This is an automated email from the ASF dual-hosted git repository. rcordier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 8c517dd981c00f0fbd5911ad5b34546079886798
Author: Benoit TELLIER <btell...@linagora.com>
AuthorDate: Thu Oct 17 10:47:45 2024 +0200
JAMES-2182 Fix rights for SETACL
---
.../org/apache/james/mailbox/MailboxManagerTest.java | 20 ++++++++++++++++++++
.../james/mailbox/store/StoreRightManager.java | 7 ++++---
.../apache/james/imap/scripts/SharingAccessLRA.test | 4 +---
3 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/mailbox/api/src/test/java/org/apache/james/mailbox/MailboxManagerTest.java b/mailbox/api/src/test/java/org/apache/james/mailbox/MailboxManagerTest.java
index 3f851fa6e7..bbe3df11e6 100644
--- a/mailbox/api/src/test/java/org/apache/james/mailbox/MailboxManagerTest.java
+++ b/mailbox/api/src/test/java/org/apache/james/mailbox/MailboxManagerTest.java
@@ -3134,6 +3134,26 @@ public abstract class MailboxManagerTest<T extends MailboxManager> {
 @Test
 void setRightsByIdShouldThrowWhenNotOwner() throws Exception {
+ MailboxPath mailboxPath = MailboxPath.forUser(USER_2, "mailbox");
+ MailboxId id = mailboxManager.createMailbox(mailboxPath, session2).get();
+ mailboxManager.setRights(id, MailboxACL.EMPTY.apply(MailboxACL.command()
+ .key(MailboxACL.EntryKey.createUserEntryKey(USER_1))
+ .rights(new MailboxACL.Rfc4314Rights(MailboxACL.Right.Lookup, MailboxACL.Right.Administer, MailboxACL.Right.Read))
+ .asAddition()), session2);
+
+ mailboxManager.setRights(id, MailboxACL.EMPTY.apply(
+ MailboxACL.command()
+ .key(MailboxACL.EntryKey.createUserEntryKey(USER_1))
+ .rights(MailboxACL.FULL_RIGHTS)
+ .asAddition()), session);
+
+ assertThat(mailboxManager.getMailbox(mailboxPath, session2)
+ .getMailboxEntity().getACL().getEntries().get(MailboxACL.EntryKey.createUserEntryKey(USER_1)))
+ .isEqualTo(MailboxACL.Rfc4314Rights.fromSerializedRfc4314Rights("aeiklprstwx"));
+ }
+
+ @Test
+ void setRightsByIdShouldThrowWhenNotAdministrator() throws Exception {
 MailboxId id = mailboxManager.createMailbox(MailboxPath.forUser(USER_2, "mailbox"), session2).get();
 mailboxManager.setRights(id, MailboxACL.EMPTY.apply(MailboxACL.command()
 .key(MailboxACL.EntryKey.createUserEntryKey(USER_1))
diff --git a/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreRightManager.java b/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreRightManager.java
index 5eab78dc2f..1a22ae328e 100644
--- a/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreRightManager.java
+++ b/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreRightManager.java
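Review bot: The test that keeps the name `setRightsByIdShouldThrowWhenNotOwner` no longer expects an exception: as rewritten in this hunk it asserts that a non-owner (USER_1, granted Lookup, Administer and Read, and apparently the holder of `session`) succeeds in raising its own entry to `aeiklprstwx`. This is the only positive coverage visible here for the relaxed authorization check, so the name should say what is being allowed, for example `setRightsByIdShouldSucceedWhenNotOwnerButAdministrator`. A one-line comment such as `// USER_1 holds 'a' and may therefore rewrite the ACL, including its own entry` would make the self-elevation an explicit, reviewed expectation. The body of `setRightsByIdShouldThrowWhenNotAdministrator` continues past the hunk, so whether its setup really omits `Right.Administer` cannot be confirmed from here.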
@@ -275,10 +275,11 @@ public class StoreRightManager implements RightManager {
 private void assertHaveAccessTo(Mailbox mailbox, MailboxSession session) throws InsufficientRightsException, MailboxNotFoundException {
 if (!mailbox.generateAssociatedPath().belongsTo(session)) {
- if (mailbox.getACL().getEntries().containsKey(EntryKey.createUserEntryKey(session.getUser()))) {
- throw new InsufficientRightsException("Setting ACL is only permitted to the owner of the mailbox");
- } else {
+ Rfc4314Rights acl = mailbox.getACL().getEntries().get(EntryKey.createUserEntryKey(session.getUser()));
+ if (acl == null) {
 throw new MailboxNotFoundException(mailbox.getMailboxId());
+ } else if (!acl.contains(Right.Administer)) {
+ throw new InsufficientRightsException("Setting ACL is only permitted to the owner and admins of the mailbox");
 }
 }
 }
diff --git a/mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRA.test b/mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRA.test
index c08191f132..5b98e9458a 100644
--- a/mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRA.test
+++ b/mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRA.test
@@ -62,10 +62,8 @@ S: a6 OK UNSELECT completed.
 C: a5 DELETE #user.boby.mailbox-lra
 S: a5 NO DELETE processing failed.
-# TODO if I have 'a' right I shall be able to administer!
-# org.apache.james.mailbox.exception.InsufficientRightsException: Setting ACL is only permitted to the owner of the mailbox
 C: a5 SETACL #user.boby.mailbox-lra imapuser lra
-S: a5 NO SETACL processing failed.
+S: a5 OK SETACL completed.
 C: a7 CREATE #user.boby.mailbox-lra.evev
 S: a7 NO CREATE processing failed.
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org
For additional commands, e-mail: notifications-h...@james.apache.org
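Review bot: In `assertHaveAccessTo` (StoreRightManager.java hunk), the authorization decision is taken from the caller's own positive user entry only, `getEntries().get(EntryKey.createUserEntryKey(session.getUser()))`, which looks like a raw ACL entry rather than the caller's effective rights. If the ACL model also carries negative or group/special-key entries that apply to this user, a revoked `a` would still pass this check, and an `a` granted through a non-user key would be answered with MailboxNotFoundException. Consider deciding on the resolved rights instead, along the lines of `if (!myRights(mailbox, session).contains(Right.Administer))`, assuming such a resolver is usable from this method, while keeping the not-found answer for callers with no rights at all so that mailbox existence is not disclosed. A Javadoc sentence on the method stating that Administer lets a delegate rewrite any entry, its own included, would document the widened trust boundary.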