Fix: correctly scope mail account enumeration (#12636)
authorshamoon <4887959+shamoon@users.noreply.github.com>
Fri, 24 Apr 2026 17:15:59 +0000 (10:15 -0700)
committerGitHub <noreply@github.com>
Fri, 24 Apr 2026 17:15:59 +0000 (10:15 -0700)
src/paperless_mail/serialisers.py
src/paperless_mail/tests/test_api.py

index aff3e75daa19fa80386a45a102471debbc5e46a6..d84041f4570680d6851cba03fa6bf2c93991f67e 100644 (file)
@@ -2,6 +2,7 @@ from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.exceptions import PermissionDenied
 
+from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
 from documents.serialisers import CorrespondentField
 from documents.serialisers import DocumentTypeField
@@ -59,7 +60,18 @@ class MailAccountSerializer(OwnedObjectSerializer):
 
 class AccountField(serializers.PrimaryKeyRelatedField):
     def get_queryset(self):
-        return MailAccount.objects.all().order_by("-id")
+        user = getattr(self.context.get("request"), "user", None)
+        if user is None:
+            user = getattr(self.root, "user", None)
+
+        if user is None:
+            return MailAccount.objects.none()
+
+        return get_objects_for_user_owner_aware(
+            user,
+            "change_mailaccount",
+            MailAccount,
+        ).order_by("-id")
 
 
 class MailRuleSerializer(OwnedObjectSerializer):
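Review bot: The new get_queryset carries no explanation of why the queryset is scoped, and the reason is security-relevant enough to deserve one: because PrimaryKeyRelatedField validates against this queryset, an account the caller cannot change now fails with the same `does_not_exist` error as an id that does not exist at all, so a 403 no longer reveals which account ids are present. I would add a docstring such as `"""Restrict the selectable accounts to those the requesting user may change; ids outside that set validate as non-existent so the error response does not disclose whether the account exists."""` above the lookup. The fallback `getattr(self.root, "user", None)` on the line after the request lookup is presumably for serializers instantiated without a request in context — a one-line comment naming that caller would help the next maintainer. Note also that an AnonymousUser on the request is not None and reaches get_objects_for_user_owner_aware unchanged; if that helper does not already return an empty queryset for anonymous users, consider guarding on `user.is_authenticated` as well.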
index 905509ec1e6bba9e299a17529867c373722a4962..23972da35ceb2f77295d4c0f817d0a1e543bddc3 100644 (file)
@@ -632,7 +632,7 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
         self.assertEqual(returned_rule1.name, "Updated Name 1")
         self.assertEqual(returned_rule1.action, MailRule.MailAction.DELETE)
 
-    def test_create_mail_rule_forbidden_for_unpermitted_account(self):
+    def test_create_mail_rule_scopes_accounts(self):
         other_user = User.objects.create_user(username="mail-owner")
         foreign_account = MailAccount.objects.create(
             name="ForeignEmail",
@@ -660,8 +660,26 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
                 "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
             },
         )
+        missing_response = self.client.post(
+            self.ENDPOINT,
+            data={
+                "name": "Rule1",
+                "account": foreign_account.pk + 1000,
+                "folder": "INBOX",
+                "filter_from": "from@example.com",
+                "maximum_age": 30,
+                "action": MailRule.MailAction.MARK_READ,
+                "assign_title_from": MailRule.TitleSource.FROM_SUBJECT,
+                "assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING,
+                "order": 0,
+                "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
+            },
+        )
 
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(missing_response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(response.data["account"][0].code, "does_not_exist")
+        self.assertEqual(missing_response.data["account"][0].code, "does_not_exist")
         self.assertEqual(MailRule.objects.count(), 0)
 
     def test_create_mail_rule_allowed_for_granted_account_change_permission(self):
@@ -736,7 +754,7 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
             data={"account": foreign_account.pk},
         )
 
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         rule1.refresh_from_db()
         self.assertEqual(rule1.account, own_account)
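Review bot: In test_create_mail_rule_scopes_accounts the two responses are compared only by error code, but the enumeration guard this commit introduces depends on the full error payload being indistinguishable for a foreign account and a missing one; the test should pin that, e.g. `self.assertEqual(str(response.data["account"][0]), str(missing_response.data["account"][0]))` after the two code assertions, so a later change to the message for one branch (or a reintroduced 403) is caught. The foreign-account request body is built outside the hunk and the missing-account body duplicates it field for field with only `account` differing; factoring the payload into a local dict and overriding `account` would keep the two requests from drifting apart. The third hunk (the PATCH case at the end of the section) would benefit from the same payload-equality assertion against a non-existent account id.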