From 7dbf8bdd4aff6ceb4eedd8a4aba7652978d1dc74 Mon Sep 17 00:00:00 2001 From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Sat, 21 Mar 2026 00:44:28 -0700 Subject: [PATCH] Fix: enforce permissions when attaching accounts to mail rules --- src/paperless_mail/serialisers.py | 15 ++++ src/paperless_mail/tests/test_api.py | 108 +++++++++++++++++++++++++++ 2 files changed, 123 insertions(+) diff --git a/src/paperless_mail/serialisers.py b/src/paperless_mail/serialisers.py index b38c8e78c..aff3e75da 100644 --- a/src/paperless_mail/serialisers.py +++ b/src/paperless_mail/serialisers.py @@ -1,5 +1,8 @@ +from django.utils.translation import gettext as _ from rest_framework import serializers +from rest_framework.exceptions import PermissionDenied +from documents.permissions import has_perms_owner_aware from documents.serialisers import CorrespondentField from documents.serialisers import DocumentTypeField from documents.serialisers import OwnedObjectSerializer @@ -127,6 +130,18 @@ class MailRuleSerializer(OwnedObjectSerializer): return attrs + def validate_account(self, account): + if self.user is not None and has_perms_owner_aware( + self.user, + "change_mailaccount", + account, + ): + return account + + raise PermissionDenied( + _("Insufficient permissions."), + ) + def validate_maximum_age(self, value): if value > 36500: # ~100 years raise serializers.ValidationError("Maximum mail age is unreasonably large.") diff --git a/src/paperless_mail/tests/test_api.py b/src/paperless_mail/tests/test_api.py index cbfe0f9a4..905509ec1 100644 --- a/src/paperless_mail/tests/test_api.py +++ b/src/paperless_mail/tests/test_api.py @@ -632,6 +632,114 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase): self.assertEqual(returned_rule1.name, "Updated Name 1") self.assertEqual(returned_rule1.action, MailRule.MailAction.DELETE) + def test_create_mail_rule_forbidden_for_unpermitted_account(self): + other_user = User.objects.create_user(username="mail-owner") + foreign_account = MailAccount.objects.create( + name="ForeignEmail", + username="username1", + password="password1", + imap_server="server.example.com", + imap_port=443, + imap_security=MailAccount.ImapSecurity.SSL, + character_set="UTF-8", + owner=other_user, + ) + + response = self.client.post( + self.ENDPOINT, + data={ + "name": "Rule1", + "account": foreign_account.pk, + "folder": "INBOX", + "filter_from": "from@example.com", + "maximum_age": 30, + "action": MailRule.MailAction.MARK_READ, + "assign_title_from": MailRule.TitleSource.FROM_SUBJECT, + "assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING, + "order": 0, + "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY, + }, + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(MailRule.objects.count(), 0) + + def test_create_mail_rule_allowed_for_granted_account_change_permission(self): + other_user = User.objects.create_user(username="mail-owner") + foreign_account = MailAccount.objects.create( + name="ForeignEmail", + username="username1", + password="password1", + imap_server="server.example.com", + imap_port=443, + imap_security=MailAccount.ImapSecurity.SSL, + character_set="UTF-8", + owner=other_user, + ) + assign_perm("change_mailaccount", self.user, foreign_account) + + response = self.client.post( + self.ENDPOINT, + data={ + "name": "Rule1", + "account": foreign_account.pk, + "folder": "INBOX", + "filter_from": "from@example.com", + "maximum_age": 30, + "action": MailRule.MailAction.MARK_READ, + "assign_title_from": MailRule.TitleSource.FROM_SUBJECT, + "assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING, + "order": 0, + "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY, + }, + ) + + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + self.assertEqual(MailRule.objects.get().account, foreign_account) + + def test_update_mail_rule_forbidden_for_unpermitted_account(self): + own_account = MailAccount.objects.create( + name="Email1", + username="username1", + password="password1", + imap_server="server.example.com", + imap_port=443, + imap_security=MailAccount.ImapSecurity.SSL, + character_set="UTF-8", + ) + other_user = User.objects.create_user(username="mail-owner") + foreign_account = MailAccount.objects.create( + name="ForeignEmail", + username="username2", + password="password2", + imap_server="server.example.com", + imap_port=443, + imap_security=MailAccount.ImapSecurity.SSL, + character_set="UTF-8", + owner=other_user, + ) + rule1 = MailRule.objects.create( + name="Rule1", + account=own_account, + folder="INBOX", + filter_from="from@example.com", + maximum_age=30, + action=MailRule.MailAction.MARK_READ, + assign_title_from=MailRule.TitleSource.FROM_SUBJECT, + assign_correspondent_from=MailRule.CorrespondentSource.FROM_NOTHING, + order=0, + attachment_type=MailRule.AttachmentProcessing.ATTACHMENTS_ONLY, + ) + + response = self.client.patch( + f"{self.ENDPOINT}{rule1.pk}/", + data={"account": foreign_account.pk}, + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + rule1.refresh_from_db() + self.assertEqual(rule1.account, own_account) + def test_get_mail_rules_owner_aware(self): """ GIVEN: