[Dovecot] v1.2: can't access other users shared INBOX

Bernhard Herzog bh at intevation.de
Thu Mar 19 21:54:57 EET 2009 

On 17.03.2009, Bernhard Herzog wrote:
> That's A's INBOX, most likely, so it should be accessible.  That it's
> listed but not accessible is AFAICT a combination of two bugs.  One is that
> the INBOX's ACL is used as default, so if B as l-permission in A's INBOX
> all of A's mailboxes that do not set an ACL for B are listed.  The other is
> that dovecot does not determine B's permissions correctly when it comes to
> A's INBOX.

Even if this is fixed (e.g. with the patch from the above post), there's still 
one other problem with the INBOX.  If A gives B list rights in A's INBOX but 
not on any other folder, B doesn't see A's INBOX when doing a LIST.

The reason for that is maildir_fill_readdir always adds the virtual name of 
the INBOX even when MAILBOX_LIST_ITER_VIRTUAL_NAMES isn't set.  In lines 
260ff of mailbox-list-maildir-iter.c, rev. 5284f45c249a  it unconditionally 
adds the prefix to "INBOX" when adding it to the tree:

		node = mailbox_tree_get(ctx->tree_ctx,
			t_strconcat(ns->prefix, "INBOX", NULL), NULL);


The patch below fixes this, by only adding the virtual name of the INBOX if 
virtual_names is true, basically in the same way as earlier in the loop.
I'm not sure whether it's really the correct fix, but in my tests so far it 
seems to work correctly.

Regards,

   Bernhard


diff -r 5284f45c249a src/lib-storage/list/mailbox-list-maildir-iter.c
--- a/src/lib-storage/list/mailbox-list-maildir-iter.c	Sun Mar 15 20:06:45 
2009 -0400
+++ b/src/lib-storage/list/mailbox-list-maildir-iter.c	Thu Mar 19 20:29:19 
2009 +0100
@@ -257,8 +257,17 @@ maildir_fill_readdir(struct maildir_list
 			iter_is_mailbox(&ctx->ctx, ctx->dir, "", "INBOX",
 					MAILBOX_LIST_FILE_TYPE_UNKNOWN, &flags);
 		if (ret > 0) {
-			node = mailbox_tree_get(ctx->tree_ctx,
-				t_strconcat(ns->prefix, "INBOX", NULL), NULL);
+			if (!virtual_names) {
+				str_truncate(mailbox, 0);
+				str_append(mailbox, "INBOX");
+				mailbox_name = str_c(mailbox);
+			} else {
+				mailbox_name =
+					mail_namespace_get_vname(ns, mailbox,
+								 "INBOX");
+			}
+			node = mailbox_tree_get(ctx->tree_ctx, mailbox_name,
+						NULL);
 			node->flags = MAILBOX_NOCHILDREN | MAILBOX_MATCHED;
 		}
 	}



-- 
Bernhard Herzog  |  ++49-541-335 08 30  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://dovecot.org/pipermail/dovecot/attachments/20090319/32315165/attachment.bin

More information about the dovecot mailing list