Hi *,

The problem is most noticeable when a user shares his INBOX[0][1] with others:

User A sets his INBOX ACLs to "eilprwtsd".
Now User B can see _all_ sub mailboxes and sub sub [...] mailboxes and their contents of User A:

User A:

  g getacl INBOX
  * ACL "INBOX" "[email protected]" akxeilprwtscd "[email protected]" eilprwtsd "[email protected]" lrwstipekxacd
  g OK Getacl completed.
  g getacl INBOX/foobar
  * ACL "INBOX/foobar" "[email protected]" lrwstipekxacd

User B:

  l list "" "*"
  * LIST (\Noselect \HasChildren) "/" "user"
  * LIST (\Noselect \HasChildren) "/" "user/[email protected]"
  * LIST (\HasChildren) "/" "INBOX"
  * LIST (\HasNoChildren) "/" "INBOX/Gesendet"
  * LIST (\HasChildren) "/" "user/[email protected]/foobar"
  * LIST (\HasNoChildren) "/" "user/[email protected]/foobar/barbaaz"
  * LIST (\HasNoChildren) "/" "user/[email protected]/INBOX"
  l OK List completed.

The RfC is not too verbose on this topic of scope, but I think the following excerpt from RfC4314:

  2. Access Control
  [...]
  An access control list is a set of <access identifier,rights> pairs.
  An ACL applies to a mailbox name.

indicates that ACLs are only valid for individual mailboxes (name) and not for sub mailboxes.

cheers
sascha

[0] Yes, there are really actual users wanting to do this.
[1] There is actually another bug in this context I'll report in my next mail...

-- 
Sascha Wilde
OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/
http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
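Added example, not part of the original mail and not code from the mail server project: a small audit that compares GETACL and LIST output of the kind shown above and reports every selectable mailbox listed to a user who has no 'l' right in that mailbox's own ACL. The identifiers "owner", "userb" and "admin", the sample responses, and the mapping of "user/<owner>/x" to the owner's "INBOX/x" are assumptions made for the example.

```python
import re

# Constructed sample data modelled on the session in the mail; the identifiers
# "owner", "userb" and "admin" are placeholders, not values from the original.
GETACL = r'''
* ACL "INBOX" "owner" akxeilprwtscd "userb" eilprwtsd "admin" lrwstipekxacd
* ACL "INBOX/foobar" "owner" lrwstipekxacd
'''
LIST_AS_USERB = r'''
* LIST (\Noselect \HasChildren) "/" "user"
* LIST (\HasChildren) "/" "user/owner"
* LIST (\HasChildren) "/" "user/owner/foobar"
* LIST (\HasNoChildren) "/" "user/owner/foobar/barbaaz"
'''

def parse_getacl(text):
    """Return {mailbox: {identifier: rights}} from untagged ACL responses."""
    acls = {}
    for line in text.splitlines():
        if not line.startswith("* ACL "):
            continue
        words = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', line[6:])]
        acls[words[0]] = dict(zip(words[1::2], words[2::2]))
    return acls

def parse_list(text):
    """Return [(flags, mailbox)] from untagged LIST responses."""
    pat = re.compile(r'^\* LIST \(([^)]*)\) "[^"]*" "([^"]*)"$', re.M)
    return [(m.group(1).split(), m.group(2)) for m in pat.finditer(text)]

def to_owner_name(shared, owner):
    """Map "user/<owner>/x" to the owner's "INBOX/x" (assumed namespace layout)."""
    prefix = "user/" + owner
    if shared == prefix:
        return "INBOX"
    if shared.startswith(prefix + "/"):
        return "INBOX/" + shared[len(prefix) + 1:]
    return None

def leaked(acls, listing, owner, viewer):
    """Selectable mailboxes listed to viewer without an 'l' right of their own."""
    found = []
    for flags, name in listing:
        mbox = to_owner_name(name, owner)
        if mbox is None or r"\Noselect" in flags:
            continue  # outside the owner's tree, or only a hierarchy placeholder
        if "l" not in acls.get(mbox, {}).get(viewer, ""):
            found.append(name)
    return found
```

A mailbox with no ACL entry for the viewer is treated as granting no rights, which is the per-mailbox reading of RFC 4314 argued in the mail.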
