Respect add mailaccount perms

src-ui/src/app/components/manage/mail/mail.component.html

@@ -14,12 +14,12 @@
       <i-bs name="plus-circle"></i-bs>&nbsp;<ng-container i18n>Add Account</ng-container>
     </button>
     @if (gmailOAuthUrl) {
-      <a class="btn btn-sm btn-outline-secondary ms-2" [href]="gmailOAuthUrl">
+      <a class="btn btn-sm btn-outline-secondary ms-2" [href]="gmailOAuthUrl" *pngxIfPermissions="{ action: PermissionAction.Add, type: PermissionType.MailAccount }">
         <i-bs name="google"></i-bs>&nbsp;<ng-container i18n>Connect Gmail Account</ng-container>
       </a>
     }
     @if (outlookOAuthUrl) {
-      <a class="btn btn-sm btn-outline-secondary ms-2" [href]="outlookOAuthUrl">
+      <a class="btn btn-sm btn-outline-secondary ms-2" [href]="outlookOAuthUrl" *pngxIfPermissions="{ action: PermissionAction.Add, type: PermissionType.MailAccount }">
         <i-bs name="microsoft"></i-bs>&nbsp;<ng-container i18n>Connect Outlook Account</ng-container>
       </a>
     }

src/paperless_mail/tests/test_mail_oauth.py

@@ -2,6 +2,7 @@ from datetime import timedelta
 from unittest import mock
 
 from django.conf import settings
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.test import TestCase
 from django.test import override_settings
@@ -20,6 +21,14 @@ class TestMailOAuth(
 ):
     def setUp(self) -> None:
         self.user = User.objects.create_user("testuser")
+        self.user.user_permissions.add(
+            *Permission.objects.filter(
+                codename__in=[
+                    "add_mailaccount",
+                ],
+            ),
+        )
+        self.user.save()
         self.client.force_login(self.user)
         self.mail_account_handler = MailAccountHandler()
         # Mock settings
@@ -82,7 +91,7 @@ class TestMailOAuth(
     @mock.patch(
         "paperless_mail.oauth.PaperlessMailOAuth2Manager.get_outlook_access_token",
     )
-    def test_oauth_callback_view(
+    def test_oauth_callback_view_success(
         self,
         mock_get_outlook_access_token,
         mock_get_gmail_access_token,
@@ -128,29 +137,8 @@ class TestMailOAuth(
             MailAccount.objects.filter(imap_server="outlook.office365.com").exists(),
         )
 
-    def test_oauth_callback_view_no_code(self):
-        """
-        GIVEN:
-            - Mocked settings for Gmail and Outlook OAuth client IDs and secrets
-        WHEN:
-            - OAuth callback is called without a code
-        THEN:
-            - 400 bad request returned, no mail accounts are created
-        """
-
-        response = self.client.get(
-            "/api/oauth/callback/",
-        )
-        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-        self.assertFalse(
-            MailAccount.objects.filter(imap_server="imap.gmail.com").exists(),
-        )
-        self.assertFalse(
-            MailAccount.objects.filter(imap_server="outlook.office365.com").exists(),
-        )
-
     @mock.patch("httpx_oauth.oauth2.BaseOAuth2.get_access_token")
-    def test_oauth_callback_view_error(self, mock_get_access_token):
+    def test_oauth_callback_view_fails(self, mock_get_access_token):
         """
         GIVEN:
             - Mocked settings for Gmail and Outlook OAuth client IDs and secrets
@@ -185,6 +173,57 @@ class TestMailOAuth(
 
             self.assertIn("Error getting access token: test_error", cm.output[0])
 
+    def test_oauth_callback_view_insufficient_permissions(self):
+        """
+        GIVEN:
+            - Mocked settings for Gmail and Outlook OAuth client IDs and secrets
+            - User without add_mailaccount permission
+        WHEN:
+            - OAuth callback is called
+        THEN:
+            - 400 bad request returned, no mail accounts are created
+        """
+        self.user.user_permissions.remove(
+            *Permission.objects.filter(
+                codename__in=[
+                    "add_mailaccount",
+                ],
+            ),
+        )
+        self.user.save()
+
+        response = self.client.get(
+            "/api/oauth/callback/?code=test_code&scope=https://mail.google.com/",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertFalse(
+            MailAccount.objects.filter(imap_server="imap.gmail.com").exists(),
+        )
+        self.assertFalse(
+            MailAccount.objects.filter(imap_server="outlook.office365.com").exists(),
+        )
+
+    def test_oauth_callback_view_no_code(self):
+        """
+        GIVEN:
+            - Mocked settings for Gmail and Outlook OAuth client IDs and secrets
+        WHEN:
+            - OAuth callback is called without a code
+        THEN:
+            - 400 bad request returned, no mail accounts are created
+        """
+
+        response = self.client.get(
+            "/api/oauth/callback/",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertFalse(
+            MailAccount.objects.filter(imap_server="imap.gmail.com").exists(),
+        )
+        self.assertFalse(
+            MailAccount.objects.filter(imap_server="outlook.office365.com").exists(),
+        )
+
     @mock.patch("paperless_mail.mail.get_mailbox")
     @mock.patch(
         "httpx_oauth.oauth2.BaseOAuth2.refresh_token",

src/paperless_mail/views.py

@@ -99,6 +99,13 @@ class OauthCallbackView(GenericAPIView):
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, format=None):
+        if not (
+            request.user and request.user.has_perms(["paperless_mail.add_mailaccount"])
+        ):
+            return HttpResponseBadRequest(
+                "You do not have permission to add mail accounts",
+            )
+
         logger = logging.getLogger("paperless_mail")
         code = request.query_params.get("code")
         # Gmail passes scope as a query param, Outlook does not