: Merge "Fix typo and spelling"
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=9efe305311c7e9f78a41093d2e2e9c57bfd10c7b;hp=d309ba7485e0c84a33a806ffdcbc14ce36662703

Merge "Fix typo and spelling"
---

diff --git a/src/org/cacert/gigi/dbObjects/Group.java b/src/org/cacert/gigi/dbObjects/Group.java
index 13080efb..287187a2 100644
--- a/src/org/cacert/gigi/dbObjects/Group.java
+++ b/src/org/cacert/gigi/dbObjects/Group.java
@@ -6,18 +6,18 @@ import org.cacert.gigi.output.template.Outputable;
 import org.cacert.gigi.output.template.TranslateCommand;
 
 public enum Group {
-    SUPPORTER("supporter", "supporter", true, true), //
-    ARBITRATOR("arbitrator", "arbitrator", true, true), //
-    BLOCKEDASSURER("blockedassurer", "may not verify", true, false), //
-    BLOCKEDASSUREE("blockedassuree", "may not be verified", true, false), //
-    BLOCKEDLOGIN("blockedlogin", "may not login", true, false), //
-    BLOCKEDCERT("blockedcert", "may not issue certificates", true, false), //
-    TTP_ASSURER("ttp-assurer", "may verify via TTP", true, true), //
-    TTP_APPLICANT("ttp-applicant", "requests to be verified via ttp", true, false), //
-    CODESIGNING("codesigning", "may issue codesigning certificates", true, false), //
-    ORGASSURER("orgassurer", "may verify organisations", true, true), //
-    NUCLEUS_ASSURER("nucleus-assurer", "may enter nucleus verifications", true, true), //
-    LOCATE_AGENT("locate-agent", "wants access to the locate agent system", false, false);
+    SUPPORTER("supporter", "supporter", true, false, true), //
+    ARBITRATOR("arbitrator", "arbitrator", true, false, true), //
+    BLOCKEDASSURER("blockedassurer", "may not verify", true, false, false), //
+    BLOCKEDASSUREE("blockedassuree", "may not be verified", true, false, false), //
+    BLOCKEDLOGIN("blockedlogin", "may not login", true, false, false), //
+    BLOCKEDCERT("blockedcert", "may not issue certificates", true, false, false), //
+    TTP_ASSURER("ttp-assurer", "may verify via TTP", true, false, true), //
+    TTP_APPLICANT("ttp-applicant", "requests to be verified via ttp", false, true, false), //
+    CODESIGNING("codesigning", "may issue codesigning certificates", true, false, false), //
+    ORGASSURER("orgassurer", "may verify organisations", true, false, true), //
+    NUCLEUS_ASSURER("nucleus-assurer", "may enter nucleus verifications", true, false, true), //
+    LOCATE_AGENT("locate-agent", "wants access to the locate agent system", false, true, false);
 
     private final String dbName;
 
@@ -25,6 +25,8 @@ public enum Group {
 
     private final boolean managedBySupport;
 
+    private final boolean managedByUser;
+
     private final boolean isSelfViewable;
 
     /**
@@ -40,9 +42,16 @@ public enum Group {
      * @param isSelfViewable
      *            true iff user should be able to see others in the same group
      */
-    private Group(String name, String display, boolean managedBySupport, boolean isSelfViewable) {
+    private Group(String name, String display, boolean managedBySupport, boolean managedByUser, boolean isSelfViewable) {
         dbName = name;
         tc = new TranslateCommand(display);
+        if (managedByUser && managedBySupport) {
+            throw new IllegalArgumentException("We do not allow groups to be user and support managable.");
+        }
+        if (managedByUser && isSelfViewable) {
+            throw new IllegalArgumentException("We do not allow groups to be self-viewable and managable by user.");
+        }
+        this.managedByUser = managedByUser;
         this.managedBySupport = managedBySupport;
         this.isSelfViewable = isSelfViewable;
     }
@@ -55,6 +64,10 @@ public enum Group {
         return managedBySupport;
     }
 
+    public boolean isManagedByUser() {
+        return managedByUser;
+    }
+
     public boolean isSelfViewable() {
         return isSelfViewable;
     }
diff --git a/src/org/cacert/gigi/dbObjects/SupportNotificationMail.templ b/src/org/cacert/gigi/dbObjects/SupportNotificationMail.templ
index 42254b73..b6b857ee 100644
--- a/src/org/cacert/gigi/dbObjects/SupportNotificationMail.templ
+++ b/src/org/cacert/gigi/dbObjects/SupportNotificationMail.templ
@@ -1,9 +1,7 @@
-Subject: [<?=${ticket}?>] <?=${subject}?>
+Subject: [<?=$ticket?>] <?=$subject?>
 
 <?=_Hi?>,
 
 <?=_supporter ${supporter} triggered:?>
 
 <?=$action?>
-
-RA DB
diff --git a/src/org/cacert/gigi/dbObjects/SupportUserNotificationMail.templ b/src/org/cacert/gigi/dbObjects/SupportUserNotificationMail.templ
new file mode 100644
index 00000000..6b69f184
--- /dev/null
+++ b/src/org/cacert/gigi/dbObjects/SupportUserNotificationMail.templ
@@ -0,0 +1,7 @@
+Subject: [<?=$ticket?>] Support action: <?=$subject?>
+
+<?=_Hi?>,
+
+<?=_support triggered:?>
+
+<?=$action?>
diff --git a/src/org/cacert/gigi/dbObjects/SupportedUser.java b/src/org/cacert/gigi/dbObjects/SupportedUser.java
index a663215a..e5daeb31 100644
--- a/src/org/cacert/gigi/dbObjects/SupportedUser.java
+++ b/src/org/cacert/gigi/dbObjects/SupportedUser.java
@@ -10,6 +10,7 @@ import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.MailTemplate;
 import org.cacert.gigi.output.template.Outputable;
+import org.cacert.gigi.output.template.SprintfCommand;
 import org.cacert.gigi.util.DayDate;
 import org.cacert.gigi.util.ServerConstants;
 
