On 6.12.2010, at 17.32, Mike Abbott wrote:

>> Something similar could be done about submit_user too. Instead of
>> sending "submit_user=x", send both "master_user=x" and "submit".
> 
> We chose not to overload master_user=x in this way so that code/plugins that 
> check master_user without knowing about or checking the submit flag don't 
> behave incorrectly.  Accidentally granting a mere submit user all of a master 
> user's powers would be unsafe.

Master user doesn't really have any special powers. Compared to a regular 
login, it just has fewer powers, because when the ACL plugin is loaded the master 
user by default has no permissions to any mailbox. So if some part of the code 
doesn't check for submit_user, it assumes the user itself logged in, which 
could be worse than assuming a master user logged in.

The master user feature was originally written so that there could be pretty 
restricted master users logging in, such as spam learners accessing only the spam 
mailbox or voicemail software accessing the voicemail box. I think that's pretty 
similar to what submit user is. Maybe "master user" should have been named 
something more neutral, like "authentication user" or something.
