I just committed code for IMAP ACL support based on the code from Kolab people. I made quite large changes, though.
I also changed how global ACLs are handled. Previously local ACLs could override global ACLs, but now that users are able to modify the ACLs I think it should be the other way around. From what I've heard global ACLs are typically added for things like 1) disallowing a user from doing something in specific mailboxes, such as expunging messages, 2) giving a specific master user access to some mailboxes ONLY, such as voicemail.
For case 1) a user really shouldn't be able to grant himself privileges back but still should be able to share the mailbox with others (so the global ACL should have the 'a' privilege). For case 2) a user shouldn't be able to remove privileges from the voicemail.
So now the user can freely update the local ACLs in whatever way he wants. But in the end if there are any global ACLs, all the local ACLs for those identifiers are ignored. Also local negative identifiers are ignored, so that e.g. global "user=foo lr" can't be disabled by a local "-user=foo lr" ACL.
I guess I should update the Wiki ACL page about how exactly the ACLs are applied now that they're well in my memory. :)
One thing I'm not really sure about is the "owner" handling. IMAP ACL specifications have no such concept. I think many/most other servers simply add a default ACL for the user name directly. It's a useful concept though, especially with the global ACLs. So currently Dovecot replies:
x getacl inbox
* ACL "inbox" "owner" lrwstiekxacd
x OK Getacl completed.
But should it just internally convert "owner" to "username" when replying? But then again if there's a separate rule directly for the "username" it breaks.
Do any of the existing ACL-capable IMAP clients want to see the username in the ACL reply or can they handle "owner" just fine?
Also what about global ACLs? The current code just lists them twice with local ACLs, which is definitely wrong:
x getacl foo
* ACL "foo" "xx" w "xx" lr "owner" lrwstiekxacd
x OK Getacl completed.
Perhaps the global ACLs could have a prefix character? Maybe '#'? Which reminds me, the current dovecot-acl file is mapped to IMAP ACLs like this:
dovecot-acl : IMAP ACL
- anyone : anyone
- authenticated : authenticated
- owner : owner
- user=name : name
- group=name : $name
- group-override=name : !$name
So all global ACLs would get the # prefix, like #anyone, #name, #!$name.
Any thoughts?
BTW. Listing shared mailboxes still doesn't work. I guess we'll see tomorrow if I still have energy to get that done.
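
The override rule and the proposed '#' prefix from the message above, as an added Python example (not Dovecot's code and not part of the original post). It assumes each dovecot-acl line has the form "identifier rights"; the names Entry, parse, effective and imap_identifier are hypothetical, and the sample ACL lines are constructed.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    ident: str      # dovecot-acl identifier without the "-" prefix, e.g. "user=foo"
    rights: str     # IMAP right letters, e.g. "lr"
    negative: bool  # True when the line was written as "-identifier rights"
    is_global: bool

def parse(line: str, is_global: bool) -> Entry:
    ident, _, rights = line.strip().partition(" ")
    negative = ident.startswith("-")
    return Entry(ident[1:] if negative else ident, rights.strip(), negative, is_global)

def effective(global_lines, local_lines):
    """Global entries win: any local entry (positive or negative) whose
    identifier also has a global entry is ignored."""
    g = [parse(l, True) for l in global_lines]
    locked = {e.ident for e in g}
    kept = [e for e in (parse(l, False) for l in local_lines) if e.ident not in locked]
    return g + kept

def imap_identifier(e: Entry) -> str:
    """Map a dovecot-acl identifier to its IMAP ACL name, using the
    '#' prefix for global entries as proposed in the message."""
    kind, _, name = e.ident.partition("=")
    if kind in ("anyone", "authenticated", "owner"):
        mapped = kind
    elif kind == "user":
        mapped = name
    elif kind == "group":
        mapped = "$" + name
    elif kind == "group-override":
        mapped = "!$" + name
    else:
        raise ValueError(f"unknown identifier: {e.ident}")
    return "#" + mapped if e.is_global else mapped

# Constructed sample: the global file removes expunge from the owner but keeps 'a',
# and gives a voicemail user access that the mailbox owner must not be able to revoke.
GLOBAL = ["owner lrwsika", "user=voicemail lr"]
LOCAL = ["owner lrwstiekxacd", "-user=voicemail lr", "user=bob lr", "group=staff l"]

if __name__ == "__main__":
    for e in effective(GLOBAL, LOCAL):
        print(imap_identifier(e), ("-" if e.negative else "") + e.rights)
```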