setacl broken: user with admin right can remove "a" right of mailbox owner
aspineux at gmail.com
Thu Nov 8 07:49:20 EST 2007
A user having administrative right on another mailbox can remove all
rights (including implicite ones) to the owner's mailbox.
I don't things is an expected feature!
A buggy(*) test try to prevent to owner to remove its own right but
don't apply for other non admin user !
*buggy because the test compare the userid with the mailbox name, and
both use different syntax
regarding the use of "." and "^"
This work for "mailbox at example.com" == "mailbox at example.com" but
dont work for "foo.bar at example.com" == "foo^bar at example.com"
Also the test compare the userid (aka the login of the user) with the
owner of the mailbox
to "activate" the implicit ACL instead of comparing the identifier (in
the setacl command) and the owner !
user3 is to remove "a" right of user2 on mailbox of user1, because user2!=user1
But should not be able to remove "a" right of user1 on user1's mailbox
I was on the way of correcting the foo.bar at example.com" ==
"foo^bar at example.com" test
but found the mismatch between userid and identifier and wouldlike to
be sure this is a bug
and not a feature.
aspineux gmail com
May the sources be with you
More information about the Info-cyrus