more import eml attachment check

application/Espo/Entities/Attachment.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Entities;
 
+use Espo\Core\Field\Link;
 use Espo\Core\Name\Field;
 use Espo\Core\ORM\Entity;
 
@@ -215,4 +216,13 @@ class Attachment extends Entity
 
         return $this;
     }
+
+    /**
+     * @since 9.3.5
+     */
+    public function getCreatedBy(): ?Link
+    {
+        /** @var ?Link */
+        return $this->getValueObject(Field::CREATED_BY);
+    }
 }

application/Espo/Tools/Email/Api/PostImportEml.php

@@ -48,6 +48,8 @@ use Espo\Tools\Email\ImportEmlService;
  */
 class PostImportEml implements Action
 {
+    private const string RELATED_TYPE = 'ImportEml';
+
     public function __construct(
         private Acl $acl,
         private User $user,
@@ -88,6 +90,14 @@ class PostImportEml implements Action
             throw new Forbidden("No access to attachment.");
         }
 
+        if ($attachment->getCreatedBy()?->getId() !== $this->user->getId()) {
+            throw new Forbidden("Attachment is not owned.");
+        }
+
+        if ($attachment->getRelatedType() !== self::RELATED_TYPE) {
+            throw new Forbidden("Attachment is not for import EML.");
+        }
+
         return $attachment;
     }