@@ -53,6 +54,14 @@ public class SupportedUser {
         if (cert.getStatus() == CertificateStatus.ISSUED) {
             writeSELog("SE Revoke certificate");
             cert.revoke().waitFor(60000);
+            // send notification to support
+            String subject = "Revoke certificate";
+            Outputable message = SprintfCommand.createSimple("Certificate with serial number {0} for {1} <{2}>, has been revoked.", cert.getSerial(), target.getPreferredName().toString(), target.getEmail());
+            sendSupportNotification(subject, message);
+            // send notification to user
+            subject = "Revoke certificate";
+            message = SprintfCommand.createSimple("Certificate with serial number {0} with subject distinguished name {1} has been revoked.", cert.getSerial(), cert.getDistinguishedName());
+            sendSupportUserNotification(subject, message);
         }
     }
 
@@ -85,7 +94,7 @@ public class SupportedUser {
         return target;
     }
 
-    public void grant(Group toMod) {
+    public void grant(Group toMod) throws GigiApiException {
         target.grantGroup(supporter, toMod);
     }
 
@@ -109,4 +118,19 @@ public class SupportedUser {
             e.printStackTrace();
         }
     }
+
+    private static final MailTemplate supportUserNotification = new MailTemplate(SupportedUser.class.getResource("SupportUserNotificationMail.templ"));
+
+    public void sendSupportUserNotification(String subject, Outputable message) {
+        try {
+            HashMap<String, Object> vars = new HashMap<>();
+            vars.put("action", message);
+            vars.put("ticket", this.getTicket());
+            vars.put("subject", subject);
+
+            supportUserNotification.sendMail(Language.getInstance(Locale.ENGLISH), vars, target.getEmail());
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
 }
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index 3c9b972d..69b76ad2 100644
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -45,7 +45,7 @@ public class User extends CertificateOwner {
 
     private Locale locale;
 
-    private final Set<Group> groups = new HashSet<>();
+    private Set<Group> groups = new HashSet<>();
 
     public static final int MINIMUM_AGE = 16;
 
@@ -93,15 +93,21 @@ public class User extends CertificateOwner {
             locale = Language.getLocaleFromString(localeStr);
         }
 
+        refreshGroups();
+    }
+
+    public synchronized void refreshGroups() {
+        HashSet<Group> hs = new HashSet<>();
         try (GigiPreparedStatement psg = new GigiPreparedStatement("SELECT `permission` FROM `user_groups` WHERE `user`=? AND `deleted` is NULL")) {
-            psg.setInt(1, rs.getInt("id"));
+            psg.setInt(1, getId());
 
             try (GigiResultSet rs2 = psg.executeQuery()) {
                 while (rs2.next()) {
-                    groups.add(Group.getByString(rs2.getString(1)));
+                    hs.add(Group.getByString(rs2.getString(1)));
                 }
             }
         }
+        groups = hs;
     }
 
     public User(String email, String password, DayDate dob, Locale locale, Country residenceCountry, NamePart... preferred) throws GigiApiException {
@@ -438,7 +444,10 @@ public class User extends CertificateOwner {
         return Collections.unmodifiableSet(groups);
     }
 
-    public void grantGroup(User granter, Group toGrant) {
+    public void grantGroup(User granter, Group toGrant) throws GigiApiException {
+        if (toGrant.isManagedBySupport() && !granter.isInGroup(Group.SUPPORTER)) {
+            throw new GigiApiException("Group may only be managed by supporter");
+        }
         groups.add(toGrant);
         try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
             ps.setInt(1, getId());
diff --git a/src/org/cacert/gigi/output/GroupSelector.java b/src/org/cacert/gigi/output/GroupSelector.java
index 66236e16..49db7050 100644
--- a/src/org/cacert/gigi/output/GroupSelector.java
+++ b/src/org/cacert/gigi/output/GroupSelector.java
@@ -17,20 +17,22 @@ public class GroupSelector implements Outputable {
 
     private Group value = null;
 
-    private final boolean supportFlag;
+    private final boolean bySupporter;
 
-    public GroupSelector(String name, boolean supportFlag) {
+    public GroupSelector(String name, boolean bySupporter) {
         this.name = HTMLEncoder.encodeHTML(name);
-        this.supportFlag = supportFlag;
+        this.bySupporter = bySupporter;
     }
 
     public void update(HttpServletRequest r) throws GigiApiException {
         String vS = r.getParameter(name);
-        value = null;
-        for (Group g : Group.values()) {
-            if (g.getDatabaseName().equals(vS)) {
-                value = g;
-            }
+        if (vS == null) {
+            throw new GigiApiException("No value for group.");
+        }
+        try {
+            value = Group.getByString(vS);
+        } catch (IllegalArgumentException e) {
+            throw new GigiApiException("Invalid value for group.");
         }
     }
 
@@ -38,7 +40,7 @@ public class GroupSelector implements Outputable {
     public void output(PrintWriter out, Language l, Map<String, Object> vars) {
         out.println("<select name='" + name + "'>");
         for (Group g : Group.values()) {
-            if (supportFlag == g.isManagedBySupport()) {
+            if (mayManage(g)) {
                 out.print("<option value='" + g.getDatabaseName());
                 if (g.equals(value)) {
                     out.print(" selected");
@@ -51,6 +53,10 @@ public class GroupSelector implements Outputable {
         out.println("</select>");
     }
 
+    private boolean mayManage(Group g) {
+        return (bySupporter && g.isManagedBySupport()) || ( !bySupporter && g.isManagedByUser());
+    }
+
     public Group getGroup() {
         return value;
     }
diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index c206ad44..1c002e57 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -188,7 +188,7 @@ public class LoginPage extends Page {
         return uc;
     }
 
-    private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
+    private static final Group LOGIN_BLOCKED = Group.BLOCKEDLOGIN;
 
     private void loginSession(HttpServletRequest req, User user) {
         if (user.isInGroup(LOGIN_BLOCKED)) {
diff --git a/src/org/cacert/gigi/pages/admin/TTPAdminPage.java b/src/org/cacert/gigi/pages/admin/TTPAdminPage.java
index 8d9e4717..bf773cb4 100644
--- a/src/org/cacert/gigi/pages/admin/TTPAdminPage.java
+++ b/src/org/cacert/gigi/pages/admin/TTPAdminPage.java
@@ -22,7 +22,7 @@ public class TTPAdminPage extends Page {
 
     public static final String PATH = "/admin/ttp";
 
-    public static final Group TTP_APPLICANT = Group.getByString("ttp-applicant");
+    public static final Group TTP_APPLICANT = Group.TTP_APPLICANT;
 
     public TTPAdminPage() {
         super("TTP-Admin");
@@ -85,6 +85,6 @@ public class TTPAdminPage extends Page {
 
