Add basic queryset filtering for StoredMessage (not yet good enough)

This is not secure. A user might change their email to that of someone else, and then see the messages. Need a verified email class.

Add basic queryset filtering for StoredMessage (not yet good enough)
This is not secure. A user might change their email to that of someone else, and then see the messages. Need a verified email class.
88f9ec3c · Jean-Sébastien Caux · 689f34a4 · 88f9ec3c · 88f9ec3c · 88f9ec3c
Commit 88f9ec3c authored 5 years ago by Jean-Sébastien Caux
--- a/apimail/api/views.py
+++ b/apimail/api/views.py
@@ -32,7 +32,9 @@ class StoredMessageListAPIView(ListAPIView):


 class StoredMessageRetrieveAPIView(RetrieveAPIView):
-    queryset = StoredMessage.objects.all()
    permission_classes = (IsAdminUser,)
    serializer_class = StoredMessageSerializer
    lookup_field = 'uuid'
+
+    def get_queryset(self):
+        return StoredMessage.objects.filter_for_user(self.request.user)
--- a/apimail/managers.py
+++ b/apimail/managers.py
+__copyright__ = "Copyright © Stichting SciPost (SciPost Foundation)"
+__license__ = "AGPL v3"
+
+
+from django.db import models
+
+
+class StoredMessageQuerySet(models.QuerySet):
+    """
+    All StoredMessage querysets are always filtered for the user.
+    """
+    def filter_for_user(self, request):
+        """
+        Either su or staff, or user's email addresses overlap with sender/recipients.
+        """
+        if not request.user.is_authenticated:
+            return self.none()
+        elif request.user.is_superuser or request.user.is_admin:
+            return self
+        emails = [request.user.email,] if request.user.email else []
+        if request.user.contributor:
+            for pe in request.user.contributor.profile.emails.all():
+                emails.append(pe.email)
+        return self.filter_for_emails(emails=emails)
+
+    def filter_for_emails(self, emails):
+        """
+        Ensure overlap of the emails in emails kwarg with those in sender or recipients.
+        """
+        emails_used = emails
+        if not isinstance(emails, list):
+            emails_used = [emails]
+        emails_lower = [e.lower() for e in emails_used]
+        return self.filter(
+            models.Q(data__sender__in=emails_lower) |
+            models.Q(data__recipients__in=emails_lower) | # if recipients is a single entry
+            models.Q(data__recipients__overlap=emails_lower)) # if recipients is a list
--- a/apimail/models/stored_message.py
+++ b/apimail/models/stored_message.py
@@ -10,6 +10,7 @@ from django.urls import reverse

 from scipost.storage import SecureFileStorage

+from ..managers import StoredMessageQuerySet
 from ..validators import validate_max_email_attachment_file_size


@@ -23,6 +24,8 @@ class StoredMessage(models.Model):
        editable=False)
    data = JSONField(default=dict)

+    objects = StoredMessageQuerySet.as_manager()
+
    class Meta:
        ordering = ['-data__Date',]