Merge pull request #5219 from rjbs/cyr-1504-mayAdmin

apply implicit owner rights in JMAP API

cassandane/tiny-tests/JMAPMailbox/mailbox_set

@@ -43,6 +43,7 @@ sub test_mailbox_set
     $self->assert_equals(JSON::true, $mbox->{myRights}->{mayCreateChild});
     $self->assert_equals(JSON::true, $mbox->{myRights}->{mayRename});
     $self->assert_equals(JSON::true, $mbox->{myRights}->{mayDelete});
+    $self->assert_equals(JSON::true, $mbox->{myRights}->{mayAdmin});
     $self->assert_num_equals(0, $mbox->{totalEmails});
     $self->assert_num_equals(0, $mbox->{unreadEmails});
     $self->assert_num_equals(0, $mbox->{totalThreads});

changes/next/http_implicit_acls

@@ -0,0 +1,21 @@
+Description:
+
+The `implicit_owner_rights` ACLs were previously ignored when considering ACLs
+on resources accessed over HTTP, including over JMAP.  This led to inconsistent
+reporting of access control based by protocol, and has been fixed.  The
+implicit rights are now respected on HTTP protocools.
+
+
+Config changes:
+
+None.
+
+
+Upgrade instructions:
+
+None required.
+
+
+GitHub issue:
+
+None.

imap/httpd.c

@@ -5229,6 +5229,18 @@ EXPORTED int httpd_myrights(struct auth_state *authstate, const mbentry_t *mbent
     if (mbentry && mbentry->acl) {
         rights = cyrus_acl_myrights(authstate, mbentry->acl);
 
+        /* Add in implicit rights */
+        if (httpd_userisadmin) {
+            rights |= ACL_LOOKUP|ACL_ADMIN;
+        }
+        else if (mboxname_isscheduledmailbox(mbentry->name, MBTYPE_EMAIL)) {
+            /* This seems maybe not *quite* right, but: do not apply implicit
+             * owner ACL to \Scheduled, because it is weird. */
+        }
+        else if (mboxname_userownsmailbox(httpd_userid, mbentry->name)) {
+            rights |= config_implicitrights;
+        }
+
         if (mbtype_isa(mbentry->mbtype) == MBTYPE_CALENDAR &&
             (rights & DACL_READ) == DACL_READ) {
             rights |= DACL_READFB;