setacl broken: user with admin right can remove "a" right of mailbox owner

Alain Spineux aspineux at
Thu Nov 8 07:49:20 EST 2007


A user having administrative right on another mailbox can remove all
rights (including implicite ones) to the owner's mailbox.
I don't things is an expected feature!
Right ?

A buggy(*) test try to prevent to owner to remove its own right but
don't apply for other non admin user !

*buggy because the test compare the userid with the mailbox name, and
both use different syntax
regarding the use of "." and "^"
This work for "mailbox at" == "mailbox at" but
dont work for " at" == "foo^bar at"

Also the test compare the userid (aka the login of the user) with the
owner of the  mailbox
to "activate" the implicit ACL instead of comparing the identifier (in
the setacl command) and the owner !

user3 is to remove "a" right of user2 on mailbox of user1, because user2!=user1
But should not be able to remove "a" right of user1 on user1's mailbox
because user1==user1.

I was on the way of correcting the at" ==
"foo^bar at" test
but found the mismatch between userid and identifier and wouldlike to
be sure this is a bug
and not a feature.


Alain Spineux
aspineux gmail com
May the sources be with you

More information about the Info-cyrus mailing list