Details
- Sub-task
- Status: Closed
- Major
- Resolution: Done
Description
It seems we are not checking that base mandatory capabilities are present in the request when processing the methods:
- urn:ietf:params:jmap:core
- urn:ietf:params:jmap:mail
We need to make sure we reject requests in our APIs missing those (mailbox/get, mailbox/set, vacationresponse/get, vacationresponse/set... even core/echo with core capability?)
It would be ideal to handle this in a generic fashion: the methods declare which capabilities they need and the API routes ensure these capabilities are there before calling the methods themselves.
DoD
- Add integration tests showing that requests with missing mandatory capabilities are being rejected in our existing APIs
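A minimal sketch of the generic approach described above, added here as an illustration and not taken from the project's code: each method declares the capabilities it needs, and the router compares them with the request's `using` list before the handler runs. The registry, the decorator name, the stub handlers, the JMAP-cased method names and the `unknownMethod` error shape are all assumptions.

```python
CORE = "urn:ietf:params:jmap:core"
MAIL = "urn:ietf:params:jmap:mail"

METHODS = {}  # method name -> (required capabilities, handler); hypothetical registry
CALLS = []    # names of handlers that actually ran, used to show rejected calls never reach them

def jmap_method(name, requires):
    """Register a handler together with the capabilities it declares as mandatory."""
    def register(handler):
        METHODS[name] = (frozenset(requires), handler)
        return handler
    return register

@jmap_method("Core/echo", requires={CORE})
def core_echo(args):
    CALLS.append("Core/echo")
    return args

@jmap_method("Mailbox/get", requires={CORE, MAIL})
def mailbox_get(args):
    CALLS.append("Mailbox/get")
    return {"accountId": args.get("accountId"), "list": []}  # constructed empty result

def process(request):
    """Route each invocation; reject it before the handler runs if a capability is missing."""
    using = set(request.get("using", []))
    responses = []
    for name, args, call_id in request["methodCalls"]:
        entry = METHODS.get(name)
        if entry is None:
            responses.append(["error", {"type": "unknownMethod"}, call_id])
            continue
        required, handler = entry
        missing = sorted(required - using)
        if missing:
            # Error type and description format are assumptions for this example.
            responses.append(["error", {
                "type": "unknownMethod",
                "description": "Missing capability(ies): " + ", ".join(missing),
            }, call_id])
            continue
        responses.append([name, handler(args), call_id])
    return {"methodResponses": responses}
```

Because the check lives in the router, an integration test only has to send a request with a reduced `using` list and assert on the error entry for each method.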