Fri, 10 Apr 2026 13:16:46 +0000 https://bugs.horde.org/ticket/10091 ACLs courier-imap using courier-imap 4.8.1 1. I can't set the following rights (UI disabled) : Create Folder, Delete/Purge. 2. when ever I change ACLs on a folder, I get the following error : ERR: HORDE [imp] IMAP error: Cannot modify ACLs on this mailbox. [pid 27021 on line 343 of "/var/www/html/hordetest/imp/lib/Imap.php"] DEBUG: HORDE [imp] Couldn't remove from user "administrators" these rights for the mailbox "INBOX.bug": kxte [pid 27021 on line 27 of "/var/www/html/hordetest/libs/Horde/Core/Notification/Handler/Decorator/Hordelog.php"] DEBUG: HORDE [imp] ACL rights for "ronan" updated for the mailbox "bug". [pid 27021 on line 27 of "/var/www/html/hordetest/libs/Horde/Core/Notification/Handler/Decorator/Hordelog.php"] Since options "Create Folder" and "Delete/Purge" are disabled in UI, when I save the ACLs, IMP is trying to modify administrator's rights, and apparently courier-imap doesn't like it. attached is the imap trace. Tue, 17 May 2011 07:28:21 +0000 https://bugs.horde.org/ticket/10091#t64719 Most likely a duplicate of Ticket #10079. Tue, 17 May 2011 17:01:51 +0000 https://bugs.horde.org/ticket/10091#t64742 > Most likely a duplicate of Ticket #10079. I saw Ticket #10079 before reporting this issue, but Jan original's issue seams to be solved and I don't have any issue with deleting emails. here I think the are 2 issues: first, courier-imap doesn't wnat anybody to play/mess with the "administrators" user. Is this specific to courier-imap ? If not, should there be a check for not modifying this user's ACLs ? second, IMP doesn't seam to detect all ACL attribute since both of the following are disabled in the UI : Create Folder, Delete/Purge. To the question "is this related to ticket #10079" ? I don't know as this has been a while since I tested ACL on IMP 5. (this is working fine on IMP 4 though). Tue, 17 May 2011 20:09:07 +0000 https://bugs.horde.org/ticket/10091#t64743 Changes have been made in Git for this ticket: Bug #10091: These rights don't exist 1 files changed, 0 insertions(+), 14 deletions(-) http://git.horde.org/horde-git/-/commit/60b22c34f0cbd486ddee76cc55e18c2c57d83c90 Tue, 17 May 2011 23:13:59 +0000 https://bugs.horde.org/ticket/10091#t64746 > first, courier-imap doesn't wnat anybody to play/mess with the > "administrators" user. Is this specific to courier-imap ? If not, > should there be a check for not modifying this user's ACLs ? This is specific to Courier, I guess. "administrators" is no more special than any other users so there is no reason to lock access to it. > second, IMP doesn't seam to detect all ACL attribute since both of > the following are disabled in the UI : Create Folder, Delete/Purge. > To the question "is this related to ticket #10079" ? I don't know as > this has been a while since I tested ACL on IMP 5. (this is working > fine on IMP 4 though). I actually need to delete those two from the Prefs UI. They should NEVER show up. They are "virtual rights" and we abstract them out when dealing with old RFC 2086 servers (because they are broken in the RFC 2086 limitation). Tue, 17 May 2011 23:14:03 +0000 https://bugs.horde.org/ticket/10091#t64747 >> first, courier-imap doesn't wnat anybody to play/mess with the >> "administrators" user. Is this specific to courier-imap ? If not, >> should there be a check for not modifying this user's ACLs ? > > This is specific to Courier, I guess. "administrators" is no more > special than any other users so there is no reason to lock access to > it. So I have no problem with errors being thrown by the IMAP server if their rights are attempted to be altered and they are not supposed to. But this patch should completely remove the other two "disabled" UI elements. Does this work better? Tue, 17 May 2011 23:15:41 +0000 https://bugs.horde.org/ticket/10091#t64748 >>> first, courier-imap doesn't wnat anybody to play/mess with the >>> "administrators" user. Is this specific to courier-imap ? If not, >>> should there be a check for not modifying this user's ACLs ? >> >> This is specific to Courier, I guess. "administrators" is no more >> special than any other users so there is no reason to lock access to >> it. > > So I have no problem with errors being thrown by the IMAP server if > their rights are attempted to be altered and they are not supposed to. Ideally, I would have like "administrators" ACL to be hidden from users. but if this is specific to only one IMAP server then this is probably too much work/hack. And since users can't modify it anyway, I guess I'm ok with an error being displayed. > But this patch should completely remove the other two "disabled" UI > elements. Does this work better? No, but the following patch helps : --- framework/Imap_Client/lib/Horde/Imap/Client/Base.php.org 2011-05-18 09:01:42.000000000 +0200 +++ framework/Imap_Client/lib/Horde/Imap/Client/Base.php 2011-05-18 09:01:50.000000000 +0200 @@ -2595,11 +2595,7 @@ return array_merge($rights, str_split(reset($capability))); } - // Add RFC 2086 rights (DEPRECATED) - return array_merge($rights, array( - Horde_Imap_Client::ACL_CREATE, - Horde_Imap_Client::ACL_DELETE - )); + return $rights; } I've seen traces of those two ACL const in framework/Imap_Client/lib/Horde/Imap/Client/Data/AclCommon.php. May be you want to remove them ? Wed, 18 May 2011 07:25:38 +0000 https://bugs.horde.org/ticket/10091#t64758 I'm having second thoughts about being Ok with a error message being thrown to the user. Everytime a user change an ACL, he gets the following error : Couldn't remove from user "administrators" these rights for the mailbox "INBOX.Bug": kxte This is going to be really disturbing for end users. IMP is trying to unset ACLs that are not displayed in UI, but set on the server (which make sense). I think you should revert your patch and make the two ACL available for modification (like it was perfectly working in IMP 4) to avoid end users/admins asking about those errors. Wed, 18 May 2011 07:44:04 +0000 https://bugs.horde.org/ticket/10091#t64760 > Everytime a user change an ACL, he gets the following error : > Couldn't remove from user "administrators" these rights for the > mailbox "INBOX.Bug": kxte This is an issue with Courier - it should ignore rights it doesn't know about. So I will have to work around this. > I think you should revert your patch and make the two ACL available > for modification (like it was perfectly working in IMP 4) to avoid > end users/admins asking about those errors. NO NO NO. As mentioned in RFC 4314, the CREATE and DELETE rights are badly broken in RFC 2086. So a user should *never* be allowed to directly set those rights. Instead, they should set the RFC 4314 rights, which should be translated (as necessary) before sending to the server. Wed, 18 May 2011 07:50:40 +0000 https://bugs.horde.org/ticket/10091#t64762 >> Everytime a user change an ACL, he gets the following error : >> Couldn't remove from user "administrators" these rights for the >> mailbox "INBOX.Bug": kxte > > This is an issue with Courier - it should ignore rights it doesn't > know about. So I will have to work around this. FWIW Cyrus is doing exactly the same. It has an implicit adminstrator user (usually "cyrus") that you can't revoke ACLs from, and you get an error message as soon as you save a folder's ACLs. Wed, 18 May 2011 08:06:51 +0000 https://bugs.horde.org/ticket/10091#t64769 >> Everytime a user change an ACL, he gets the following error : >> Couldn't remove from user "administrators" these rights for the >> mailbox "INBOX.Bug": kxte > > This is an issue with Courier - it should ignore rights it doesn't > know about. It isn't about the rights, it is about the system user. the following unix command doesn't return an error : []# maildiracl -set ~/Maildir INBOX.Bug user=ronan +azertyuiopqsdfghjklmwxcvbn []# this one does return an error : []# maildiracl -set /home/rsalmon/Maildir INBOX.Bug administrators -e Trying to set invalid access rights for administrators []# Actually, from maildiracl man page : IRREVOCABLE ACCESS RIGHTS The owner of the mailbox must always have the ?a? amd ?l? access rights. The administrators group must always have all access rights to all folders. Attempts to set access control lists, that do not include these minimum access rights, will be rejected. Wed, 18 May 2011 08:28:06 +0000 https://bugs.horde.org/ticket/10091#t64774 > Changes have been made in Git for this ticket: > > Bug #10091: These rights don't exist > > 1 files changed, 0 insertions(+), 14 deletions(-) > http://git.horde.org/horde-git/-/commit/60b22c34f0cbd486ddee76cc55e18c2c57d83c90 This broke the ACL screen for me. I have 3 Administration columns now. Wed, 18 May 2011 08:52:30 +0000 https://bugs.horde.org/ticket/10091#t64777 Changes have been made in Git for this ticket: Bug #10091: Improve ACL UI (especially for RFC 2086 servers) 2 files changed, 56 insertions(+), 88 deletions(-) http://git.horde.org/horde-git/-/commit/c384e738d4d7a3c3b723b8a1e992af4e02fc7412 Thu, 19 May 2011 17:41:29 +0000 https://bugs.horde.org/ticket/10091#t64858 This is now working correctly for me on RFC 2086 servers. Thu, 19 May 2011 17:42:39 +0000 https://bugs.horde.org/ticket/10091#t64859 > This is now working correctly for me on RFC 2086 servers. Looks good over here too. Thanks. Fri, 20 May 2011 07:35:23 +0000 https://bugs.horde.org/ticket/10091#t64890 Here too. Fri, 20 May 2011 07:48:30 +0000 https://bugs.horde.org/ticket/10091#t64892