Cyrus reviews

Greg Banks gnb at fastmail.fm
Tue Jan 24 01:54:12 EST 2012



On Tue, Jan 24, 2012, at 07:25 AM, Bron Gondwana wrote:
> On Tue, Jan 24, 2012 at 01:49:52PM +1100, Greg Banks wrote:
> > I've been told I should do reviews more openly.  Ok, here goes.
> > 
> > commit "rename: ensure user owns both source and dest for Bug #3586 workaround"
> > 
> > Ok, but why?
> 
> CMU had somebody issue "rename $sharedroot INBOX.Trash".  Since they
> had no permissions on $sharedroot, the lower level returns
> IMAP_MAILBOX_NONEXISTENT.  Since "submailboxes" are done as admin,
> there were no ACL checks.  It was only the quota which stopped their
> > entire shared hierarchy being renamed under INBOX.Trash of one user.

Gah!  Still, checking for the same user is a rather ugly hack when what we
actually want is to do an ACL check.

-- 
Greg.
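
The failure mode discussed in this thread, as an added toy model in C (not Cyrus code and not part of the original message): a rename whose submailbox pass skips ACL checks, beside one that checks the caller's ACL on every mailbox in the tree. The struct layout, function names, return code and mailbox names are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not Cyrus code: struct layout, names and return codes are assumptions. */
enum { R_DENIED = -1 };
struct mbox { char name[64]; const char *renamer; /* user whose ACL permits rename */ };

static int in_tree(const char *name, const char *root) {
    size_t n = strlen(root);
    return strncmp(name, root, n) == 0 && (name[n] == '\0' || name[n] == '.');
}

/* Move every mailbox at or under `from` to sit under `to`.
 * acl_on_children = 0: only the root is looked up as `user`; a root hidden by
 *   its ACL looks nonexistent, and the submailbox pass then runs unchecked.
 * acl_on_children = 1: every mailbox in the tree must pass the user's ACL
 *   before anything is moved.
 * Returns the number of mailboxes moved, or R_DENIED. */
int rename_tree(struct mbox *s, int n, const char *user,
                const char *from, const char *to, int acl_on_children) {
    int moved = 0;
    if (acl_on_children)
        for (int i = 0; i < n; i++)
            if (in_tree(s[i].name, from) && strcmp(s[i].renamer, user) != 0)
                return R_DENIED;
    for (int i = 0; i < n; i++) {
        if (!in_tree(s[i].name, from)) continue;
        int is_root = s[i].name[strlen(from)] == '\0';
        if (is_root && strcmp(s[i].renamer, user) != 0)
            continue;               /* root "does not exist" for this user */
        char tmp[64];
        snprintf(tmp, sizeof tmp, "%s%s", to, s[i].name + strlen(from));
        strcpy(s[i].name, tmp);
        moved++;
    }
    return moved;
}

/* Constructed store: a shared hierarchy the user "alice" has no rights on. */
int demo(const char *from, int acl_on_children) {
    struct mbox s[] = { {"shared", "admin"}, {"shared.eng", "admin"},
                        {"shared.ops", "admin"}, {"user.alice.old", "alice"} };
    return rename_tree(s, 4, "alice", from, "user.alice.Trash", acl_on_children);
}

int main(void) {
    printf("unchecked: %d, per-mailbox ACL: %d\n", demo("shared", 0), demo("shared", 1));
    return 0;
}
```

With the per-mailbox check the legitimate case still works: alice can rename her own `user.alice.old` tree, while the shared hierarchy is refused before anything moves.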


More information about the Cyrus-devel mailing list