From 0391b4b3314242b6fc3cf1c8bebdc7ad33891e76 Mon Sep 17 00:00:00 2001
From: Yurii
Date: Tue, 24 Mar 2026 21:00:50 +0200
Subject: [PATCH] more import eml attachment check

---
 application/Espo/Entities/Attachment.php | 10 ++++++++++
 application/Espo/Tools/Email/Api/PostImportEml.php | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/application/Espo/Entities/Attachment.php b/application/Espo/Entities/Attachment.php
index 8c213d4d97..b0971e4e57 100644
--- a/application/Espo/Entities/Attachment.php
+++ b/application/Espo/Entities/Attachment.php
@@ -29,6 +29,7 @@
 namespace Espo\Entities;
+use Espo\Core\Field\Link;
 use Espo\Core\Name\Field;
 use Espo\Core\ORM\Entity;
@@ -215,4 +216,13 @@ class Attachment extends Entity
         return $this;
     }
+
+    /**
+     * @since 9.3.5
+     */
+    public function getCreatedBy(): ?Link
+    {
+        /** @var ?Link */
+        return $this->getValueObject(Field::CREATED_BY);
+    }
 }
diff --git a/application/Espo/Tools/Email/Api/PostImportEml.php b/application/Espo/Tools/Email/Api/PostImportEml.php
index 2e11ac09e1..4ae5e2cd3d 100644
--- a/application/Espo/Tools/Email/Api/PostImportEml.php
+++ b/application/Espo/Tools/Email/Api/PostImportEml.php
@@ -48,6 +48,8 @@ use Espo\Tools\Email\ImportEmlService;
  */
 class PostImportEml implements Action
 {
+    private const string RELATED_TYPE = 'ImportEml';
+
     public function __construct(
         private Acl $acl,
         private User $user,
@@ -88,6 +90,14 @@ class PostImportEml implements Action
             throw new Forbidden("No access to attachment.");
         }
+        if ($attachment->getCreatedBy()?->getId() !== $this->user->getId()) {
+            throw new Forbidden("Attachment is not owned.");
+        }
+
+        if ($attachment->getRelatedType() !== self::RELATED_TYPE) {
+            throw new Forbidden("Attachment is not for import EML.");
+        }
+
         return $attachment;
     }
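Review bot: The docblock on `getCreatedBy` carries only `@since 9.3.5` and says nothing about what the method returns or when the result is null, which matters now that PostImportEml branches on exactly that null case. I would put `Get the user that created the attachment, or null when the createdBy link is not set.` above the `@since` tag. The inline `/** @var ?Link */` would also benefit from a short why, e.g. `// narrows the generic getValueObject() return for static analysis — presumably untyped upstream`. The Attachment class header and the rest of the class are outside the hunk.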
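Review bot: The two new guards fail closed (a missing `createdBy` makes `null !== $this->user->getId()` true and the request is rejected), but nothing at this site records why an attachment the ACL already allowed is still refused, and the `relatedType` guard is only as strong as the upload path that sets the value — if a client can choose `relatedType` freely when uploading, this check pins the attachment to the EML-import flow by convention rather than by enforcement, which is worth confirming against the upload endpoint. I would add above the first guard: `// Only attachments the current user uploaded specifically for EML import may be consumed here; ACL read access alone is not enough.` The enclosing method starts outside the hunk, so the ACL check that emits `"No access to attachment."` is only partly visible.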