     @Override
     public boolean isPermitted(AuthorizationContext ac) {
-        return ac != null && ac.isInGroup(Group.getByString("ttp-assurer"));
+        return ac != null && ac.isInGroup(Group.TTP_ASSURER);
     }
 }
diff --git a/src/org/cacert/gigi/pages/admin/support/FindCertPage.java b/src/org/cacert/gigi/pages/admin/support/FindCertPage.java
index fb9d14f7..2e1f9134 100644
--- a/src/org/cacert/gigi/pages/admin/support/FindCertPage.java
+++ b/src/org/cacert/gigi/pages/admin/support/FindCertPage.java
@@ -39,7 +39,7 @@ public class FindCertPage extends Page {
         if (form.submitProtected(resp.getWriter(), req)) {
             final Certificate[] certs = form.getCerts();
             if (certs.length == 1) {
-                resp.sendRedirect(Certificates.SUPPORT_PATH + certs[0].getSerial() + "/");
+                resp.sendRedirect(Certificates.SUPPORT_PATH + "/" + certs[0].getSerial());
             } else {
                 HashMap<String, Object> vars = new HashMap<String, Object>();
                 Language l = LoginPage.getLanguage(req);
diff --git a/src/org/cacert/gigi/pages/admin/support/SupportRevokeCertificatesForm.java b/src/org/cacert/gigi/pages/admin/support/SupportRevokeCertificatesForm.java
index ff64c6f5..8c106dcb 100644
--- a/src/org/cacert/gigi/pages/admin/support/SupportRevokeCertificatesForm.java
+++ b/src/org/cacert/gigi/pages/admin/support/SupportRevokeCertificatesForm.java
@@ -13,12 +13,13 @@ import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
 import org.cacert.gigi.dbObjects.CertificateProfile;
 import org.cacert.gigi.dbObjects.SupportedUser;
+import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
 import org.cacert.gigi.output.template.IterableDataset;
 import org.cacert.gigi.output.template.Outputable;
+import org.cacert.gigi.output.template.SprintfCommand;
 import org.cacert.gigi.output.template.Template;
-import org.cacert.gigi.output.template.TranslateCommand;
 
 public class SupportRevokeCertificatesForm extends Form {
 
@@ -35,9 +36,15 @@ public class SupportRevokeCertificatesForm extends Form {
     public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
         if (user.getTicket() != null) {
             user.revokeAllCertificates();
+            User target = user.getTargetUser();
+            // send notification to support
             String subject = "Revoke certificates";
-            Outputable message = new TranslateCommand("All certificates in the account have been revoked.");
+            Outputable message = SprintfCommand.createSimple("All certificates in the account {0} <{1}> have been revoked.", target.getPreferredName().toString(), target.getEmail());
             user.sendSupportNotification(subject, message);
+            // send notification to user
+            subject = "Revoke certificate";
+            message = SprintfCommand.createSimple("All certificates in your account have been revoked.");
+            user.sendSupportUserNotification(subject, message);
             return true;
         }
         return false;
diff --git a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
index ccfb3cc7..57382036 100644
--- a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
+++ b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
@@ -48,18 +48,23 @@ public class SupportUserDetailsForm extends Form {
             throw new GigiApiException("More than one action requested!");
         }
         if (req.getParameter("addGroup") != null || req.getParameter("removeGroup") != null) {
-            String actionType = "granted";
             value.update(req);
             Group toMod = value.getGroup();
+            boolean grant;
             if (req.getParameter("addGroup") != null) {
+                grant = true;
                 user.grant(toMod);
             } else {
-                actionType = "revoked";
+                grant = false;
                 user.revoke(toMod);
             }
             String subject = "Change Group Permissions";
-            Outputable message = SprintfCommand.createSimple("The group permission {0} was {1}.", toMod.getDatabaseName(), actionType);
+            // send notification to support
+            Outputable message = SprintfCommand.createSimple(grant ? "The group permission '{0}' was granted." : "The group permission '{0}' was revoked.", toMod.getName());
             user.sendSupportNotification(subject, message);
+            // send notification to user
+            message = SprintfCommand.createSimple(grant ? "The group permission '{0}' was granted to your account." : "The group permission '{0}' was revoked from your account.", toMod.getName());
+            user.sendSupportUserNotification(subject, message);
             return true;
         }
         if (req.getParameter("resetPass") != null) {
@@ -81,9 +86,13 @@ public class SupportUserDetailsForm extends Form {
         }
         user.setDob(dobSelector.getDate());
 
-        String subject = "Change Account Data";
-        Outputable message = new TranslateCommand("The account data was changed.");
+        String subject = "Change DoB Data";
+        // send notification to support
+        Outputable message = new TranslateCommand("The DoB was changed.");
         user.sendSupportNotification(subject, message);
+        // send notification to user
+        message = SprintfCommand.createSimple("The DoB in your account was changed to {0}.", dobSelector.getDate());
+        user.sendSupportUserNotification(subject, message);
         return true;
     }
 
diff --git a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.templ b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.templ
index 892620ce..03be88e7 100644
--- a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.templ
+++ b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.templ
@@ -15,7 +15,7 @@
         <tr>
             <td><?=_Date of Birth?>:</td>
             <td>
-                <?=$dob?>
+                <?=$dob?> <input class="btn btn-warning" name="detailupdate" type="submit" value="<?=_Update?>"/>
             </td>
         </tr>
         <tr>
@@ -65,7 +65,6 @@
         <tr>
             <td colspan="2"><a href="history"><?=_Show account history?></a></td>
         </tr>
-        <tr><td colspan="2"><input class="btn btn-warning" name="detailupdate" type="submit" value="<?=_Update?>"/></td></tr>
     </tbody>
 </table>
 <br/>
diff --git a/src/org/cacert/gigi/pages/orga/CreateOrgPage.java b/src/org/cacert/gigi/pages/orga/CreateOrgPage.java
index 3219fc01..249871f2 100644
--- a/src/org/cacert/gigi/pages/orga/CreateOrgPage.java
+++ b/src/org/cacert/gigi/pages/orga/CreateOrgPage.java
@@ -13,7 +13,7 @@ import org.cacert.gigi.util.AuthorizationContext;
 
 public class CreateOrgPage extends Page {
 
-    public static final Group ORG_ASSURER = Group.getByString("orgassurer");
+    public static final Group ORG_ASSURER = Group.ORGASSURER;
 
     public static final String DEFAULT_PATH = "/orga/new";
 
