Fix: correctly scope mail account enumeration (#12636)

2026-04-25 02:19:55 -04:00 · 2026-04-24 10:15:59 -07:00 · 2026-04-24 10:15:59 -07:00 · e5561ba06f
commit e5561ba06f
parent 1692c916f8
2 changed files with 34 additions and 4 deletions
--- a/src/paperless_mail/serialisers.py
+++ b/src/paperless_mail/serialisers.py
@ -2,6 +2,7 @@ from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.exceptions import PermissionDenied

+from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
 from documents.serialisers import CorrespondentField
 from documents.serialisers import DocumentTypeField
@ -59,7 +60,18 @@ class MailAccountSerializer(OwnedObjectSerializer):

 class AccountField(serializers.PrimaryKeyRelatedField):
    def get_queryset(self):
-        return MailAccount.objects.all().order_by("-id")
+        user = getattr(self.context.get("request"), "user", None)
+        if user is None:
+            user = getattr(self.root, "user", None)
+
+        if user is None:
+            return MailAccount.objects.none()
+
+        return get_objects_for_user_owner_aware(
+            user,
+            "change_mailaccount",
+            MailAccount,
+        ).order_by("-id")


 class MailRuleSerializer(OwnedObjectSerializer):
--- a/src/paperless_mail/tests/test_api.py
+++ b/src/paperless_mail/tests/test_api.py
@ -632,7 +632,7 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
        self.assertEqual(returned_rule1.name, "Updated Name 1")
        self.assertEqual(returned_rule1.action, MailRule.MailAction.DELETE)

-    def test_create_mail_rule_forbidden_for_unpermitted_account(self):
+    def test_create_mail_rule_scopes_accounts(self):
        other_user = User.objects.create_user(username="mail-owner")
        foreign_account = MailAccount.objects.create(
            name="ForeignEmail",
@ -660,8 +660,26 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
                "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
            },
        )
+        missing_response = self.client.post(
+            self.ENDPOINT,
+            data={
+                "name": "Rule1",
+                "account": foreign_account.pk + 1000,
+                "folder": "INBOX",
+                "filter_from": "from@example.com",
+                "maximum_age": 30,
+                "action": MailRule.MailAction.MARK_READ,
+                "assign_title_from": MailRule.TitleSource.FROM_SUBJECT,
+                "assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING,
+                "order": 0,
+                "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
+            },
+        )

-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(missing_response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(response.data["account"][0].code, "does_not_exist")
+        self.assertEqual(missing_response.data["account"][0].code, "does_not_exist")
        self.assertEqual(MailRule.objects.count(), 0)

    def test_create_mail_rule_allowed_for_granted_account_change_permission(self):
@ -736,7 +754,7 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
            data={"account": foreign_account.pk},
        )

-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
        rule1.refresh_from_db()
        self.assertEqual(rule1.account, own_account)