JAMES-2182 Fix rights for APPEND, MOVE, COPY

mailbox/store/src/main/java/org/apache/james/mailbox/store/StoreMessageManager.java

@@ -63,6 +63,7 @@
 import org.apache.james.mailbox.MetadataWithMailboxId;
 import org.apache.james.mailbox.ModSeq;
 import org.apache.james.mailbox.events.MailboxIdRegistrationKey;
+import org.apache.james.mailbox.exception.InsufficientRightsException;
 import org.apache.james.mailbox.exception.MailboxException;
 import org.apache.james.mailbox.exception.ReadOnlyException;
 import org.apache.james.mailbox.exception.UnsupportedRightException;
@@ -408,6 +409,9 @@ private Mono<AppendResult> appendMessage(Content msgIn, Date internalDate, final
             if (!isWriteable(mailboxSession)) {
                 throw new ReadOnlyException(getMailboxPath());
             }
+            if (!storeRightManager.myRights(mailbox, mailboxSession).contains(MailboxACL.Right.Insert)) {
+                throw new InsufficientRightsException("Append messages requires 'i' right");
+            }
 
             try (InputStream contentStream = msgIn.getInputStream();
                  UnsynchronizedFilterInputStream bufferedContentStream = UnsynchronizedBufferedInputStream.builder()
@@ -733,6 +737,9 @@ public Flux<MessageRange> copyTo(MessageRange set, StoreMessageManager toMailbox
         if (!toMailbox.isWriteable(session)) {
             return Flux.error(new ReadOnlyException(toMailbox.getMailboxPath()));
         }
+        if (!storeRightManager.myRights(toMailbox.mailbox, session).contains(MailboxACL.Right.Insert)) {
+            return Flux.error(new InsufficientRightsException("Append messages requires 'i' right"));
+        }
         //TODO lock the from mailbox too, in a non-deadlocking manner - how?
         return Flux.from(locker.executeReactiveWithLockReactive(toMailbox.getMailboxPath(),
             copy(set, toMailbox, session)
@@ -747,9 +754,15 @@ public Flux<MessageRange> moveTo(MessageRange set, StoreMessageManager toMailbox
         if (!isWriteable(session)) {
             return Flux.error(new ReadOnlyException(toMailbox.getMailboxPath()));
         }
+        if (!storeRightManager.myRights(mailbox, session).contains(MailboxACL.Right.PerformExpunge)) {
+            return Flux.error(new InsufficientRightsException("Deleting messages requires 'e' right"));
+        }
         if (!toMailbox.isWriteable(session)) {
             return Flux.error(new ReadOnlyException(toMailbox.getMailboxPath()));
         }
+        if (!storeRightManager.myRights(toMailbox.mailbox, session).contains(MailboxACL.Right.Insert)) {
+            return Flux.error(new InsufficientRightsException("Append messages requires 'i' right"));
+        }
         //TODO lock the from mailbox too, in a non-deadlocking manner - how?
         return Flux.from(locker.executeReactiveWithLockReactive(toMailbox.getMailboxPath(),
             move(set, toMailbox, session)

mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRS.test

@@ -54,9 +54,10 @@ S: \* OK \[PERMANENTFLAGS \(.*\)\] Limited
 S: \* OK \[HIGHESTMODSEQ .*\] Highest
 S: \* OK \[UIDNEXT .*\] Predicted next UID
 S: a4 OK \[READ-WRITE\] SELECT completed.
-# TODO WTF I do not have 'i' right but I can copy?
+
 C: a4 COPY 1:* #user.boby.mailbox-lrs
-S: a4 OK .* COPY completed.
+S: a4 NO COPY processing failed.
+
 C: a6 UNSELECT
 S: a6 OK UNSELECT completed.
 

mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRT.test

@@ -54,9 +54,10 @@ S: \* OK \[PERMANENTFLAGS \(.*\)\] Limited
 S: \* OK \[HIGHESTMODSEQ .*\] Highest
 S: \* OK \[UIDNEXT .*\] Predicted next UID
 S: a4 OK \[READ-WRITE\] SELECT completed.
-# TODO WTF I do not have 'i' right but I can copy?
+
 C: a4 COPY 1:* #user.boby.mailbox-lrt
-S: a4 OK .* COPY completed.
+S: a4 NO COPY processing failed.
+
 C: a6 UNSELECT
 S: a6 OK UNSELECT completed.
 

mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRTE.test

@@ -54,9 +54,10 @@ S: \* OK \[PERMANENTFLAGS \(.*\)\] Limited
 S: \* OK \[HIGHESTMODSEQ .*\] Highest
 S: \* OK \[UIDNEXT .*\] Predicted next UID
 S: a4 OK \[READ-WRITE\] SELECT completed.
-# TODO WTF I do not have 'i' right but I can copy?
+
 C: a4 COPY 1:* #user.boby.mailbox-lrte
-S: a4 OK .* COPY completed.
+S: a4 NO COPY processing failed.
+
 C: a6 UNSELECT
 S: a6 OK UNSELECT completed.
 
@@ -104,5 +105,5 @@ S: F11 OK FETCH completed.
 
 C: F15 EXPUNGE
 S: \* 1 EXPUNGE
-S: \* 19 RECENT
+S: \* 9 RECENT
 S: F15 OK EXPUNGE completed.

mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRW.test

@@ -54,9 +54,10 @@ S: \* OK \[PERMANENTFLAGS \(.*\)\] Limited
 S: \* OK \[HIGHESTMODSEQ .*\] Highest
 S: \* OK \[UIDNEXT .*\] Predicted next UID
 S: a4 OK \[READ-WRITE\] SELECT completed.
-# TODO WTF I do not have 'i' right but I can copy?
+
 C: a4 COPY 1:* #user.boby.mailbox-lrw
-S: a4 OK .* COPY completed.
+S: a4 NO COPY processing failed.
+
 C: a6 UNSELECT
 S: a6 OK UNSELECT completed.
 

mpt/impl/imap-mailbox/core/src/main/resources/org/apache/james/imap/scripts/SharingAccessLRX.test

@@ -54,12 +54,13 @@ S: \* OK \[PERMANENTFLAGS \(.*\)\] Limited
 S: \* OK \[HIGHESTMODSEQ .*\] Highest
 S: \* OK \[UIDNEXT .*\] Predicted next UID
 S: a4 OK \[READ-WRITE\] SELECT completed.
+
 C: a4 COPY 1:* #user.boby.mailbox-lrx
 S: a4 NO COPY processing failed.
+
 C: a6 UNSELECT
 S: a6 OK UNSELECT completed.
 
-
 C: a5 SETACL #user.boby.mailbox-lrx imapuser lra
 S: a5 NO SETACL You need the Administer right to perform command SETACL on mailbox #user.boby.mailbox-lrx.