diff --git a/src/org/cacert/gigi/pages/wot/RequestTTPForm.java b/src/org/cacert/gigi/pages/wot/RequestTTPForm.java
index 85041860..3a6f7fe4 100644
--- a/src/org/cacert/gigi/pages/wot/RequestTTPForm.java
+++ b/src/org/cacert/gigi/pages/wot/RequestTTPForm.java
@@ -16,7 +16,7 @@ import org.cacert.gigi.pages.LoginPage;
 
 public class RequestTTPForm extends Form {
 
-    public static final Group TTP_APPLICANT = Group.getByString("ttp-applicant");
+    public static final Group TTP_APPLICANT = Group.TTP_APPLICANT;
 
     private static final Template t = new Template(RequestTTPForm.class.getResource("RequestTTPForm.templ"));
 
diff --git a/src/org/cacert/gigi/util/Notary.java b/src/org/cacert/gigi/util/Notary.java
index 2e6edd66..996ddf59 100644
--- a/src/org/cacert/gigi/util/Notary.java
+++ b/src/org/cacert/gigi/util/Notary.java
@@ -55,9 +55,9 @@ public class Notary {
         }
     }
 
-    public static final Group ASSURER_BLOCKED = Group.getByString("blockedassurer");
+    public static final Group ASSURER_BLOCKED = Group.BLOCKEDASSURER;
 
-    public static final Group ASSUREE_BLOCKED = Group.getByString("blockedassuree");
+    public static final Group ASSUREE_BLOCKED = Group.BLOCKEDASSUREE;
 
     /**
      * This method assures another user.
diff --git a/tests/org/cacert/gigi/TestOrga.java b/tests/org/cacert/gigi/TestOrga.java
index 1a0a0aaf..ff3a56cc 100644
--- a/tests/org/cacert/gigi/TestOrga.java
+++ b/tests/org/cacert/gigi/TestOrga.java
@@ -17,13 +17,13 @@ public class TestOrga extends BusinessTest {
     @Test
     public void testAddRm() throws GigiApiException, IOException {
         User u1 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u1.grantGroup(u1, Group.ORGASSURER);
+        u1.grantGroup(getSupporter(), Group.ORGASSURER);
         User u2 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u2.grantGroup(u1, Group.ORGASSURER);
+        u2.grantGroup(getSupporter(), Group.ORGASSURER);
         User u3 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u3.grantGroup(u1, Group.ORGASSURER);
+        u3.grantGroup(getSupporter(), Group.ORGASSURER);
         User u4 = User.getById(createAssuranceUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
-        u4.grantGroup(u1, Group.ORGASSURER);
+        u4.grantGroup(getSupporter(), Group.ORGASSURER);
         Organisation o1 = new Organisation("name", Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "prov", "city", "email", "optional name", "postal address", u1);
         assertEquals(0, o1.getAllAdmins().size());
         o1.addAdmin(u2, u1, false);
diff --git a/tests/org/cacert/gigi/TestUserGroupMembership.java b/tests/org/cacert/gigi/TestUserGroupMembership.java
index 32bb1a99..bd1fd4f7 100644
--- a/tests/org/cacert/gigi/TestUserGroupMembership.java
+++ b/tests/org/cacert/gigi/TestUserGroupMembership.java
@@ -3,6 +3,7 @@ package org.cacert.gigi;
 import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
 
+import java.io.IOException;
 import java.sql.SQLException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -18,15 +19,15 @@ import org.junit.Test;
 
 public class TestUserGroupMembership extends BusinessTest {
 
-    private final Group ttpGroup = Group.getByString("ttp-assurer");
+    private final Group ttpGroup = Group.TTP_ASSURER;
 
-    private final Group supporter = Group.getByString("supporter");
+    private final Group supporter = Group.SUPPORTER;
 
     @Test
-    public void testAddObject() throws GigiApiException, SQLException {
+    public void testAddObject() throws GigiApiException, SQLException, IOException {
         User u = User.getById(createVerifiedUser("fname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
 
-        User granter = User.getById(createVerifiedUser("grFname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
+        User granter = getSupporter();
         assertBehavesEmpty(u);
 
         u.grantGroup(granter, ttpGroup);
@@ -55,10 +56,10 @@ public class TestUserGroupMembership extends BusinessTest {
     }
 
     @Test
-    public void testRemoveObject() throws GigiApiException, SQLException {
+    public void testRemoveObject() throws GigiApiException, SQLException, IOException {
         User u = User.getById(createVerifiedUser("fname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
 
-        User granter = User.getById(createVerifiedUser("grFname", "lname", createUniqueName() + "@example.org", TEST_PASSWORD));
+        User granter = getSupporter();
 
         assertBehavesEmpty(u);
         u.grantGroup(granter, ttpGroup);
@@ -99,20 +100,20 @@ public class TestUserGroupMembership extends BusinessTest {
     }
 
     @Test
-    public void testListGroup() throws GigiApiException {
-        Group g = Group.getByString("supporter");
+    public void testListGroup() throws GigiApiException, IOException {
+        Group g = Group.SUPPORTER;
         int start = g.getMembers(0, 10).length;
         User ux = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.org", TEST_PASSWORD));
         User ux2 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.org", TEST_PASSWORD));
         assertEquals(0, g.getMembers(0, 10).length + start);
-        ux.grantGroup(ux, g);
-        assertEquals(1, g.getMembers(0, 10).length + start);
-        ux2.grantGroup(ux, g);
+        ux.grantGroup(getSupporter(), g); // creates a supporter
         assertEquals(2, g.getMembers(0, 10).length + start);
+        ux2.grantGroup(ux, g);
+        assertEquals(3, g.getMembers(0, 10).length + start);
         ux2.revokeGroup(ux, g);
-        assertEquals(1, g.getMembers(0, 10).length + start);
+        assertEquals(2, g.getMembers(0, 10).length + start);
         ux.revokeGroup(ux, g);
-        assertEquals(0, g.getMembers(0, 10).length + start);
+        assertEquals(1, g.getMembers(0, 10).length + start);
 
