[Dovecot] v1.2: can't access other users shared INBOX
Bernhard Herzog
bh at intevation.de
Mon Mar 30 19:50:34 EEST 2009
On 25.03.2009, Bernhard Herzog wrote:
> On 19.03.2009, Bernhard Herzog wrote:
> > The reason for that is maildir_fill_readdir always adds the virtual name
> > of the INBOX even when MAILBOX_LIST_ITER_VIRTUAL_NAMES isn't set. In
> > lines 260ff of mailbox-list-maildir-iter.c, rev. 5284f45c249a it
> > unconditionally adds the prefix to "INBOX" when adding it to the tree:
> >
> > node = mailbox_tree_get(ctx->tree_ctx,
> > t_strconcat(ns->prefix, "INBOX", NULL), NULL);
> >
> >
> > The patch below fixes this, by only adding the virtual name of the INBOX
> > if virtual_names is true, basically in the same way as earlier in the
> > loop. I'm not sure whether it's really the correct fix, but in my tests
> > so far it seems to work correctly.
>
> As it turns out, there is one problem the patch doesn't address.
There's one other problem that the patch doesn't fix. If user fred gives dave
read permission on INBOX but not on any other folder and the inbox has
children, the INBOX is not always listed for dave. OTOH, if dave has read
permissions on one of the children, or the INBOX does not have children at
all, the INBOX is listed.
What happens is that if INBOX has children maildir_fill_readdir will add INBOX
to the tree indirectly when it encounters the children and later when the
INBOX special cases are handled, INBOX is already in the tree and it won't be
matched against the mailbox name pattern and thus it's MAILBOX_MATCHED flag
will not be set. If INBOX is the only visible mailbox that would match the
search pattern, no mailbox in the tree has the MAILBOX_MATCHED flag, and
dovecot will consider the whole users/fred namespace invisible to dave.
The patch below addresses this.
Bernhard
diff -r 643a96aec996 src/lib-storage/list/mailbox-list-maildir-iter.c
--- a/src/lib-storage/list/mailbox-list-maildir-iter.c Thu Mar 26 18:36:36
2009 -0400
+++ b/src/lib-storage/list/mailbox-list-maildir-iter.c Fri Mar 27 17:46:53
2009 +0200
@@ -250,16 +250,29 @@ maildir_fill_readdir(struct maildir_list
if (!update_only)
node->flags |= MAILBOX_MATCHED;
}
- } else if (mailbox_tree_lookup(ctx->tree_ctx, "INBOX") == NULL &&
- imap_match(glob, "INBOX") == IMAP_MATCH_YES) {
+ } else {
+ const char * inbox_name;
+ if (!virtual_names) {
+ inbox_name = "INBOX";
+ } else {
+ inbox_name = mail_namespace_get_vname(ns, mailbox,
+ "INBOX");
+ }
+
/* see if INBOX exists. */
ret = ctx->ctx.list->v.
- iter_is_mailbox(&ctx->ctx, ctx->dir, "", "INBOX",
- MAILBOX_LIST_FILE_TYPE_UNKNOWN, &flags);
- if (ret > 0) {
- node = mailbox_tree_get(ctx->tree_ctx,
- t_strconcat(ns->prefix, "INBOX", NULL), NULL);
- node->flags = MAILBOX_NOCHILDREN | MAILBOX_MATCHED;
+ iter_is_mailbox(&ctx->ctx, ctx->dir, "",
+ "INBOX",
+ MAILBOX_LIST_FILE_TYPE_UNKNOWN,
+ &flags);
+ if (ret > 0 && imap_match(glob, inbox_name) == IMAP_MATCH_YES) {
+
+ node = mailbox_tree_get(ctx->tree_ctx, inbox_name,
+ &created);
+ if (created)
+ node->flags = MAILBOX_NOCHILDREN;
+
+ node->flags |= MAILBOX_MATCHED;
}
}
return 0;
--
Bernhard Herzog | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part.
Url : http://dovecot.org/pipermail/dovecot/attachments/20090330/9d698354/attachment-0001.bin
More information about the dovecot
mailing list