On Wed, 2007-05-09 at 11:15 -0400, Matt Zukowski wrote:
> Perhaps adopting Courier-IMAP's ACL specification might make sense? Tab is the delimiter instead of space, so spaces are allowed in identifiers.
This can't be changed anymore without breaking backwards compatibility. There could of course be some new setting or maybe the file format could be changed in a way that it allows spaces in identifiers but is still backwards compatible, but I'm not sure what would be the best way to do it.
> Also, negative permissions are possible (i.e. +r to grant read access, -r to disable it).
This should work with Dovecot too.
> Also, I believe precedence is based on the order of the rules in the file, so you could have the group permissions override the user permissions by placing the group constraint further down.
I don't think this is a good idea. Especially after I add support for the IMAP ACL extension. It doesn't support ordering rules. group-override=xx is for that.
> Anyway, there's also probably some benefit in using a common ACL format... interoperability is a good thing (unless you're Microsoft).
> I thought the dovecot-acl file was compatible with Courier, but I guess not if I missed the TAB separator thing. :)
> Regarding the group permissions not working, am I to understand that as of now they are implemented but don't actually do anything? i.e. how can I make use of the group constraints?
The code looks like this (src/plugins/acl/acl-storage.c):
    backend = acl_backend_init(acl_env, storage, user_env, NULL,
                               owner_username);
The NULL in there is the list of groups the user is in. So if you wanted to use groups, you'd have to set it somehow. Perhaps this would work:
    backend = acl_backend_init(acl_env, storage, user_env,
                               /* groups: comma-separated GROUPS env var, or none */
                               getenv("GROUPS") == NULL ? NULL :
                               t_strsplit(getenv("GROUPS"), ","),
                               owner_username);
Then you'll need to return "groups=a,b,c,d" from userdb. I'm not yet sure how I want this to work in Dovecot v1.1.
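As an added example (not Dovecot's code and not from this thread), a small Python lint and lookup for the space-delimited dovecot-acl format: it reports identifiers that cannot be expressed because space is the delimiter, splits a "groups=a,b,c,d" value the way the getenv("GROUPS") suggestion does, and models group-override= winning over user= rights independently of line order. The merge semantics (union of matching entries; a matching group-override= discards the user= rights) and the sample ACL are constructed assumptions, not a statement of Dovecot's exact behaviour.

```python
# Added example, not Dovecot code. Assumed model: rights are a set of letters;
# user= and group= rights are unioned; a matching group-override= entry
# discards the user= rights. The sample ACL below is constructed.
KNOWN_PREFIXES = ("user=", "group=", "group-override=")

def parse_acl(text):
    """Parse dovecot-acl style lines into (identifier, rights) pairs.
    Space is the delimiter, so an identifier containing a space cannot be
    written; such lines are reported instead of silently truncated."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 2:
            warnings.append(f"line {lineno}: expected 'identifier rights', got {len(fields)} fields")
            continue
        ident, rights = fields
        if not ident.startswith(KNOWN_PREFIXES):
            warnings.append(f"line {lineno}: unknown identifier {ident!r}")
            continue
        entries.append((ident, set(rights)))
    return entries, warnings

def groups_from_userdb(value):
    """Mirror of the suggested getenv("GROUPS") split: unset means no groups."""
    return [] if not value else value.split(",")

def effective_rights(entries, user, groups):
    """Rights for user under the assumed model. The result does not depend on
    entry order, which is why group-override= replaces rule ordering."""
    user_rights, group_rights, override = set(), set(), None
    for ident, rights in entries:
        if ident == f"user={user}":
            user_rights |= rights
        elif ident.startswith("group=") and ident[len("group="):] in groups:
            group_rights |= rights
        elif ident.startswith("group-override=") and ident[len("group-override="):] in groups:
            override = (override or set()) | rights
    return (override if override is not None else user_rights) | group_rights

SAMPLE_ACL = """\
user=alice lrw
group=staff lr
group-override=readonly lr
user=bob lrw
user=Jane Doe lr
"""  # last line: a space inside the identifier is unrepresentable
```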