On Thu, 2008-09-11 at 18:18 +0200, Matvey Soloviev wrote:
Did you also notice my "Initial support for shared mailboxes" message from yesterday? No, unfortunately I didn't; I only joined the mailing list on the day I sent this message. It sounds like it could be relevant to the topic though; could you provide me with a breakdown of what it is about?
http://dovecot.org/list/dovecot/2008-September/033464.html - basically the ability to access other users' mailboxes.
Would a facility to modify global ACLs through IMAP commands be required or of any use at all?
I'd say it wouldn't be of any use.
From what I gather, nothing like that is mentioned anywhere in the RFC. As it is now, I am having the writing commands influence only the referenced mailboxes' local ACLs - however, should global ACLs be present, this is bound to result in somewhat irrational-seeming behaviour - should I go through with my current approach of storing the ACL data as present in acl_object_vfile.rights into the local dovecot-acl file, global ACLs would, on the one hand, wind up being copied into it - on the other hand, from the client's perspective, the ACLs defined by the global file would appear to be irremovable. What should I do about this?
Hmm. Let's think about the use cases for global ACLs:
1) ACLs that actually restrict what the user can do, for example force the mailbox to be read-only. These would also remove the admin-right from the user and this wouldn't be an issue.
2) ACLs that allow a special account to access the mailbox (e.g. backup, voicemail, ..). A user must not be able to remove these rights.
3) Default ACLs for some mailbox that try to prevent the user from doing something accidentally, but allow a user to override the behavior by overriding the ACL.
I don't know if anyone uses 3) for anything. I'm not really even sure what it could be used for really. For 1) and 2) I'd actually argue that the user shouldn't even see the global ACLs (and certainly not override them), only how they affect the user's rights. 2) might actually need to be some kind of a "global for all mailboxes" ACL, at least for backup.
So I'm thinking that if possible don't let the user see or override the global ACLs. If that's too much work just ignore the problem for now and assume the user won't have admin-right to such mailboxes anyway.
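
The behaviour suggested in this message, sketched as an added example (not part of the thread and not Dovecot's code): global entries are never listed or rewritten through client commands, yet they still decide the effective rights. The structures, function names, sample users and the local-then-global evaluation order are assumptions made for the illustration.

```c
#include <string.h>
/* Constructed model for illustration; not Dovecot's data structures. */
enum { R_LOOKUP = 1, R_READ = 2, R_WRITE = 4, R_ADMIN = 8 };
#define R_ALL (R_LOOKUP | R_READ | R_WRITE | R_ADMIN)
struct acl_entry { const char *id; unsigned add, remove; int global; };

/* Constructed sample ACLs for one mailbox. */
static struct acl_entry acl[8] = {
    { "alice",  R_ALL, 0, 0 },
    { "bob",    R_ALL, 0, 0 },
    { "bob",    0, R_WRITE | R_ADMIN, 1 },  /* use case 1: forced read-only */
    { "backup", R_LOOKUP | R_READ, 0, 1 },  /* use case 2: special account */
};
static int acl_count = 4;

/* Local entries apply first, global ones last (assumed order), so global wins. */
unsigned effective_rights(const char *id)
{
    unsigned r = 0;
    for (int pass = 0; pass <= 1; pass++)
        for (int i = 0; i < acl_count; i++)
            if (acl[i].global == pass && strcmp(acl[i].id, id) == 0)
                r = (r | acl[i].add) & ~acl[i].remove;
    return r;
}

/* Number of entries a client listing would show: local ones only. */
int visible_entries(void)
{
    int n = 0;
    for (int i = 0; i < acl_count; i++)
        n += !acl[i].global;
    return n;
}

/* Client write: needs effective admin, touches local entries only; -1 = denied/full. */
int set_local_acl(const char *requester, const char *id, unsigned rights)
{
    if (!(effective_rights(requester) & R_ADMIN)) return -1;
    for (int i = 0; i < acl_count; i++)
        if (!acl[i].global && strcmp(acl[i].id, id) == 0) {
            acl[i].add = rights;
            acl[i].remove = 0;
            return 0;
        }
    if (acl_count == 8) return -1;
    acl[acl_count++] = (struct acl_entry){ id, rights, 0, 0 };
    return 0;
}
```

In this model alice holds the admin right and can write an empty local entry for backup, but backup's effective rights are unchanged because the global entry is applied afterwards; bob is refused outright because the global entry strips his admin right.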