On 09/18/2011 08:52 PM, Reindl Harald wrote:
> I was not sure if anything possibly breaks if they have passwords,
> because I do not see how they are used, but if the core developer says
> "give them one" it's OK :-)
Looking at the code, since I really haven't given this any thought in a
long time:

The __public__ user is required as owner of all mailboxes in the #Public
namespace. The login code explicitly checks against this userid during
authentication.

The 'anyone' user is just the owner of the ACL records, and of the
global filter rules. The authorization code does not explicitly
preclude logging in as 'anyone'. And even though I'm not too concerned
about that because that user will not own any mailboxes or messages, I'm
also well aware I'm not a security expert.

So blocking the authentication with the trick I mentioned is a harmless
safety precaution.

--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, skype, linkedin
* Premium Hosting Services and Web Application Consultancy *
www.nfg.nl/[email protected]/+31.85.877.99.97
________________________________________________________________