RFC patch: Deny removal of folder owner ACLs
Guilherme Maciel Ferreira
guilherme.maciel.ferreira at intra2net.com
Thu Mar 31 04:49:46 EDT 2011
On Wednesday 30 March 2011 10:05:27 Bron Gondwana wrote:
> I'd like to put this into 2.4.7 - but I'm still confused by a few things!
> 1) ACL_MODE_ADD - it's now not being checked for any more, only
> ACL_MODE_SET and ACL_MODE_REMOVE. I guess the theory is that ADD can
> never remove a permission...
The previous code checked if the mode was different from ACL_MODE_ADD, which
is equivalent to test if mode is equal to the others, ACL_MODE_SET and
The SETACL command must fail if the ACL_MODE_REMOVE string contains the admin
rights or if the ACL_MODE_SET doesn't have. The previous code assumed that
both modes should not contain admin rights, which is ok for ACL_MODE_SET, but
inverse for ACL_MODE_REMOVE.
> 2) how does this interact with mboxlist_ensureOwnerRights - which looks
> like it enforces pretty much the same thing, just doesn't complain about
You are right, mboxlist_ensureOwnerRights also ensures the mailbox owner keeps
its admin rights.
However, this code issues permission denied when attempting to remove the
admin rights, on the other hand, the check from mboxlist_ensureOwnerRights
does not complain like you said. IMHO I think it is better to complain, what
do you think?
More information about the Cyrus-devel