     }
 
diff --git a/tests/org/cacert/gigi/api/IssueCert.java b/tests/org/cacert/gigi/api/IssueCert.java
index 03ab3f3e..fc1e9d1c 100644
--- a/tests/org/cacert/gigi/api/IssueCert.java
+++ b/tests/org/cacert/gigi/api/IssueCert.java
@@ -18,9 +18,9 @@ import java.security.cert.X509Certificate;
 import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.Certificate.CSRType;
 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
-import org.cacert.gigi.dbObjects.Country.CountryCodeType;
 import org.cacert.gigi.dbObjects.CertificateProfile;
 import org.cacert.gigi.dbObjects.Country;
+import org.cacert.gigi.dbObjects.Country.CountryCodeType;
 import org.cacert.gigi.dbObjects.Digest;
 import org.cacert.gigi.dbObjects.Domain;
 import org.cacert.gigi.dbObjects.Group;
@@ -87,7 +87,7 @@ public class IssueCert extends ClientTest {
     @Test
     public void testIssueOrgCert() throws Exception {
         makeAssurer(id);
-        u.grantGroup(u, Group.ORGASSURER);
+        u.grantGroup(getSupporter(), Group.ORGASSURER);
 
         Organisation o1 = new Organisation("name", Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "pr", "st", "test@mail", "", "", u);
         o1.addAdmin(u, u, false);
diff --git a/tests/org/cacert/gigi/api/TestFindAgent.java b/tests/org/cacert/gigi/api/TestFindAgent.java
index 3b8b9927..d7213961 100644
--- a/tests/org/cacert/gigi/api/TestFindAgent.java
+++ b/tests/org/cacert/gigi/api/TestFindAgent.java
@@ -33,7 +33,7 @@ public class TestFindAgent extends RestrictedApiTest {
         assertEquals(501, v.getResponseCode());
         assertThat(IOUtils.readURL(new InputStreamReader(v.getErrorStream(), "UTF-8")), containsString(FindAgentAccess.PATH));
 
-        grant(u.getEmail(), Group.LOCATE_AGENT);
+        grant(u, Group.LOCATE_AGENT);
         v = doApi(FindAgent.PATH_RESOLVE, "serial=" + target2.getSerial().toLowerCase());
         assertEquals(u.getId(), Integer.parseInt(IOUtils.readURL(v)));
     }
@@ -58,13 +58,13 @@ public class TestFindAgent extends RestrictedApiTest {
         assertThat(v.getResponseMessage(), containsString("needs to enable access"));
 
         // even if sender enables service
-        grant((userUFirst ? u : us2).getEmail(), Group.LOCATE_AGENT);
+        grant((userUFirst ? u : us2), Group.LOCATE_AGENT);
         v = doApi(FindAgent.PATH_MAIL, "from=" + id + "&to=" + u2 + "&subject=the-subject&body=body");
         assertEquals(v.getResponseMessage(), 501, v.getResponseCode());
         assertThat(v.getResponseMessage(), containsString("needs to enable access"));
 
         // receiver needs to enable access as well
-        grant((userUFirst ? us2 : u).getEmail(), Group.LOCATE_AGENT);
+        grant((userUFirst ? us2 : u), Group.LOCATE_AGENT);
         v = doApi(FindAgent.PATH_MAIL, "from=" + id + "&to=" + u2 + "&subject=the-subject&body=body");
         assertEquals(v.getResponseMessage(), 200, v.getResponseCode());
         TestMail mail = getMailReceiver().receive();
@@ -79,8 +79,8 @@ public class TestFindAgent extends RestrictedApiTest {
 
         String res = IOUtils.readURL(doApi(FindAgent.PATH_INFO, "id=" + id + "&id=" + u2)).replace("\r", "");
         assertEquals(res, "");
-        grant(email, Group.LOCATE_AGENT);
-        grant(User.getById(u2).getEmail(), Group.LOCATE_AGENT);
+        grant(u, Group.LOCATE_AGENT);
+        grant(User.getById(u2), Group.LOCATE_AGENT);
         res = IOUtils.readURL(doApi(FindAgent.PATH_INFO, "id=" + id + "&id=" + u2)).replace("\r", "");
         assertEquals(id + ",true," + u.getPreferredName().toAbbreviatedString() + "\n" + u2 + ",false," + User.getById(u2).getPreferredName().toAbbreviatedString() + "\n", res);
     }
diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
index 98f105f0..0beaef87 100644
--- a/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
+++ b/tests/org/cacert/gigi/pages/account/TestCertificateRequest.java
@@ -20,11 +20,9 @@ public class TestCertificateRequest extends ClientTest {
 
     AuthorizationContext ac;
 
-    public TestCertificateRequest() throws GeneralSecurityException, IOException {
+    public TestCertificateRequest() throws GeneralSecurityException, IOException, GigiApiException {
         ac = new AuthorizationContext(u, u);
         makeAssurer(u.getId());
-        grant(email, Group.CODESIGNING);
-
     }
 
     @Test
@@ -62,7 +60,7 @@ public class TestCertificateRequest extends ClientTest {
     @Test
     public void testCodesignModifiedName() throws Exception {
         try {
-            u.grantGroup(u, Group.CODESIGNING);
+            u.grantGroup(getSupporter(), Group.CODESIGNING);
             CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
             cr.update("name", "SHA512", "code-a", null, null, "email:" + email);
             cr.draft();
diff --git a/tests/org/cacert/gigi/pages/account/TestMyDetailsEdit.java b/tests/org/cacert/gigi/pages/account/TestMyDetailsEdit.java
index 43a110ea..38f691ab 100644
--- a/tests/org/cacert/gigi/pages/account/TestMyDetailsEdit.java
+++ b/tests/org/cacert/gigi/pages/account/TestMyDetailsEdit.java
@@ -3,6 +3,7 @@ package org.cacert.gigi.pages.account;
 import static org.junit.Assert.*;
 
 import java.io.IOException;
+import java.net.URLEncoder;
 import java.sql.Date;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -10,6 +11,7 @@ import java.util.GregorianCalendar;
 import java.util.TimeZone;
 
