mailing list archives

meli community discussions

⚠️ if something does not work as intended when interracting with the mailing lists,
reach out Github mirror Gitea repo @epilys:matrix.org

[Imap-protocol] ACL: GETACL and "always granted" rights

E-mail headers
From: Dan Karp <dkarp@zimbra.com>
To: imap-protocol@u.washington.edu
Date: Fri, 08 Jun 2018 12:34:39 -0000
Message-ID: 1766087308.133811176240507094.JavaMail.root@dogfood.liquidsys.com permalink / raw / eml / mbox 
If a user has rights that "will always be granted" on a mailbox (e.g. that show up in the first rights set in a LISTRIGHTS untagged response), is that user/rights pair to be listed in the GETACL response on that mailbox?

   The GETACL command returns the access control list for mailbox in an
   untagged ACL response.

   The LISTRIGHTS response occurs as a result of a LISTRIGHTS command.
   The first two strings are the mailbox name and identifier for which
   this rights list applies.  Following the identifier is a string
   containing the (possibly empty) set of rights the identifier will
   always be granted in the mailbox.
Reply
E-mail headers
From: dave@cridland.net
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:39 -0000
Message-ID: 6701.1176288711.978094@peirce.dave.cridland.net permalink / raw / eml / mbox 
On Tue Apr 10 22:28:27 2007, Dan Karp wrote:
> If a user has rights that "will always be granted" on a mailbox 
> (e.g. that show up in the first rights set in a LISTRIGHTS untagged 
> response), is that user/rights pair to be listed in the GETACL 
> response on that mailbox?
> 
> 
In principle, that would be a reasonable reading of RFC4314, and you 
would not be non-compliant for doing so.

In practise, it might be silly under some circumstances.

The LISTRIGHTS response tells you two things - and note I'm 
deliberately using a different wording:

1) The groups of rights that may be granted to the identifier.

2) The set of inalienable rights the identifier implicitly has.

I'd personally say that you should examine *why* the identifiers have 
these implicit rights, and decide on that basis whether to include 
them in the ACL - and in some cases, whether to admit they have 
implicit rights in LISTRIGHTS.

I don't think you'd confuse clients by having a degree of discrepency 
between LISTRIGHTS and GETACL, but you might confuse clients by 
including entries in the ACL if they're not really needed. (For 
example, Thunderbird decides whether a mailbox is shared according to 
the contents of the ACL.)

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Reply
E-mail headers
From: dkarp@zimbra.com
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:39 -0000
Message-ID: 1998622862.168451176303885705.JavaMail.root@dogfood.liquidsys.com permalink / raw / eml / mbox 
> > If a user has rights that "will always be granted" on a mailbox 
> > (e.g. that show up in the first rights set in a LISTRIGHTS untagged
> > response), is that user/rights pair to be listed in the GETACL 
> > response on that mailbox?
> 
> I don't think you'd confuse clients by having a degree of discrepency
> between LISTRIGHTS and GETACL, but you might confuse clients by 
> including entries in the ACL if they're not really needed. (For 
> example, Thunderbird decides whether a mailbox is shared according to
> the contents of the ACL.)

OK.  So a reasonable implementation might, say, fail to include the authenticated user's default rights on their own mailboxes?
Reply
E-mail headers
From: dave@cridland.net
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:39 -0000
Message-ID: 6701.1176304592.256996@peirce.dave.cridland.net permalink / raw / eml / mbox 
On Wed Apr 11 16:04:45 2007, Dan Karp wrote:
> > > If a user has rights that "will always be granted" on a mailbox 
> > > (e.g. that show up in the first rights set in a LISTRIGHTS 
> untagged
> > > response), is that user/rights pair to be listed in the GETACL 
> > > response on that mailbox?
> > > I don't think you'd confuse clients by having a degree of 
> discrepency
> > between LISTRIGHTS and GETACL, but you might confuse clients by > 
> including entries in the ACL if they're not really needed. (For > 
> example, Thunderbird decides whether a mailbox is shared according 
> to
> > the contents of the ACL.)
> 
> OK.  So a reasonable implementation might, say, fail to include the 
> authenticated user's default rights on their own mailboxes?

Actually, you probably want to include that. I'd not be surprised if 
Thunderbird would get confused otherwise. It's other things you 
probably don't want to include, such as any rights that 
administrative users or system users have.

Arguably, you don't want those to be listed in LISTRIGHTS either.

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
Reply