On 26.11.2010 06:59, Timo Sirainen wrote:
On 26.11.2010, at 5.49, Timo Sirainen wrote:
Plan #2: Add support for per-user default namespace ACLs. In the mail root directory if "dovecot-default-acl" file exists, it's used as the default ACLs. I'm not entirely sure what should happen if it conflicts with the global ACLs. Probably they both should be simply merged, since both can only be created by an admin. Probably the per-user ACL should be allowed to override the global ACLs.
Oh, a thought: A default ACL is about what ACLs are applied to a mailbox that doesn't yet have any ACL (or copying ACLs to a newly created mailbox on namespace root level). But would it be also useful to have ACLs that are always added on top of existing ACLs for a mailbox, even if it already has some ACLs set for it? Global ACLs already do this, but would it be useful to have also per-namespace "global" ACLs that acted that way? Possibly not.. But how useful would default ACLs be either? Maybe global ACLs with support for wildcards are all that is needed.
Hi Timo, features are nice to have, but in reality I don't think global ACLs are a widely used feature. So if it does not break something, it might be welcome in principle.
In a real-world scenario root can always set user ACLs by script at mailbox creation time, i.e. postfixadmin has a create hook, if needed. For sure this can be overridden by the user later (which might not be liked by admins; anyway, this can be corrected with a script, i.e. by cron, too), but it should be enough for setting ACLs to, i.e., postmaster for a pub namespace folder, which can be admined forcing administrate to users to subfolders later.
For other stuff there is the master user feature, which should allow setting users' ACLs, whatever, for admins like the real user is able to do.
The only real problem I see is, like on fileservers, permissions/ACLs "get wild" over time, and people lose the overview of what ACLs are users/globals etc. (but this is always a problem).
After all, whatever method you might implement, it should work with dict mysql like users' ACLs now do.
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria