6.0.0-git
2019-03-23

[#10091] ACLs courier-imap
Summary: ACLs courier-imap
Queue: IMP
Queue Version: Git master
Type: Bug
State: Resolved
Priority: 1. Low
Owners: slusarz (at) horde (dot) org
Requester: rsalmon (at) mbpgroup (dot) com
Created: 2011-05-17 (2867 days ago)
Due:
Updated: 2011-05-20 (2864 days ago)
Assigned: 2011-05-17 (2867 days ago)
Resolved: 2011-05-20 (2864 days ago)
Milestone:
Patch: No

History
2011-05-20 07:48:30 Jan Schneider Comment #16
State ⇒ Resolved
Here too.
2011-05-20 07:35:23 rsalmon (at) mbpgroup (dot) com Comment #15
> This is now working correctly for me on RFC 2086 servers.
Looks good over here too.
Thanks.
2011-05-19 17:42:39 Michael Slusarz Comment #14
This is now working correctly for me on RFC 2086 servers.
2011-05-19 17:41:29 Git Commit Comment #13
Changes have been made in Git for this ticket:

Bug #10091: Improve ACL UI (especially for RFC 2086 servers)

  2 files changed, 56 insertions(+), 88 deletions(-)
http://git.horde.org/horde-git/-/commit/c384e738d4d7a3c3b723b8a1e992af4e02fc7412
2011-05-18 08:52:30 Jan Schneider Comment #12
> Changes have been made in Git for this ticket:
>
> Bug #10091: These rights don't exist
>
>   1 files changed, 0 insertions(+), 14 deletions(-)
> http://git.horde.org/horde-git/-/commit/60b22c34f0cbd486ddee76cc55e18c2c57d83c90
This broke the ACL screen for me. I have 3 Administration columns now.
2011-05-18 08:28:06 rsalmon (at) mbpgroup (dot) com Comment #11
>> Every time a user changes an ACL, he gets the following error:
>> Couldn't remove from user "administrators" these rights for the
>> mailbox "INBOX.Bug": kxte
> This is an issue with Courier - it should ignore rights it doesn't
> know about.
It isn't about the rights, it is about the system user.
The following unix command doesn't return an error:
[]# maildiracl -set ~/Maildir INBOX.Bug user=ronan +azertyuiopqsdfghjklmwxcvbn
[]#

This one does return an error:
[]# maildiracl -set /home/rsalmon/Maildir INBOX.Bug administrators -e
Trying to set invalid access rights for administrators
[]#

Actually, from the maildiracl man page:
IRREVOCABLE ACCESS RIGHTS
The owner of the mailbox must always have the "a" and "l" access
rights. The administrators group must always have all access rights to
all folders. Attempts to set access control lists, that do not include
these minimum access rights, will be rejected.

2011-05-18 08:06:51 Jan Schneider Comment #10
>> Every time a user changes an ACL, he gets the following error:
>> Couldn't remove from user "administrators" these rights for the
>> mailbox "INBOX.Bug": kxte
> This is an issue with Courier - it should ignore rights it doesn't
> know about.  So I will have to work around this.
FWIW Cyrus is doing exactly the same. It has an implicit administrator
user (usually "cyrus") that you can't revoke ACLs from, and you get an
error message as soon as you save a folder's ACLs.
2011-05-18 07:50:40 Michael Slusarz Comment #9
> Every time a user changes an ACL, he gets the following error:
> Couldn't remove from user "administrators" these rights for the
> mailbox "INBOX.Bug": kxte
This is an issue with Courier - it should ignore rights it doesn't
know about.  So I will have to work around this.
> I think you should revert your patch and make the two ACL available
> for modification (like it was perfectly working in IMP 4) to avoid
> end users/admins asking about those errors.
NO NO NO.  As mentioned in RFC 4314, the CREATE and DELETE rights are
badly broken in RFC 2086.  So a user should *never* be allowed to
directly set those rights.  Instead, they should set the RFC 4314
rights, which should be translated (as necessary) before sending to
the server.
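
The translation described in comment #9, together with the Courier restriction quoted in comment #11, sketched as an added example (not Horde or Courier code; all function names are hypothetical). The two `c`/`d` interpretations come from RFC 4314 section 2.1.1; sending an obsolete right only when every right it stands for is requested is an assumed least-privilege policy, and `owner` is assumed to be Courier's identifier for the mailbox owner.

```php
<?php
// Added illustration; not Horde or Courier code. All names are hypothetical.

// RFC 4314 section 2.1.1: the two ways RFC 2086 servers read 'c' and 'd'.
const OBSOLETE_MAP = [
    'c_controls_delete' => ['c' => ['k', 'x'], 'd' => ['e', 't']],
    'd_controls_delete' => ['c' => ['k'], 'd' => ['e', 't', 'x']],
];

// Translate wanted RFC 4314 rights for an RFC 2086 server. Assumed policy:
// send 'c'/'d' only when every right it stands for is wanted, so the old
// server never grants more than the user asked for.
function toRfc2086(array $wanted, string $model): array
{
    $virtual = ['k', 'x', 't', 'e'];
    $send = array_values(array_diff($wanted, $virtual));
    $covered = [];
    foreach (OBSOLETE_MAP[$model] as $old => $members) {
        if (!array_diff($members, $wanted)) {
            $send[] = $old;
            $covered = array_merge($covered, $members);
        }
    }
    // Virtual rights the old server cannot express without over-granting.
    $left = array_diff(array_intersect($virtual, $wanted), $covered);
    return ['send' => implode('', $send), 'unexpressed' => implode('', $left)];
}

// Courier's irrevocable rights, per the maildiracl text quoted in comment #11.
// Returns a reason to skip the removal, or null when it may be sent.
function irrevocable(string $identifier, array $remove): ?string
{
    if ($identifier === 'administrators' && $remove) {
        return 'administrators must keep all rights';
    }
    if ($identifier === 'owner' && array_intersect($remove, ['a', 'l'])) {
        return 'owner must keep a and l';
    }
    return null;
}

// Constructed input: the removal from the ticket, then ordinary user updates.
var_dump(irrevocable('administrators', str_split('kxte')));
var_dump(irrevocable('user=ronan', str_split('kxte')));
print_r(toRfc2086(str_split('lrswikt'), 'c_controls_delete'));
print_r(toRfc2086(str_split('lrswikxte'), 'd_controls_delete'));
```
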
2011-05-18 07:44:04 rsalmon (at) mbpgroup (dot) com Comment #8
I'm having second thoughts about being Ok with an error message being
thrown to the user.

Every time a user changes an ACL, he gets the following error:
Couldn't remove from user "administrators" these rights for the
mailbox "INBOX.Bug": kxte

This is going to be really disturbing for end users.

IMP is trying to unset ACLs that are not displayed in the UI, but set on
the server (which makes sense).

I think you should revert your patch and make the two ACL available
for modification (like it was perfectly working in IMP 4) to avoid end
users/admins asking about those errors.



2011-05-18 07:25:38 rsalmon (at) mbpgroup (dot) com Comment #7

Ideally, I would have liked the "administrators" ACL to be hidden from
users, but if this is specific to only one IMAP server then this is
probably too much work/hack.
And since users can't modify it anyway, I guess I'm ok with an error
being displayed.
> But this patch should completely remove the other two "disabled" UI
> elements.  Does this work better?
No, but the following patch helps:

--- 
framework/Imap_Client/lib/Horde/Imap/Client/Base.php.org        2011-05-18 
09:01:42.000000000 +0200
+++ framework/Imap_Client/lib/Horde/Imap/Client/Base.php        2011-05-18 
09:01:50.000000000 +0200
@@ -2595,11 +2595,7 @@
              return array_merge($rights, str_split(reset($capability)));
          }

-        // Add RFC 2086 rights (DEPRECATED)
-        return array_merge($rights, array(
-            Horde_Imap_Client::ACL_CREATE,
-            Horde_Imap_Client::ACL_DELETE
-        ));
+        return $rights;
      }
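
Review bot: the new `return $rights;` at the end of the hunk replaces the RFC 2086 fallback and its comment with nothing that says why the two rights are gone, so the function no longer documents what a server that skips the capability branch above is expected to get. Suggest a one-line comment there stating that Horde_Imap_Client::ACL_CREATE and Horde_Imap_Client::ACL_DELETE are deliberately not returned, and a check of the remaining users of those two constants, since nothing in this hunk shows callers being updated.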

I've seen traces of those two ACL const in
framework/Imap_Client/lib/Horde/Imap/Client/Data/AclCommon.php.
Maybe you want to remove them?



2011-05-17 23:15:41 Michael Slusarz Comment #6
>> first, courier-imap doesn't want anybody to play/mess with the
>> "administrators" user. Is this specific to courier-imap ? If not,
>> should there be a check for not modifying this user's ACLs ?
> This is specific to Courier, I guess. "administrators" is no more
> special than any other users so there is no reason to lock access to
> it.
So I have no problem with errors being thrown by the IMAP server if 
their rights are attempted to be altered and they are not supposed to.

But this patch should completely remove the other two "disabled" UI 
elements.  Does this work better?
2011-05-17 23:14:03 Michael Slusarz Comment #5
Assigned to Michael Slusarz
State ⇒ Feedback
> first, courier-imap doesn't want anybody to play/mess with the
> "administrators" user. Is this specific to courier-imap ? If not,
> should there be a check for not modifying this user's ACLs ?
This is specific to Courier, I guess. "administrators" is no more
special than any other users so there is no reason to lock access to it.
> second, IMP doesn't seem to detect all ACL attribute since both of
> the following are disabled in the UI : Create Folder, Delete/Purge.
> To the question "is this related to ticket #10079" ? I don't know as
> this has been a while since I tested ACL on IMP 5. (this is working
> fine on IMP 4 though).
I actually need to delete those two from the Prefs UI.  They should 
NEVER show up.  They are "virtual rights" and we abstract them out 
when dealing with old RFC 2086 servers (because they are broken in the 
RFC 2086 limitation).
2011-05-17 23:13:59 Git Commit Comment #4
Changes have been made in Git for this ticket:

Bug #10091: These rights don't exist

  1 files changed, 0 insertions(+), 14 deletions(-)
http://git.horde.org/horde-git/-/commit/60b22c34f0cbd486ddee76cc55e18c2c57d83c90
2011-05-17 20:09:07 rsalmon (at) mbpgroup (dot) com Comment #3
> Most likely a duplicate of Ticket #10079.
I saw Ticket #10079 before reporting this issue, but Jan's original
issue seems to be solved and I don't have any issue with deleting
emails.

Here I think there are 2 issues:
first, courier-imap doesn't want anybody to play/mess with the
"administrators" user. Is this specific to courier-imap ? If not,
should there be a check for not modifying this user's ACLs ?

second, IMP doesn't seem to detect all ACL attribute since both of the
following are disabled in the UI : Create Folder, Delete/Purge. To the
question "is this related to ticket #10079" ? I don't know as this has
been a while since I tested ACL on IMP 5. (this is working fine on IMP
4 though).



2011-05-17 17:01:51 Michael Slusarz Comment #2
Most likely a duplicate of Ticket #10079.
2011-05-17 07:28:21 rsalmon (at) mbpgroup (dot) com Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ ACLs courier-imap
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
New Attachment: imaplog.txt Download
using courier-imap 4.8.1

1. I can't set the following rights (UI disabled) : Create Folder, 
Delete/Purge.

2. Whenever I change ACLs on a folder, I get the following error:
ERR: HORDE [imp] IMAP error: Cannot modify ACLs on this mailbox. [pid 
27021 on line 343 of "/var/www/html/hordetest/imp/lib/Imap.php"]
DEBUG: HORDE [imp] Couldn't remove from user "administrators" these 
rights for the mailbox "INBOX.bug": kxte [pid 27021 on line 27 of 
"/var/www/html/hordetest/libs/Horde/Core/Notification/Handler/Decorator/Hordelog.php"]
DEBUG: HORDE [imp] ACL rights for "ronan" updated for the mailbox 
"bug". [pid 27021 on line 27 of 
"/var/www/html/hordetest/libs/Horde/Core/Notification/Handler/Decorator/Hordelog.php"]



Since the options "Create Folder" and "Delete/Purge" are disabled in the UI,
when I save the ACLs, IMP is trying to modify administrator's rights,
and apparently courier-imap doesn't like it. Attached is the imap trace.


