Ensure RT-Attach headers are validated when they are configured

Previously, we did not verify whether these attachment ids exist or if the
current user has permission to view them. Although RT::Action::SendEmail
performs similar checks, it is still beneficial to validate them beforehand.

Author: sunnavy

lib/RT/Ticket.pm

@@ -1718,9 +1718,22 @@ sub _RecordNote {
         $args{'AttachExisting'} = [$args{'AttachExisting'}]
             if not ref $args{'AttachExisting'} eq 'ARRAY';
 
-        for my $attach (@{$args{'AttachExisting'}}) {
-            next if $attach =~ /\D/;
-            $args{'MIMEObj'}->head->add( 'RT-Attach' => $attach );
+        for my $attach_id (@{$args{'AttachExisting'}}) {
+            next if !$attach_id || $attach_id =~ /\D/;
+            my $attach = RT::Attachment->new( $self->CurrentUser );
+            $attach->Load($attach_id);
+            if ( $attach->Id ) {
+                if ( $attach->CurrentUserCanSee ) {
+                    $args{'MIMEObj'}->head->add( 'RT-Attach' => $attach_id );
+                }
+                else {
+                    RT->Logger->warning(
+                        'User ' . $self->CurrentUser->Name . " does not have permission to view attachment #$attach_id" );
+                }
+            }
+            else {
+                RT->Logger->warning("Couldn't load attachment #$attach_id");
+            }
         }
     }
 

t/web/attach-from-txn.t

@@ -1,7 +1,8 @@
 use strict;
 use warnings;
 
-use RT::Test tests => 70;
+use RT::Test tests => undef;
+use Test::Warn;
 
 my $LogoName    = 'image.png';
 my $ImageName   = 'owls.jpg';
@@ -172,13 +173,18 @@ my $ticket = RT::Ticket->new($peter);
 $ticket->Load(1);
 ok $ticket->Id, "loaded ticket";
 
-my ($ok, $msg, $txn) = $ticket->Correspond( AttachExisting => $LogoId, Content => 'Hi' );
+my ( $ok, $msg );
+warnings_like {
+    ( $ok, $msg ) = $ticket->Correspond( AttachExisting => $LogoId, Content => 'Hi' );
+} [qr/User peter does not have permission to view attachment #$LogoId/], 'Invalid attachment';
 ok $ok, $msg;
 
 # check mail that went out doesn't contain the logo
 @mails = RT::Test->fetch_caught_mails;
 is scalar @mails, 1, "got one outgoing email";
 $mail = shift @mails;
-like $mail, qr/RT-Attach: $LogoId/, "found header we expected";
+unlike $mail, qr/RT-Attach: $LogoId/, "lacks header we expected";
 unlike $mail, qr/RT-Attachment: \d+\/\d+\/$LogoId/, "lacks RT-Attachment header";
 unlike $mail, qr/filename=.?\Q$LogoName\E.?/, "lacks filename";
+
+done_testing;