mirror of
https://github.com/paperless-ngx/paperless-ngx.git
synced 2026-07-06 12:05:09 +00:00
Fix: correctly scope mail account enumeration (#12636)
This commit is contained in:
@@ -2,6 +2,7 @@ from django.utils.translation import gettext as _
|
|||||||
from rest_framework import serializers
|
from rest_framework import serializers
|
||||||
from rest_framework.exceptions import PermissionDenied
|
from rest_framework.exceptions import PermissionDenied
|
||||||
|
|
||||||
|
from documents.permissions import get_objects_for_user_owner_aware
|
||||||
from documents.permissions import has_perms_owner_aware
|
from documents.permissions import has_perms_owner_aware
|
||||||
from documents.serialisers import CorrespondentField
|
from documents.serialisers import CorrespondentField
|
||||||
from documents.serialisers import DocumentTypeField
|
from documents.serialisers import DocumentTypeField
|
||||||
@@ -59,7 +60,18 @@ class MailAccountSerializer(OwnedObjectSerializer):
|
|||||||
|
|
||||||
class AccountField(serializers.PrimaryKeyRelatedField):
|
class AccountField(serializers.PrimaryKeyRelatedField):
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
return MailAccount.objects.all().order_by("-id")
|
user = getattr(self.context.get("request"), "user", None)
|
||||||
|
if user is None:
|
||||||
|
user = getattr(self.root, "user", None)
|
||||||
|
|
||||||
|
if user is None:
|
||||||
|
return MailAccount.objects.none()
|
||||||
|
|
||||||
|
return get_objects_for_user_owner_aware(
|
||||||
|
user,
|
||||||
|
"change_mailaccount",
|
||||||
|
MailAccount,
|
||||||
|
).order_by("-id")
|
||||||
|
|
||||||
|
|
||||||
class MailRuleSerializer(OwnedObjectSerializer):
|
class MailRuleSerializer(OwnedObjectSerializer):
|
||||||
|
|||||||
@@ -632,7 +632,7 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
|
|||||||
self.assertEqual(returned_rule1.name, "Updated Name 1")
|
self.assertEqual(returned_rule1.name, "Updated Name 1")
|
||||||
self.assertEqual(returned_rule1.action, MailRule.MailAction.DELETE)
|
self.assertEqual(returned_rule1.action, MailRule.MailAction.DELETE)
|
||||||
|
|
||||||
def test_create_mail_rule_forbidden_for_unpermitted_account(self):
|
def test_create_mail_rule_scopes_accounts(self):
|
||||||
other_user = User.objects.create_user(username="mail-owner")
|
other_user = User.objects.create_user(username="mail-owner")
|
||||||
foreign_account = MailAccount.objects.create(
|
foreign_account = MailAccount.objects.create(
|
||||||
name="ForeignEmail",
|
name="ForeignEmail",
|
||||||
@@ -660,8 +660,26 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
|
|||||||
"attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
|
"attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
missing_response = self.client.post(
|
||||||
|
self.ENDPOINT,
|
||||||
|
data={
|
||||||
|
"name": "Rule1",
|
||||||
|
"account": foreign_account.pk + 1000,
|
||||||
|
"folder": "INBOX",
|
||||||
|
"filter_from": "from@example.com",
|
||||||
|
"maximum_age": 30,
|
||||||
|
"action": MailRule.MailAction.MARK_READ,
|
||||||
|
"assign_title_from": MailRule.TitleSource.FROM_SUBJECT,
|
||||||
|
"assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING,
|
||||||
|
"order": 0,
|
||||||
|
"attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
|
self.assertEqual(missing_response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
|
self.assertEqual(response.data["account"][0].code, "does_not_exist")
|
||||||
|
self.assertEqual(missing_response.data["account"][0].code, "does_not_exist")
|
||||||
self.assertEqual(MailRule.objects.count(), 0)
|
self.assertEqual(MailRule.objects.count(), 0)
|
||||||
|
|
||||||
def test_create_mail_rule_allowed_for_granted_account_change_permission(self):
|
def test_create_mail_rule_allowed_for_granted_account_change_permission(self):
|
||||||
@@ -736,7 +754,7 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
|
|||||||
data={"account": foreign_account.pk},
|
data={"account": foreign_account.pk},
|
||||||
)
|
)
|
||||||
|
|
||||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
rule1.refresh_from_db()
|
rule1.refresh_from_db()
|
||||||
self.assertEqual(rule1.account, own_account)
|
self.assertEqual(rule1.account, own_account)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user