 import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Name;
 import org.cacert.gigi.dbObjects.NamePart;
 import org.cacert.gigi.dbObjects.NamePart.NamePartType;
@@ -108,4 +110,32 @@ public class TestMyDetailsEdit extends ManagedTest {
         assertNull(executeBasicWebInteraction(cookie, MyDetails.PATH, "residenceCountry=invalid&action=updateResidenceCountry", 0));
         assertEquals(null, user.getResidenceCountry());
     }
+
+    @Test
+    public void testModifyUserGroup() throws IOException {
+        User user = User.getById(id);
+        // test add group
+        assertNull(executeBasicWebInteraction(cookie, MyDetails.PATH, "action=addGroup&groupToModify=" + URLEncoder.encode(Group.LOCATE_AGENT.getDatabaseName(), "UTF-8"), 0));
+
+        user = User.getById(id);
+        user.refreshGroups();
+        assertTrue(user.isInGroup(Group.LOCATE_AGENT));
+
+        // test remove group
+        assertNull(executeBasicWebInteraction(cookie, MyDetails.PATH, "action=removeGroup&groupToModify=" + URLEncoder.encode(Group.LOCATE_AGENT.getDatabaseName(), "UTF-8"), 0));
+
+        user = User.getById(id);
+        user.refreshGroups();
+        assertFalse(user.isInGroup(Group.LOCATE_AGENT));
+
+        // test add group that only support can add
+        assertNotNull(executeBasicWebInteraction(cookie, MyDetails.PATH, "action=addGroup&groupToModify=" + URLEncoder.encode(Group.SUPPORTER.getDatabaseName(), "UTF-8"), 0));
+
+        user = User.getById(id);
+        user.refreshGroups();
+        assertFalse(user.isInGroup(Group.SUPPORTER));
+
+        // test add invalid group
+        assertNotNull(executeBasicWebInteraction(cookie, MyDetails.PATH, "action=addGroup&groupToModify=non-existing", 0));
+    }
 }
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java
index 689fb513..dac9053e 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminNotificationMail.java
@@ -4,9 +4,17 @@ import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
 
 import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
 import java.net.MalformedURLException;
+import java.net.URLEncoder;
+import java.util.HashMap;
+import java.util.Locale;
 
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
+import org.cacert.gigi.dbObjects.User;
+import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.pages.admin.support.SupportEnterTicketPage;
 import org.cacert.gigi.pages.admin.support.SupportUserDetailsPage;
 import org.cacert.gigi.testUtils.ClientTest;
@@ -18,8 +26,9 @@ public class TestSEAdminNotificationMail extends ClientTest {
 
     private int targetID;
 
-    public TestSEAdminNotificationMail() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminNotificationMail() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
 
         String email = createUniqueName() + "@example.com";
@@ -33,10 +42,13 @@ public class TestSEAdminNotificationMail extends ClientTest {
 
         executeBasicWebInteraction(cookie, SupportUserDetailsPage.PATH + targetID + "/", "dobd=1&dobm=2&doby=2000&detailupdate", 0);
 
+        // mail to support
         String message = getMailReceiver().receive().getMessage();
-        assertThat(message, containsString("The account data was changed."));
+        assertThat(message, containsString("The DoB was changed"));
         assertThat(message, containsString("supporter " + u.getPreferredName().toString() + " triggered:"));
-
+        // mail to user
+        message = getMailReceiver().receive().getMessage();
+        assertThat(message, containsString("The DoB in your account was changed to 2000-02-01."));
     }
 
     @Test
@@ -52,26 +64,46 @@ public class TestSEAdminNotificationMail extends ClientTest {
 
     @Test
     public void testGrantUserGroup() throws MalformedURLException, IOException {
-        executeBasicWebInteraction(cookie, SupportUserDetailsPage.PATH + targetID + "/", "addGroup&groupToModify=supporter", 0);
+        executeBasicWebInteraction(cookie, SupportUserDetailsPage.PATH + targetID + "/", "addGroup&groupToModify=" + URLEncoder.encode(Group.SUPPORTER.getDatabaseName(), "UTF-8"), 0);
+
+        StringWriter sw = new StringWriter();
+        PrintWriter pw = new PrintWriter(sw);
+        Group.SUPPORTER.getName().output(pw, Language.getInstance(Locale.ENGLISH), new HashMap<String, Object>());
 
+        // mail to support
         String message = getMailReceiver().receive().getMessage();
-        assertThat(message, containsString("The group permission supporter was granted."));
+        assertThat(message, containsString("The group permission '" + sw.toString() + "' was granted."));
+        // mail to user
+        message = getMailReceiver().receive().getMessage();
+        assertThat(message, containsString("The group permission '" + sw.toString() + "' was granted to your account."));
     }
 
     @Test
     public void testRemoveUserGroup() throws MalformedURLException, IOException {
-        executeBasicWebInteraction(cookie, SupportUserDetailsPage.PATH + targetID + "/", "removeGroup&groupToModify=supporter", 0);
+        executeBasicWebInteraction(cookie, SupportUserDetailsPage.PATH + targetID + "/", "removeGroup&groupToModify=" + URLEncoder.encode(Group.SUPPORTER.getDatabaseName(), "UTF-8"), 0);
 
+        StringWriter sw = new StringWriter();
+        PrintWriter pw = new PrintWriter(sw);
+        Group.SUPPORTER.getName().output(pw, Language.getInstance(Locale.ENGLISH), new HashMap<String, Object>());
+
+        // mail to support
         String message = getMailReceiver().receive().getMessage();
-        assertThat(message, containsString("The group permission supporter was revoked."));
+        assertThat(message, containsString("The group permission '" + sw.toString() + "' was revoked."));
+        // mail to user
+        message = getMailReceiver().receive().getMessage();
+        assertThat(message, containsString("The group permission '" + sw.toString() + "' was revoked from your account."));
     }
 
     @Test
-    public void testRevokeCertificates() throws MalformedURLException, IOException {
+    public void testRevokeAllCertificates() throws MalformedURLException, IOException {
         executeBasicWebInteraction(cookie, SupportUserDetailsPage.PATH + targetID + "/", "revokeall", 1);
+        User user = User.getById(targetID);
 
+        // mail to support
         String message = getMailReceiver().receive().getMessage();
-        assertThat(message, containsString("All certificates in the account have been revoked."));
-
+        assertThat(message, containsString("All certificates in the account " + user.getPreferredName().toString()));
+        // mail to user
+        message = getMailReceiver().receive().getMessage();
+        assertThat(message, containsString("All certificates in your account have been revoked."));
     }
 }
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java
index 08541dec..e9b31abb 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageDetails.java
@@ -27,8 +27,9 @@ import org.junit.Test;
 
 public class TestSEAdminPageDetails extends ClientTest {
 
-    public TestSEAdminPageDetails() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminPageDetails() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
     }
 
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
index d1916c10..57c5c15c 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserDomainSearch.java
@@ -32,7 +32,8 @@ public class TestSEAdminPageUserDomainSearch extends ClientTest {
     private int tid;
 
     public TestSEAdminPageUserDomainSearch() throws IOException, GigiApiException {
-        grant(email, Group.SUPPORTER);
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
 
