[Dovecot] v1.2 can't set ACL to empty string
Hi *,
according to RfC4314 the rights argument to the setacl command might be an empty string ("zero right characters"):
The third argument is a string containing an optional plus ("+") or
minus ("-") prefix, followed by zero or more rights characters.
existing clients (horde in particular) actually use this to remove all rights from a user.
Currently dovecot 1.2 does not accept an empty rights string as argument to setacl. Bernhard Herzog will look into this.
cheers sascha
Sascha Wilde OpenPGP key: 4BB86568 http://www.intevation.de/~wilde/ http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
On 18.02.2009, Sascha Wilde wrote:
according to RfC4314 the rights argument to the setacl command might be an empty string ("zero right characters"):
The third argument is a string containing an optional plus ("+") or minus ("-") prefix, followed by zero or more rights characters.
existing clients (horde in particular) actually use this to remove all rights from a user.
Currently dovecot 1.2 does not accept an empty rights string as argument to setacl. Bernhard Herzog will look into this.
Below is a patch that fixes this. SETACL with an empty string as rights will be equivalent to DELETEACL with the same identifier.
While testing this, I noticed two other problems in the imap-acl plugin, both related to negative ACL entries. If an ACL contains both negative and positive entries for the same identifier, no space is output in the GETACL response, leading to something like e.g.
* ACL "INBOX/foo" "someuser" lrs-"someuser" w
The second problem is that the "-" is not inside the double quotes.
Bernhard
Here's the patch (not an attachment to avoid a mailman bug that breaks signatures):
diff -r 13e1c379ab63 src/plugins/imap-acl/imap-acl-plugin.c --- a/src/plugins/imap-acl/imap-acl-plugin.c Thu Feb 19 13:08:50 2009 -0500 +++ b/src/plugins/imap-acl/imap-acl-plugin.c Fri Feb 20 17:08:33 2009 +0100 @@ -375,7 +375,7 @@ static bool cmd_setacl(struct client_com bool negative = FALSE; if (!client_read_string_args(cmd, 3, &mailbox, &identifier, &rights) || - *identifier == '\0' || *rights == '\0') { + *identifier == '\0') { client_send_command_error(cmd, "Invalid arguments."); return TRUE; } @@ -414,7 +414,19 @@ static bool cmd_setacl(struct client_com if (box == NULL) return TRUE; - if (negative) { + if (update.rights.rights[0] == NULL) { + if (negative) { + update.modify_mode = 0; + update.rights.rights = NULL; + update.neg_modify_mode = ACL_MODIFY_MODE_CLEAR; + update.rights.neg_rights = NULL; + } else { + update.modify_mode = ACL_MODIFY_MODE_CLEAR; + update.rights.rights = NULL; + update.neg_modify_mode = 0; + update.rights.neg_rights = NULL; + } + } else if (negative) { update.neg_modify_mode = update.modify_mode; update.modify_mode = ACL_MODIFY_MODE_REMOVE; update.rights.neg_rights = update.rights.rights;
-- Bernhard Herzog | ++49-541-335 08 30 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
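Review bot: in the first hunk (@@ -375), the argument check in cmd_setacl now lets an empty rights string through, with nothing at that spot saying why. A one-line comment noting that RFC 4314 allows zero rights characters would keep the "*rights == '\0'" test from being reinstated later. Any code after this point that reads the first character of rights should also be confirmed to cope with the empty string, which these lines do not show.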
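Review bot: in the second hunk (@@ -414), the new "if (update.rights.rights[0] == NULL)" branch overwrites update.modify_mode (or update.neg_modify_mode when negative is set) with ACL_MODIFY_MODE_CLEAR regardless of the mode chosen earlier in cmd_setacl. If a bare "+" or "-" rights string also yields an empty rights array, it would clear the entry, whereas RFC 4314 defines those prefixes as adding or removing the listed rights, which here is none. Consider taking the clear path only when no prefix was given. The branch also dereferences update.rights.rights without a NULL check, and both arms repeat the two "= NULL" assignments, which could be hoisted above the inner if.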
On Fri, 2009-02-20 at 17:48 +0100, Bernhard Herzog wrote:
On 18.02.2009, Sascha Wilde wrote:
according to RfC4314 the rights argument to the setacl command might be an empty string ("zero right characters"):
The third argument is a string containing an optional plus ("+") or minus ("-") prefix, followed by zero or more rights characters.
existing clients (horde in particular) actually use this to remove all rights from a user.
Currently dovecot 1.2 does not accept an empty rights string as argument to setacl. Bernhard Herzog will look into this.
Below is a patch that fixes this. SETACL with an empty string as rights will be equivalent to DELETEACL with the same identifier.
Committed.
While testing this, I noticed two other problems in the imap-acl plugin, both related to negative ACL entries. If an ACL contains both negative and positive entries for the same identifier, no space is output in the GETACL response, leading to something like e.g.
* ACL "INBOX/foo" "someuser" lrs-"someuser" w
Fixed.
The second problem is that the "-" is not inside the double quotes.
Fixed.
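The RFC 4314 rule quoted at the top of this thread, as an added example that is not part of the thread or of Dovecot's code: apply_setacl_rights is a hypothetical helper that applies a SETACL rights argument to an identifier's current rights, covering the empty-string case and a bare "+" or "-". The sample rights strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Dovecot's API): apply a SETACL rights argument
 * to an identifier's current rights. Returns 0 on success, -1 on bad input.
 * An empty result means the identifier is left with no rights at all. */
int apply_setacl_rights(const char *current, const char *arg,
                        char *out, size_t outlen)
{
    char mode = '=';            /* no prefix: replace the existing rights */
    size_t n = 0;
    const char *p;

    if (outlen == 0)
        return -1;
    if (*arg == '+' || *arg == '-')
        mode = *arg++;
    for (p = arg; *p != '\0'; p++) {
        /* rights characters are lowercase letters or digits */
        if (!islower((unsigned char)*p) && !isdigit((unsigned char)*p))
            return -1;
    }
    /* Keep existing rights unless replacing; for '-', drop the listed ones. */
    for (p = current; mode != '=' && *p != '\0'; p++) {
        if (mode == '-' && strchr(arg, *p) != NULL)
            continue;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    /* For replace or '+', append listed rights that are not present yet. */
    for (p = arg; mode != '-' && *p != '\0'; p++) {
        if (strchr(out, *p) != NULL)
            continue;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = *p;
        out[n] = '\0';
    }
    return 0;
}

int main(void)
{
    const char *args[] = { "", "+", "-", "+w", "-rs", "lw" };
    char out[16];

    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        if (apply_setacl_rights("lrs", args[i], out, sizeof(out)) == 0)
            printf("lrs + SETACL \"%s\" -> \"%s\"\n", args[i], out);
    }
    return 0;
}
```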
participants (3)
- Bernhard Herzog
- Sascha Wilde
- Timo Sirainen