From afc2ae0fc414fe596613bca789a880e580ff854c Mon Sep 17 00:00:00 2001
From: Ricardo Signes <rjbs@semiotic.systems>
Date: Wed, 15 Jan 2025 14:58:11 -0500
Subject: [PATCH] httpd.c: apply implicit owner rights in httpd_myrights

This will (for example) cause mayAdmin to appear in the JMAP API when
"a" comes from implicit rights.
---
 cassandane/tiny-tests/JMAPMailbox/mailbox_set |  1 +
 changes/next/http_implicit_acls               | 21 +++++++++++++++++++
 imap/httpd.c                                  | 12 +++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 changes/next/http_implicit_acls

diff --git a/cassandane/tiny-tests/JMAPMailbox/mailbox_set b/cassandane/tiny-tests/JMAPMailbox/mailbox_set
index 722e175d10..bee7b4eb5f 100644
--- a/cassandane/tiny-tests/JMAPMailbox/mailbox_set
+++ b/cassandane/tiny-tests/JMAPMailbox/mailbox_set
@@ -43,6 +43,7 @@ sub test_mailbox_set
     $self->assert_equals(JSON::true, $mbox->{myRights}->{mayCreateChild});
     $self->assert_equals(JSON::true, $mbox->{myRights}->{mayRename});
     $self->assert_equals(JSON::true, $mbox->{myRights}->{mayDelete});
+    $self->assert_equals(JSON::true, $mbox->{myRights}->{mayAdmin});
     $self->assert_num_equals(0, $mbox->{totalEmails});
     $self->assert_num_equals(0, $mbox->{unreadEmails});
     $self->assert_num_equals(0, $mbox->{totalThreads});
diff --git a/changes/next/http_implicit_acls b/changes/next/http_implicit_acls
new file mode 100644
index 0000000000..ace92cae0e
--- /dev/null
+++ b/changes/next/http_implicit_acls
@@ -0,0 +1,21 @@
+Description:
+
+The `implicit_owner_rights` ACLs were previously ignored when considering ACLs
+on resources accessed over HTTP, including over JMAP.  This led to inconsistent
+reporting of access control based by protocol, and has been fixed.  The
+implicit rights are now respected on HTTP protocools.
+
+
+Config changes:
+
+None.
+
+
+Upgrade instructions:
+
+None required.
+
+
+GitHub issue:
+
+None.
diff --git a/imap/httpd.c b/imap/httpd.c
index f763c3f131..4681284b5a 100644
--- a/imap/httpd.c
+++ b/imap/httpd.c
@@ -5229,6 +5229,18 @@ EXPORTED int httpd_myrights(struct auth_state *authstate, const mbentry_t *mbent
     if (mbentry && mbentry->acl) {
         rights = cyrus_acl_myrights(authstate, mbentry->acl);
 
+        /* Add in implicit rights */
+        if (httpd_userisadmin) {
+            rights |= ACL_LOOKUP|ACL_ADMIN;
+        }
+        else if (mboxname_isscheduledmailbox(mbentry->name, MBTYPE_EMAIL)) {
+            /* This seems maybe not *quite* right, but: do not apply implicit
+             * owner ACL to \Scheduled, because it is weird. */
+        }
+        else if (mboxname_userownsmailbox(httpd_userid, mbentry->name)) {
+            rights |= config_implicitrights;
+        }
+
         if (mbtype_isa(mbentry->mbtype) == MBTYPE_CALENDAR &&
             (rights & DACL_READ) == DACL_READ) {
             rights |= DACL_READFB;