Posted to server-dev@james.apache.org by ad...@apache.org on 2017/11/16 13:20:30 UTC

[3/8] james-project git commit: JAMES-2219 User should not be able to delete a mailbox he doesn't own

JAMES-2219 User should not be able to delete a mailbox he doesn't own


Project: http://git-wip-us.apache.org/repos/asf/james-project/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-project/commit/472447d4
Tree: http://git-wip-us.apache.org/repos/asf/james-project/tree/472447d4
Diff: http://git-wip-us.apache.org/repos/asf/james-project/diff/472447d4

Branch: refs/heads/master
Commit: 472447d423b3e00348517987f4b790b8640008fa
Parents: 4897901
Author: Antoine Duprat <ad...@linagora.com>
Authored: Wed Nov 15 23:12:38 2017 +0100
Committer: Antoine Duprat <ad...@linagora.com>
Committed: Thu Nov 16 14:19:16 2017 +0100

----------------------------------------------------------------------
 .../mailbox/store/StoreMailboxManager.java      |  1 +
 .../cucumber/SetMailboxesMethodStepdefs.java    | 24 ++++++++++++++++++++
 .../resources/cucumber/GetMailboxes.feature     |  9 ++++++++
 3 files changed, 34 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/james-project/blob/472447d4/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreMailboxManager.java
----------------------------------------------------------------------
diff --git a/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreMailboxManager.java b/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreMailboxManager.java
index 6a72340..88c1aea 100644
--- a/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreMailboxManager.java
+++ b/mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreMailboxManager.java
@@ -523,6 +523,7 @@ public class StoreMailboxManager implements MailboxManager {
     @Override
     public void deleteMailbox(final MailboxPath mailboxPath, final MailboxSession session) throws MailboxException {
         LOGGER.info("deleteMailbox " + mailboxPath);
+        assertIsOwner(session.getUser(), mailboxPath);
         final MailboxMapper mapper = mailboxSessionMapperFactory.getMailboxMapper(session);
 
         Mailbox mailbox = mapper.execute((Mapper.Transaction<Mailbox>) () -> {
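Review bot: The `LOGGER.info("deleteMailbox " + mailboxPath)` line just above the new `assertIsOwner(session.getUser(), mailboxPath)` call records the path but not the requester, so a rejected cross-user delete and a legitimate one leave the same INFO entry. For audit and detection, name the requester in that entry, e.g. `LOGGER.info("deleteMailbox {} requested by {}", mailboxPath, session.getUser());` (assuming LOGGER is an SLF4J logger and the user object renders usefully as a string). A short comment on the new line, such as `// Authorization gate: must stay ahead of any mapper access`, would also keep later edits from moving it below the transaction. `assertIsOwner` is defined outside this hunk, so what it compares and which exception it raises cannot be confirmed here. The body of `deleteMailbox` continues past the hunk.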

http://git-wip-us.apache.org/repos/asf/james-project/blob/472447d4/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/java/org/apache/james/jmap/methods/integration/cucumber/SetMailboxesMethodStepdefs.java
----------------------------------------------------------------------
diff --git a/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/java/org/apache/james/jmap/methods/integration/cucumber/SetMailboxesMethodStepdefs.java b/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/java/org/apache/james/jmap/methods/integration/cucumber/SetMailboxesMethodStepdefs.java
index 59c1fbd..9d35294 100644
--- a/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/java/org/apache/james/jmap/methods/integration/cucumber/SetMailboxesMethodStepdefs.java
+++ b/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/java/org/apache/james/jmap/methods/integration/cucumber/SetMailboxesMethodStepdefs.java
@@ -166,6 +166,23 @@ public class SetMailboxesMethodStepdefs {
         renamingMailbox(userStepdefs.getConnectedUser(), actualMailboxName, newMailboxName);
     }
 
+    @When("^\"([^\"]*)\" deletes the mailbox \"([^\"]*)\" owned by \"([^\"]*)\"$")
+    public void deletesMailbox(String user, String mailboxName, String owner) throws Throwable {
+        Mailbox mailbox = mainStepdefs.mailboxProbe.getMailbox("#private", owner, mailboxName);
+        String mailboxId = mailbox.getMailboxId().serialize();
+        userStepdefs.connectUser(user);
+        String requestBody =
+                "[" +
+                    "  [ \"setMailboxes\"," +
+                    "    {" +
+                    "      \"destroy\": [ \"" + mailboxId + "\" ]" +
+                    "    }," +
+                    "    \"#0\"" +
+                    "  ]" +
+                    "]";
+        httpClient.post(requestBody);
+    }
+
     @When("^moving mailbox \"([^\"]*)\" to \"([^\"]*)\"$")
     public void movingMailbox(String actualMailboxPath, String newParentMailboxPath) throws Throwable {
         String username = userStepdefs.getConnectedUser();
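Review bot: `deletesMailbox` looks the mailbox up with the string literal `"#private"`, while `assertNotDestroyed`, added further down in this same file, uses `MailboxConstants.USER_NAMESPACE` for the same argument. If the two ever diverge, the delete step and the assertion would resolve different mailboxes and the authorization scenario could pass without exercising the intended target. Use the constant in both places: `Mailbox mailbox = mainStepdefs.mailboxProbe.getMailbox(MailboxConstants.USER_NAMESPACE, owner, mailboxName);`. The step also declares `throws Throwable`, where `throws Exception` (as in `assertNotDestroyed`) would be narrower.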
@@ -229,4 +246,11 @@ public class SetMailboxesMethodStepdefs {
         assertThat(httpClient.jsonPath.<Map<String, String>>read("[0][1].notUpdated"))
             .containsOnlyKeys(mailbox.getMailboxId().serialize());
     }
+
+    @Then("^mailbox \"([^\"]*)\" owned by \"([^\"]*)\" is not destroyed$")
+    public void assertNotDestroyed(String mailboxName, String owner) throws Exception {
+        Mailbox mailbox = mainStepdefs.mailboxProbe.getMailbox(MailboxConstants.USER_NAMESPACE, owner, mailboxName);
+        assertThat(httpClient.jsonPath.<Map<String, String>>read("[0][1].notDestroyed"))
+            .containsOnlyKeys(mailbox.getMailboxId().serialize());
+    }
 }
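Review bot: `assertNotDestroyed` checks only that the mailbox id is a key of `[0][1].notDestroyed`, so the step passes whenever the destroy fails for any reason, not just because the ownership check rejected it. As a regression test for an authorization fix, it should also pin that nothing was reported as destroyed, e.g. `assertThat(httpClient.jsonPath.<List<String>>read("[0][1].destroyed")).isEmpty();`. It should also assert the error type carried in the `notDestroyed` entry; the exact value the server returns is not visible in this diff, so it needs to be confirmed before being hard-coded. Reading the entry as `Map<String, String>` presumably works only because values are never accessed, which is worth a one-line comment.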

http://git-wip-us.apache.org/repos/asf/james-project/blob/472447d4/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/resources/cucumber/GetMailboxes.feature
----------------------------------------------------------------------
diff --git a/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/resources/cucumber/GetMailboxes.feature b/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/resources/cucumber/GetMailboxes.feature
index 34278c3..9ec81e9 100644
--- a/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/resources/cucumber/GetMailboxes.feature
+++ b/server/protocols/jmap-integration-testing/jmap-integration-testing-common/src/test/resources/cucumber/GetMailboxes.feature
@@ -277,3 +277,12 @@ Feature: GetMailboxes method
   Scenario: A sharee should receive a not updated response when trying to rename a shared mailbox
     Given "bob@domain.tld" renames the mailbox, owned by "alice@domain.tld", "shared" to "mySharedMailbox"
     Then mailbox "shared" owned by "alice@domain.tld" is not updated
+
+  Scenario: A sharee should receive a not destroyed response when trying to destroy a shared mailbox
+    Given "bob@domain.tld" deletes the mailbox "shared" owned by "alice@domain.tld"
+    Then mailbox "shared" owned by "alice@domain.tld" is not destroyed
+
+  Scenario: A sharee should not be able to delete a shared mailbox
+    Given "bob@domain.tld" deletes the mailbox "shared" owned by "alice@domain.tld"
+    When "alice@domain.tld" lists mailboxes
+    Then the mailboxes should contain "shared" in "Personal" namespace
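Review bot: Both new scenarios cover only the denied path (bob acting on alice's `shared` mailbox), so nothing added here would fail if the new ownership check rejected every caller, the owner included. A companion scenario in which "alice@domain.tld" deletes her own mailbox and it no longer appears in her listing would give the check a positive control, unless that is already covered in a feature file outside this diff. The scenarios also presumably rely on a Background that shares `shared` with bob, which is not visible in this hunk. A comment line such as `# bob has rights on "shared" via the Background, but is not its owner` would make the precondition explicit.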

