On Tue, Jan 24, 2012 at 01:49:52PM +1100, Greg Banks wrote: > I've been told I should do reviews more openly. Ok, here goes. > > commit "rename: ensure user owns both source and dest for Bug #3586 > workaround" > > Ok, but why?
CMU had somebody issue "rename $sharedroot INBOX.Trash". Since they had no permissions on $sharedroot, the lower level returns IMAP_MAILBOX_NONEXISTENT. Since "submailboxes" are done as admin, there were no ACL checks. It was only the quota which stopped their entire shared heirarchy being renamed under INBOX.Trash of one user. (... the rest is Ken's stuff) Bron.
