As the accesses are solely managed by ACLs, we can easily reuse the removeMember method in TeamMailboxRepository that does exactly this.
The session used in the method is already a system session with the "team mailbox user" (team-mailbox@domain). And because with JMAP we already check that the accountId corresponds to the user, then there should be no risk of removing other users of a team mailbox than yourself right?
We should be careful to not allow delegated users to access this method on a delegated account, like we did for some other methods!
quantranhong1999
commented
1 year ago
With https://github.com/linagora/tmail-backend/issues/567 defined, we can write the implementation for it.
As the accesses are solely managed by ACLs, we can easily reuse the
removeMembermethod inTeamMailboxRepositorythat does exactly this.The session used in the method is already a system session with the "team mailbox user" (team-mailbox@domain). And because with JMAP we already check that the accountId corresponds to the user, then there should be no risk of removing other users of a team mailbox than yourself right?
We should be careful to not allow delegated users to access this method on a delegated account, like we did for some other methods!
DoD: Integration tests