         String mail = createUniqueName() + "@example.com";
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
index 71dfeaee..29918b5a 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminPageUserMailSearch.java
@@ -22,8 +22,9 @@ import org.junit.Test;
 
 public class TestSEAdminPageUserMailSearch extends ClientTest {
 
-    public TestSEAdminPageUserMailSearch() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminPageUserMailSearch() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
         assertEquals(302, post(cookie, SupportEnterTicketPage.PATH, "ticketno=a20140808.8&setTicket=action", 0).getResponseCode());
     }
 
diff --git a/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java b/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java
index 62d89de2..01e17b3c 100644
--- a/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java
+++ b/tests/org/cacert/gigi/pages/admin/TestSEAdminTicketSetting.java
@@ -6,6 +6,7 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.pages.admin.support.FindUserByDomainPage;
 import org.cacert.gigi.pages.admin.support.FindUserByEmailPage;
@@ -15,8 +16,9 @@ import org.junit.Test;
 
 public class TestSEAdminTicketSetting extends ClientTest {
 
-    public TestSEAdminTicketSetting() throws IOException {
-        grant(email, Group.SUPPORTER);
+    public TestSEAdminTicketSetting() throws IOException, GigiApiException {
+        grant(u, Group.SUPPORTER);
+        cookie = login(email, TEST_PASSWORD);
     }
 
     @Test
diff --git a/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java b/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java
index d1b930db..b24bb83e 100644
--- a/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java
+++ b/tests/org/cacert/gigi/pages/orga/TestOrgDomain.java
@@ -13,7 +13,7 @@ import org.junit.Test;
 
 public class TestOrgDomain extends OrgTest {
 
-    public TestOrgDomain() throws IOException {
+    public TestOrgDomain() throws IOException, GigiApiException {
 
     }
 
diff --git a/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java b/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java
index 760ca198..65951dc8 100644
--- a/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java
+++ b/tests/org/cacert/gigi/pages/orga/TestOrgManagement.java
@@ -26,7 +26,7 @@ import org.junit.Test;
 
 public class TestOrgManagement extends OrgTest {
 
-    public TestOrgManagement() throws IOException {
+    public TestOrgManagement() throws IOException, GigiApiException {
 
     }
 
diff --git a/tests/org/cacert/gigi/pages/wot/TestTTP.java b/tests/org/cacert/gigi/pages/wot/TestTTP.java
index 34b0ca6d..560d1b56 100644
--- a/tests/org/cacert/gigi/pages/wot/TestTTP.java
+++ b/tests/org/cacert/gigi/pages/wot/TestTTP.java
@@ -21,13 +21,13 @@ public class TestTTP extends ClientTest {
     public void testTTPApply() throws IOException {
         String ttp = IOUtils.readURL(get(RequestTTPPage.PATH));
         assertThat(ttp, containsString("<form"));
-        executeBasicWebInteraction(cookie, RequestTTPPage.PATH, "country=0");
+        assertNull(executeBasicWebInteraction(cookie, RequestTTPPage.PATH, "country=0"));
 
         ttp = IOUtils.readURL(get(RequestTTPPage.PATH));
         assertThat(ttp, not(containsString("<form")));
         ObjectCache.clearAllCaches();
         u = User.getById(u.getId());
-        assertTrue(u.isInGroup(Group.getByString("ttp-applicant")));
+        assertTrue(u.isInGroup(Group.TTP_APPLICANT));
     }
 
     @Test
diff --git a/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java b/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java
index 31b0e51b..12430b7c 100644
--- a/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java
+++ b/tests/org/cacert/gigi/pages/wot/TestTTPAdmin.java
@@ -5,6 +5,7 @@ import static org.junit.Assert.*;
 import java.io.IOException;
 import java.net.MalformedURLException;
 
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.pages.admin.TTPAdminPage;
@@ -20,20 +21,20 @@ public class TestTTPAdmin extends ClientTest {
     }
 
     @Test
-    public void testHasRight() throws IOException {
+    public void testHasRight() throws IOException, GigiApiException {
         testTTPAdmin(true);
     }
 
     @Test
-    public void testHasNoRight() throws IOException {
+    public void testHasNoRight() throws IOException, GigiApiException {
         testTTPAdmin(false);
     }
 
-    public void testTTPAdmin(boolean hasRight) throws IOException {
+    public void testTTPAdmin(boolean hasRight) throws IOException, GigiApiException {
         if (hasRight) {
-            grant(email, Group.getByString("ttp-assurer"));
+            grant(u, Group.TTP_ASSURER);
         }
-        grant(u.getEmail(), TTPAdminPage.TTP_APPLICANT);
+        grant(u, TTPAdminPage.TTP_APPLICANT);
         cookie = login(u.getEmail(), TEST_PASSWORD);
 
         assertEquals( !hasRight ? 403 : 200, fetchStatusCode(TTPAdminPage.PATH));
diff --git a/tests/org/cacert/gigi/testUtils/BusinessTest.java b/tests/org/cacert/gigi/testUtils/BusinessTest.java
index cc095e30..db888c03 100644
--- a/tests/org/cacert/gigi/testUtils/BusinessTest.java
+++ b/tests/org/cacert/gigi/testUtils/BusinessTest.java
@@ -15,8 +15,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.cacert.gigi.GigiApiException;
+import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.dbObjects.Domain;
 import org.cacert.gigi.dbObjects.EmailAddress;
+import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.NamePart;
 import org.cacert.gigi.dbObjects.NamePart.NamePartType;
 import org.cacert.gigi.dbObjects.User;
@@ -155,4 +157,21 @@ public abstract class BusinessTest extends ConfiguredTest {
     public MailReceiver getMailReceiver() {
         return InVMEmail.getInstance();
     }
+
+    private User supporter;
+
+    public User getSupporter() throws GigiApiException, IOException {
+        if (supporter != null) {
+            return supporter;
+        }
+        supporter = createVerifiedUser();
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+            ps.setInt(1, supporter.getId());
+            ps.setString(2, Group.SUPPORTER.getDatabaseName());
+            ps.setInt(3, supporter.getId());
+            ps.execute();
+        }
+        supporter.refreshGroups();
+        return supporter;
+    }
 }
diff --git a/tests/org/cacert/gigi/testUtils/ManagedTest.java b/tests/org/cacert/gigi/testUtils/ManagedTest.java
index a0228f16..22da1eab 100644
--- a/tests/org/cacert/gigi/testUtils/ManagedTest.java
+++ b/tests/org/cacert/gigi/testUtils/ManagedTest.java
@@ -42,7 +42,6 @@ import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Job;
 import org.cacert.gigi.dbObjects.ObjectCache;
 import org.cacert.gigi.dbObjects.User;
-import org.cacert.gigi.pages.Manager;
 import org.cacert.gigi.pages.account.MyDetails;
 import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.testUtils.TestEmailReceiver.TestMail;
@@ -289,11 +288,9 @@ public class ManagedTest extends ConfiguredTest {
         }
     }
 
