On Mon, 2008-09-08 at 15:14 +0200, Matvey Soloviev wrote:
Hello,
I am working on implementing support for the RFC4314 ACL management commands and responses in the ACL plugin included with dovecot 1.1.2.
Sounds great. :) Did you also notice my "Initial support for shared mailboxes" message from yesterday?
(I verified the error persists with 1.1.3 though.) While the described objective is still in the works, I have stumbled upon what I believe to be a critical issue with the handling of negative rights in the present ACL plugin - to be precise, the cache component of it handles them in the exact same way as it does positive rights, thus granting rather than retracting the individual privileges.
I think the ACL plugin has currently been used only for some very basic configurations and it's not very well tested. I guess test cases would be nice, but the framework for easily doing that is still missing. Once you've implemented support for the IMAP ACL commands I could add test cases to imaptest (http://imapwiki.org/ImapTest).
To fix this, go to src/plugins/acl/acl-cache.c:391. The line and the one following it should read
    p[j] |= obj_cache->my_neg_rights[i]->mask[j];
Replace that to read
    p[j] &= ~obj_cache->my_neg_rights[i]->mask[j];
Thanks, fixed in v1.[012] code trees.
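
The masking mistake discussed in this thread, as an added example that is not Dovecot's code and not part of either message: it merges positive masks and then applies negative ones, once with OR (the reported behaviour) and once with AND NOT (the proposed fix). The struct, the bit numbers and all function names are hypothetical stand-ins.

```c
#include <stdio.h>
/* Hypothetical stand-ins, not Dovecot's structures: one bit per right. */
#define MASK_BYTES 2
enum { R_LOOKUP = 0, R_READ = 1, R_WRITE = 2, R_DELETE = 9 };
struct rights_mask { unsigned char mask[MASK_BYTES]; };
static void mask_set(struct rights_mask *m, int bit)
{
    m->mask[bit / 8] |= (unsigned char)(1u << (bit % 8));
}

static int mask_has(const struct rights_mask *m, int bit)
{
    return (m->mask[bit / 8] >> (bit % 8)) & 1;
}

/* Merge positive masks, then apply negative ones. buggy != 0 ORs the
   negative bits in (the reported behaviour); 0 clears them (the fix). */
static struct rights_mask effective_rights(const struct rights_mask *pos,
        size_t npos, const struct rights_mask *neg, size_t nneg, int buggy)
{
    struct rights_mask out = {{0}};
    size_t i, j;
    for (i = 0; i < npos; i++)
        for (j = 0; j < MASK_BYTES; j++)
            out.mask[j] |= pos[i].mask[j];
    for (i = 0; i < nneg; i++)
        for (j = 0; j < MASK_BYTES; j++)
            if (buggy)
                out.mask[j] |= neg[i].mask[j];
            else
                out.mask[j] &= (unsigned char)~neg[i].mask[j];
    return out;
}

/* Constructed sample: grant lookup/read/write, negate write/delete. */
static struct rights_mask sample(int buggy)
{
    struct rights_mask pos = {{0}}, neg = {{0}};
    mask_set(&pos, R_LOOKUP); mask_set(&pos, R_READ); mask_set(&pos, R_WRITE);
    mask_set(&neg, R_WRITE); mask_set(&neg, R_DELETE);
    return effective_rights(&pos, 1, &neg, 1, buggy);
}

int main(void)
{
    struct rights_mask bad = sample(1), good = sample(0);
    printf("buggy write=%d, fixed write=%d\n", mask_has(&bad, R_WRITE), mask_has(&good, R_WRITE));
    return 0;
}
```

With OR, the negative entry also switches on the delete bit that was never granted, so a regression test should check a right that appears only in the negative list as well as one that appears in both.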