setacl broken: user with admin right can remove "a" right of mailbox owner

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi

A user having administrative right on another mailbox can remove all
rights (including implicite ones) to the owner's mailbox.
I don't things is an expected feature!
Right ?


A buggy(*) test try to prevent to owner to remove its own right but
don't apply for other non admin user !

*buggy because the test compare the userid with the mailbox name, and
both use different syntax
regarding the use of "." and "^"
This work for "mailbox@xxxxxxxxxxx" == "mailbox@xxxxxxxxxxx" but
dont work for "foo.bar@xxxxxxxxxxx" == "foo^bar@xxxxxxxxxxx"

Also the test compare the userid (aka the login of the user) with the
owner of the  mailbox
to "activate" the implicit ACL instead of comparing the identifier (in
the setacl command) and the owner !

user3 is to remove "a" right of user2 on mailbox of user1, because user2!=user1
But should not be able to remove "a" right of user1 on user1's mailbox
because user1==user1.

I was on the way of correcting the foo.bar@xxxxxxxxxxx" ==
"foo^bar@xxxxxxxxxxx" test
but found the mismatch between userid and identifier and wouldlike to
be sure this is a bug
and not a feature.

Regards.

-- 
Alain Spineux
aspineux gmail com
May the sources be with you
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux