[Dovecot] v1.2 can't set ACL to empty string

Bernhard Herzog bh at intevation.de
Fri Feb 20 18:48:52 EET 2009


On 18.02.2009, Sascha Wilde wrote:
> according to RFC 4314 the rights argument to the setacl command might be
> an empty string ("zero right characters"):
>
>     The third argument is a string containing an optional plus ("+") or
>     minus ("-") prefix, followed by zero or more rights characters.
>
> existing clients (Horde in particular) actually use this to remove all
> rights from a user.
>
> Currently dovecot 1.2 does not accept an empty rights string as argument
> to setacl.  Bernhard Herzog will look into this.

Below is a patch that fixes this.  SETACL with an empty string as rights will 
be equivalent to DELETEACL with the same identifier.

While testing this, I noticed two other problems in the imap-acl plugin, both 
related to negative ACL entries.  If an ACL contains both negative and 
positive entries for the same identifier, no space is output in the 
GETACL response, leading to something like e.g.

* ACL "INBOX/foo" "someuser" lrs-"someuser" w 

The second problem is that the "-" is not inside the double quotes.

  Bernhard

Here's the patch (not an attachment to avoid a mailman bug that breaks 
signatures):


diff -r 13e1c379ab63 src/plugins/imap-acl/imap-acl-plugin.c
--- a/src/plugins/imap-acl/imap-acl-plugin.c	Thu Feb 19 13:08:50 2009 -0500
+++ b/src/plugins/imap-acl/imap-acl-plugin.c	Fri Feb 20 17:08:33 2009 +0100
@@ -375,7 +375,7 @@ static bool cmd_setacl(struct client_com
 	bool negative = FALSE;
 
 	if (!client_read_string_args(cmd, 3, &mailbox, &identifier, &rights) ||
-	    *identifier == '\0' || *rights == '\0') {
+	    *identifier == '\0') {
 		client_send_command_error(cmd, "Invalid arguments.");
 		return TRUE;
 	}
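Review bot: With `*rights == '\0'` dropped from the argument check, an empty rights string now reaches the code between this check and line 414, which the patch does not show. Please confirm that code copes with an empty string, and add a short comment at this check saying that zero rights characters are valid per RFC 4314, so the test is not later restored as an apparent oversight.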
@@ -414,7 +414,19 @@ static bool cmd_setacl(struct client_com
 	if (box == NULL)
 		return TRUE;
 
-	if (negative) {
+	if (update.rights.rights[0] == NULL) {
+		if (negative) {
+			update.modify_mode = 0;
+			update.rights.rights = NULL;
+			update.neg_modify_mode = ACL_MODIFY_MODE_CLEAR;
+			update.rights.neg_rights = NULL;
+		} else {
+			update.modify_mode = ACL_MODIFY_MODE_CLEAR;
+			update.rights.rights = NULL;
+			update.neg_modify_mode = 0;
+			update.rights.neg_rights = NULL;
+		}
+	} else if (negative) {
 		update.neg_modify_mode = update.modify_mode;
 		update.modify_mode = ACL_MODIFY_MODE_REMOVE;
 		update.rights.neg_rights = update.rights.rights;
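Review bot: In the new `update.rights.rights[0] == NULL` branch, `update.modify_mode` is overwritten whatever it held before, although the existing `negative` branch shows it was already set earlier (`update.neg_modify_mode = update.modify_mode;`). If a rights argument consisting only of a "+" or "-" prefix also produces an empty rights array, it would clear the entry instead of leaving it unchanged, so consider limiting the clear to the case with no prefix. The bare `0` assigned to `modify_mode` and `neg_modify_mode` should also be a named `ACL_MODIFY_MODE_*` constant, as in the neighbouring lines, and the two `= NULL` assignments common to both arms could be hoisted out of the inner if/else.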



-- 
Bernhard Herzog  |  ++49-541-335 08 30  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
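
The RFC 4314 rule quoted at the top of this message, worked through as an added example (not part of the original post and not Dovecot's code). It goes slightly beyond the empty-string case by also covering the "+" and "-" prefixes, which per RFC 4314 add to or remove from the existing rights. All names are hypothetical, rights characters are not validated, and reporting an entry with no rights left as deletable is an assumption of this sketch.

```c
#include <string.h>

/* Hypothetical names for this example; not Dovecot's types or API. */
enum setacl_mode { MODE_REPLACE, MODE_ADD, MODE_REMOVE };

/* Split the rights argument into prefix mode and rights characters.
   Zero rights characters is valid input (RFC 4314). */
static enum setacl_mode parse_rights_arg(const char *arg, const char **rights)
{
	enum setacl_mode mode = MODE_REPLACE;
	if (*arg == '+') { mode = MODE_ADD; arg++; }
	else if (*arg == '-') { mode = MODE_REMOVE; arg++; }
	*rights = arg;
	return mode;
}

/* Apply arg to the identifier's rights string cur (size bytes, updated in
   place). Returns 1 if no rights remain, 0 otherwise, -1 on overflow. */
static int apply_setacl(char *cur, size_t size, const char *arg)
{
	const char *rights, *p;
	char out[64] = "";
	size_t n = 0;
	enum setacl_mode mode = parse_rights_arg(arg, &rights);

	/* Replace starts from nothing; add/remove start from current rights. */
	for (p = cur; mode != MODE_REPLACE && *p != '\0'; p++) {
		if (mode == MODE_REMOVE && strchr(rights, *p) != NULL)
			continue;
		if (n + 1 >= sizeof(out)) return -1;
		out[n++] = *p;
	}
	/* Replace/add append the given rights, skipping duplicates. */
	for (p = rights; mode != MODE_REMOVE && *p != '\0'; p++) {
		if (memchr(out, *p, n) != NULL)
			continue;
		if (n + 1 >= sizeof(out)) return -1;
		out[n++] = *p;
	}
	out[n] = '\0';
	if (n + 1 > size) return -1;
	memcpy(cur, out, n + 1);
	return n == 0;
}

int main(void)
{
	char acl[16] = "lrsw";	/* constructed sample rights */
	return apply_setacl(acl, sizeof(acl), "") == 1 ? 0 : 1;
}
```

Only the unprefixed empty string empties the entry here; a lone "+" or "-" leaves the existing rights untouched.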