On Mon, 2010-01-25 at 11:57 +0100, Amon Ott wrote:
http://wiki.dovecot.org/ACL says that "a" or "admin" covers "Administration rights to the mailbox". However, removing "a" from owner acl (using "lr") does not help, the user can still change all acl flags for all users with imap. Write accesses to mails are forbidden as they should.
Is this intended or a bug?
Looks like it was intended, to avoid users from accidentally removing admin privileges from their own mailboxes. But there's already other code in SETACL handling that tries to prevent the same thing, so that should be enough.
v2.0 now allows removing admin right manually from dovecot-acl file: http://hg.dovecot.org/dovecot-2.0/rev/667fea930ec3
I probably don't want to do the same change to v1.2, since it might break someone's setup.. Maybe you could use global ACLs to remove the admin right? If it's always the same mailbox name for every user.