Affects Version/s: EJBCA 7.0.0
Fix Version/s: EJBCA 7.0.0
Issue discovered during: Testing
Sprint: EJBCA Team Alice - 2018 w48
Discovered during exploratory testing
- Disallow the delete_end_entity access rule in your admin role
- Go and try to create an End Entity in the RA web: https://localhost:8443/ejbca/ra/enrollmakenewrequest.xhtml
success message "End entity with username 'user1' has been added successfully"
and log entry:
[org.ejbca.core.model.era.RaMasterApiSessionBean] (default task-80) Missing */delete_end_entity rights for user 'CN=anything,O=EE' to be able to add an end entity (Delete is only needed for clean-up if something goes wrong after an end-entity has been added)
failure message on RA Web enrollmakenewrequest page.