Matthieu Baechler commented on JAMES-1734: ------------------------------------------ backticks don't work on JIRA, you have to use {noformat}{code}{noformat} > As an authenticated JMAP user, I can pretend to be someone else in the mails > I send > ------------------------------------------------------------------------------------ > > Key: JAMES-1734 > URL: https://issues.apache.org/jira/browse/JAMES-1734 > Project: James Server > Issue Type: Bug > Components: JMAP > Affects Versions: Trunk > Reporter: Tellier Benoit > Assignee: Tellier Benoit > Fix For: Trunk > > > Scenario: > Bob and Alice are together a happy couple. William is jealous of this. He > decides to send a mail to Alice, with Bob's identity, to tell her Bob decided to > break up. > To do this, William (authenticated as himself) issues a JMAP setMessages request that creates a message in his own outbox. He > then puts Bob's address in the from field, and the server accepts it without checking that the address belongs to the authenticated account (the response below shows both the from and sender headers carrying Bob's address). The server should reject, or at least not relay, a from/sender value that the authenticated user is not allowed to use. > Alice receives a mail from Bob saying they broke up. She believes > it, cries all night and meets William. > Code snippets: failing test: > ``` > @Test > public void test() throws Exception { > > jmapServer.serverProbe().createMailbox(MailboxConstants.USER_NAMESPACE, > username, "sent"); > jmapServer.serverProbe().addUser("b...@domain.tld", "1234"); > jmapServer.serverProbe().addUser("al...@domain.tld", "1234"); > String requestBody = "[" + > " [" + > " \"setMessages\","+ > " {" + > " \"create\": { \"user|inbox|1\" : {" + > " \"from\": { \"email\": \"b...@domain.tld\"}," + > " \"to\": [{ \"name\": \"Alice\", \"email\": > \"al...@domain.tld\"}]," + > " \"cc\": [{ \"name\": \"ALICE\"}]," + > " \"subject\": \"Alice, I break up with you !\"," + > " \"textBody\": \"In this mail usern...@domain.tld > pretends to be us...@domain.tld, and takes advantage of it\"," + > " \"mailboxIds\": [\"" + getOutboxId() + "\"]" + > " }}" + > " }," + > " \"#0\"" + > " ]" + > "]"; > // Given > given() > .accept(ContentType.JSON) > .contentType(ContentType.JSON) > .header("Authorization", accessToken.serialize()) 
> .body(requestBody) > // When > .when() > .post("/jmap") > .prettyPeek(); > // Then > AccessToken user2AccessToken = accessToken = > JmapAuthentication.authenticateJamesUser("al...@domain.tld", "1234"); > > Thread.sleep(10000); > with() > .accept(ContentType.JSON) > .contentType(ContentType.JSON) > .header("Authorization", user2AccessToken.serialize()) > .body("[[\"getMessageList\", {\"fetchMessages\":true, > \"fetchMessageProperties\":[\"from\", \"subject\", \"textBody\"]}, \"#0\"]]") > .when() > .post("/jmap") > .prettyPeek(); > } > ``` > Jmap responses : > William : > ``` > [ > [ > "messagesSet", > { > "accountId": null, > "oldState": null, > "newState": null, > "created": { > "user|inbox|1": { > "id": "usern...@domain.tld|outbox|1", > "blobId": "1", > "threadId": "usern...@domain.tld|outbox|1", > "mailboxIds": [ > "cf265170-1299-11e6-9382-c5a352d114a2" > ], > "inReplyToMessageId": null, > "isUnread": false, > "isFlagged": false, > "isAnswered": false, > "isDraft": false, > "hasAttachment": false, > "headers": { > "cc": " ", > "date": "Thu, 5 May 2016 15:17:29 +0700", > "bcc": " ", > "sender": "b...@domain.tld", > "subject": "Alice, I break up with you !", > "message-id": "user|inbox|1", > "from": "b...@domain.tld", > "to": "Alice <al...@domain.tld>", > "reply-to": " " > }, > "from": { > "name": "b...@domain.tld", > "email": "b...@domain.tld" > }, > "to": [ > { > "name": "Alice", > "email": "al...@domain.tld" > } > ], > "cc": [ > > ], > "bcc": [ > > ], > "replyTo": [ > > ], > "subject": "Alice, I break up with you !", > "date": "2016-05-05T08:17:29.974Z", > "size": 297, > "preview": "In this mail usern...@domain.tld pretends to > be us...@domain.tld, and takes advantage of it", > "textBody": "In this mail usern...@domain.tld pretends to > be us...@domain.tld, and takes advantage of it", > "htmlBody": null, > "attachments": [ > > ], > "attachedMessages": { > > } > } > }, > "updated": [ > > ], > "destroyed": [ > > ], > "notCreated": { > > }, > "notUpdated": { > > 
}, > "notDestroyed": { > > } > }, > "#0" > ] > ] > ``` > Alice : > ``` > [ > [ > "messageList", > { > "accountId": null, > "filter": null, > "sort": [ > > ], > "collapseThreads": false, > "state": null, > "canCalculateUpdates": false, > "position": 0, > "total": 0, > "threadIds": [ > > ], > "messageIds": [ > "al...@domain.tld|INBOX|1" > ] > }, > "#0" > ], > [ > "messages", > { > "notFound": [ > > ], > "list": [ > { > "id": "al...@domain.tld|INBOX|1", > "from": { > "name": "b...@domain.tld", > "email": "b...@domain.tld" > }, > "subject": "Alice, I break up with you !", > "textBody": "In this mail usern...@domain.tld pretends to > be us...@domain.tld, and takes advantage of it" > } > ] > }, > "#0" > ] > ] > ``` -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org