Calendar and addressbook sharing and reconstruct

Bron Gondwana brong at
Tue May 12 20:41:43 EDT 2015

I just discovered that reconstruct wiped the existing ACLs on calendar and addressbook mailboxes.

Actually, I'd seen it before, but I only just tracked it down:!user.masteruser_brongnet.#calendars.Default: update acl from header admin	lrswipkxtecdan	anyone	p	masteruser_brongnet at	lrwixtecda9	brong at	lrwited9	 => masteruser_brongnet at	lrswipkxtecdn	adminlrswipkxtecdan	anyone	p	

There I go losing my ACL again.  It turns out that the reason was API abuse:

 * Change the ACL for mailbox 'name'.  We already have it locked
 * and have written the backup copy to the header, so there's
 * nothing left but to write the mailboxes.db.
 * 1. Start transaction
 * 2. Set db entry
 * 3. Commit transaction
 * 4. Change mupdate entry 
mboxlist_sync_setacls(const char *name, const char *newacl)


Except, we weren't writing the backup copy to the header.  Over in sync_support we do:

    /* always take the ACL from the master, it's not versioned */
    if (strcmp(mailbox->acl, acl)) {
>-------mailbox_set_acl(mailbox, acl, 0);
>-------r = mboxlist_sync_setacls(mboxname, acl);
>-------if (r) goto done;

And of course in mboxlist_set_acl we call mailbox_set_acl, but we were missing it from the DAV code.

The fix is simple:

commit ddae480b906f7652b36634654a47e89273b76a22
Author: Bron Gondwana <brong at>
Date:   Wed May 13 09:49:29 2015 +1000

    dav: set ACLs down to mailbox cyrus.header as well as mboxlist

diff --git a/imap/http_dav.c b/imap/http_dav.c
index 4a83e51..79e93fe 100644
--- a/imap/http_dav.c
+++ b/imap/http_dav.c
@@ -2993,6 +2993,7 @@ int meth_acl(struct transaction_t *txn, void *params)
+    mailbox_set_acl(mailbox, buf_cstring(&acl), 1);
     r = mboxlist_sync_setacls(txn->req_tgt.mbentry->name, buf_cstring(&acl));
     if (r) {
        syslog(LOG_ERR, "mboxlist_setacl(%s) failed: %s",


And now I need to fix all FastMail's production.  Anyone else who has used the DAV ACL
commands will have to do the same.  My planned fix is to just go over every mailbox and
read the existing ACL and write it back.  This will cause a read from mailboxes.db followed
by a write to both mailboxes.db AND cyrus.header.


  Bron Gondwana
  brong at

More information about the Cyrus-devel mailing list