dovecot-2.2: acl: Mailbox creation ignored ACLs (due to API chan...

dovecot at dovecot.org dovecot at dovecot.org
Mon May 6 14:59:08 EEST 2013


details:   http://hg.dovecot.org/dovecot-2.2/rev/11712979c8ab
changeset: 16327:11712979c8ab
user:      Timo Sirainen <tss at iki.fi>
date:      Mon May 06 14:58:55 2013 +0300
description:
acl: Mailbox creation ignored ACLs (due to API changes in v2.2).
The created mailbox couldn't have been accessed however.

diffstat:

 src/plugins/acl/acl-mailbox.c |  19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diffs (29 lines):

diff -r aefdf65442cc -r 11712979c8ab src/plugins/acl/acl-mailbox.c
--- a/src/plugins/acl/acl-mailbox.c	Fri May 03 17:17:15 2013 +0300
+++ b/src/plugins/acl/acl-mailbox.c	Mon May 06 14:58:55 2013 +0300
@@ -118,8 +118,23 @@
 	struct acl_mailbox *abox = ACL_CONTEXT(box);
 	int ret;
 
-	/* we already checked permissions in list.mailbox_create_dir().
-	   ignore ACLs in this mailbox until creation is complete, because
+	/* we're looking up CREATE permission from our parent's rights */
+	ret = acl_mailbox_list_have_right(box->list, box->name, TRUE,
+					  ACL_STORAGE_RIGHT_CREATE, NULL);
+	if (ret <= 0) {
+		if (ret < 0) {
+			mail_storage_set_internal_error(box->storage);
+			return -1;
+		}
+		/* Note that if user didn't have LOOKUP permission to parent
+		   mailbox, this may reveal the mailbox's existence to user.
+		   Can't help it. */
+		mail_storage_set_error(box->storage, MAIL_ERROR_PERM,
+				       MAIL_ERRSTR_NO_PERMISSION);
+		return -1;
+	}
+
+	/* ignore ACLs in this mailbox until creation is complete, because
 	   super.create() may call e.g. mailbox_open() which will fail since
 	   we haven't yet copied ACLs to this mailbox. */
 	abox->skip_acl_checks = TRUE;
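
Review bot: the denied branch (ret == 0) returns MAIL_ERROR_PERM with MAIL_ERRSTR_NO_PERMISSION even when the user has no LOOKUP right on the parent, and the in-code comment ("this may reveal the mailbox's existence to user. Can't help it.") accepts that as an existence oracle without saying why it cannot be avoided. Either handle that case separately, so a user who cannot look up the parent gets the same error as for a parent that does not exist, or extend the comment to state the constraint that prevents it, so the disclosure is a documented decision. The call also passes NULL as its last argument; if that out-parameter carries information that would let the two cases be told apart, use it here instead of discarding it. The new check correctly runs before `abox->skip_acl_checks = TRUE;`, and since the commit message says the check was lost through API changes, a regression test that attempts creation under a parent without CREATE right and expects the permission error would keep it from disappearing again.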