-    public static void grant(String email, Group g) throws IOException {
-        HttpURLConnection huc = (HttpURLConnection) new URL("https://" + getServerName() + Manager.PATH).openConnection();
-        huc.setDoOutput(true);
-        huc.getOutputStream().write(("addpriv=y&priv=" + URLEncoder.encode(g.getDatabaseName(), "UTF-8") + "&email=" + URLEncoder.encode(email, "UTF-8")).getBytes("UTF-8"));
-        assertEquals(200, huc.getResponseCode());
+    public static void grant(User u, Group g) throws IOException, GigiApiException {
+        u.grantGroup(getSupporter(), g);
+        clearCaches();
     }
 
     /**
@@ -486,4 +483,21 @@ public class ManagedTest extends ConfiguredTest {
         return openConnection;
     }
 
+    private static User supporter;
+
+    public static User getSupporter() throws GigiApiException, IOException {
+        if (supporter != null) {
+            return supporter;
+        }
+        int i = createVerifiedUser("fn", "ln", createUniqueName() + "@email.com", TEST_PASSWORD);
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+            ps.setInt(1, i);
+            ps.setString(2, Group.SUPPORTER.getDatabaseName());
+            ps.setInt(3, i);
+            ps.execute();
+        }
+        clearCaches();
+        supporter = User.getById(i);
+        return supporter;
+    }
 }
diff --git a/tests/org/cacert/gigi/testUtils/OrgTest.java b/tests/org/cacert/gigi/testUtils/OrgTest.java
index 2a9f5da7..5a42a4a6 100644
--- a/tests/org/cacert/gigi/testUtils/OrgTest.java
+++ b/tests/org/cacert/gigi/testUtils/OrgTest.java
@@ -10,9 +10,9 @@ import org.cacert.gigi.dbObjects.Organisation;
 
 public class OrgTest extends ClientTest {
 
-    public OrgTest() throws IOException {
+    public OrgTest() throws IOException, GigiApiException {
         makeAssurer(u.getId());
-        u.grantGroup(u, Group.ORGASSURER);
+        u.grantGroup(getSupporter(), Group.ORGASSURER);
         clearCaches();
         cookie = login(email, TEST_PASSWORD);
     }
diff --git a/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java b/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java
index 2301b0ae..e4ec22b9 100644
--- a/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java
+++ b/tests/org/cacert/gigi/testUtils/RestrictedApiTest.java
@@ -39,7 +39,7 @@ public class RestrictedApiTest extends ClientTest {
         initEnvironment();
         try {
             User u = User.getById(createAssuranceUser("f", "l", createUniqueName() + "@email.com", TEST_PASSWORD));
-            grant(u.getEmail(), Group.ORGASSURER);
+            grant(u, Group.ORGASSURER);
             clearCaches();
             u = User.getById(u.getId());
             Organisation o = new Organisation(Organisation.SELF_ORG_NAME, Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "NA", "NA", "contact@cacert.org", "", "", u);
diff --git a/util-testing/org/cacert/gigi/pages/Manager.java b/util-testing/org/cacert/gigi/pages/Manager.java
index a2435c95..2fd78ba7 100644
--- a/util-testing/org/cacert/gigi/pages/Manager.java
+++ b/util-testing/org/cacert/gigi/pages/Manager.java
@@ -96,6 +96,28 @@ public class Manager extends Page {
         }
     }
 
+    public User getSupporter() {
+        if (supporter != null) {
+            return supporter;
+        }
+        try {
+            User u = createAssurer( -1);
+            if ( !u.isInGroup(Group.SUPPORTER)) {
+                try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
+                    ps.setInt(1, u.getId());
+                    ps.setString(2, Group.SUPPORTER.getDatabaseName());
+                    ps.setInt(3, u.getId());
+                    ps.execute();
+                }
+                u.refreshGroups();
+            }
+            supporter = u;
+        } catch (ReflectiveOperationException | GigiApiException e) {
+            e.printStackTrace();
+        }
+        return supporter;
+    }
+
     public User getAssurer(int i) {
         if (assurers[i] != null) {
             return assurers[i];
@@ -261,6 +283,8 @@ public class Manager extends Page {
 
     User[] assurers = new User[25];
 
+    User supporter;
+
     @Override
     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         if (req.getParameter("create") != null) {
@@ -273,7 +297,11 @@ public class Manager extends Page {
                 return;
             }
             if (req.getParameter("addpriv") != null) {
-                u.grantGroup(u, Group.getByString(req.getParameter("priv")));
+                try {
+                    u.grantGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
+                } catch (GigiApiException e) {
+                    throw new Error(e);
+                }
                 resp.getWriter().println("Privilege granted");
             } else {
                 u.revokeGroup(u, Group.getByString(req.getParameter("priv")));
diff --git a/util-testing/org/cacert/gigi/util/SimpleSigner.java b/util-testing/org/cacert/gigi/util/SimpleSigner.java
index 6b498988..9a2fb107 100644
--- a/util-testing/org/cacert/gigi/util/SimpleSigner.java
+++ b/util-testing/org/cacert/gigi/util/SimpleSigner.java
@@ -28,6 +28,7 @@ import java.text.SimpleDateFormat;
 import java.util.Base64;
 import java.util.Calendar;
 import java.util.Date;
+import java.util.GregorianCalendar;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
@@ -327,7 +328,8 @@ public class SimpleSigner {
                     PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
                     pk = p10.getSubjectPublicKeyInfo();
                 }
-                String ca = caP.getProperty("ca") + "_2015_1";
+                Calendar cal = GregorianCalendar.getInstance();
+                String ca = caP.getProperty("ca") + "_" + cal.get(Calendar.YEAR) + (cal.get(Calendar.MONTH) >= 6 ? "_2" : "_1");
                 File parent = new File("signer/ca");
                 File[] caFiles = parent.listFiles();
                 if (null == caFiles) {