View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001348 | SOGo | Web Preferences | public | 2011-06-26 19:13 | 2011-07-05 17:14 |
Reporter | bear-cave | Assigned To | ludovic | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 1.3.7a | ||||
Target Version | 1.3.8 | Fixed in Version | 1.3.8 | ||
Summary | 0001348: Mailbox share ACLs - implement groups | ||||
Description | When selecting the user to which to apply share permissions, it is possible to choose a group, not a user. Since it is possible to configure Dovecot to act on group ACLs, it ought to be possible to have this work. Currently it does not work, because group names are reported to Dovecot using the '@' prefix used within SOGo. Dovecot is hard-wired to use '$' as a prefix to names to indicate they are a group name. | ||||
Additional Information | RFC4314 does reserve undecorated names for user IDs (apart from the special case 'anyone'), but explicitly leaves names with leading non-alphanumeric decoration available for implementation-dependent action. It then gives examples where group names are indicated with a '$' prefix. Dovecot uses this as implicit authority for its policy of treating usernames in ACLs as group names if prefixed with '$'. In other words, an ACL for user '$developers' is treated in Dovecot as an ACL for a group 'developers'. | ||||
Tags | No tags attached. | ||||
Attachment (bear-cave, 2011-06-26 19:13): groupacl.patch (3,275 bytes)
--- SoObjects/Mailer/SOGoMailFolder.m old +++ SoObjects/Mailer/SOGoMailFolder.m new @@ -943,6 +943,15 @@ return imapAcls; } +- (NSString *) _sogoAclUidToImapUid: (NSString *) uid +{ + if ([uid hasPrefix: @"@"]) + return [[[[context activeUser] domainDefaults] imapAclGroupIdPrefix] + stringByAppendingString: [uid substringFromIndex: 1]]; + else + return uid; +} + - (void) _removeIMAPExtUsernames { NSMutableDictionary *newIMAPAcls; @@ -963,6 +972,32 @@ mailboxACL = newIMAPAcls; } +- (void) _convertIMAPGroupnames +{ + NSMutableDictionary *newIMAPAcls; + NSEnumerator *usernames; + NSString *username; + NSString *newUsername; + NSString *imapPrefix; + + imapPrefix = [[[context activeUser] domainDefaults] imapAclGroupIdPrefix]; + + newIMAPAcls = [NSMutableDictionary new]; + + usernames = [[mailboxACL allKeys] objectEnumerator]; + while ((username = [usernames nextObject])) + { + if ([username hasPrefix: imapPrefix]) + newUsername = [@"@" stringByAppendingString: [username substringFromIndex: [imapPrefix length]]]; + else + newUsername = username; + [newIMAPAcls setObject: [mailboxACL objectForKey: username] + forKey: newUsername]; + } + [mailboxACL release]; + mailboxACL = newIMAPAcls; +} + - (void) _readMailboxACL { [mailboxACL release]; @@ -970,6 +1005,7 @@ mailboxACL = [[self imap4Connection] aclForMailboxAtURL: [self imap4URL]]; [mailboxACL retain]; + [self _convertIMAPGroupnames]; if ([[self mailAccountFolder] imapAclConformsToIMAPExt]) [self _removeIMAPExtUsernames]; } @@ -1061,7 +1097,7 @@ uids = [users objectEnumerator]; while ((currentUID = [uids nextObject])) - [client deleteACL: folderName uid: currentUID]; + [client deleteACL: folderName uid: [self _sogoAclUidToImapUid: currentUID]]; [mailboxACL release]; mailboxACL = nil; } 
@@ -1073,7 +1109,7 @@ acls = [self _sogoAclsToImapAcls: roles]; folderName = [[self imap4Connection] imap4FolderNameForURL: [self imap4URL]]; - [[imap4 client] setACL: folderName rights: acls uid: uid]; + [[imap4 client] setACL: folderName rights: acls uid: [self _sogoAclUidToImapUid: uid]]; [mailboxACL release]; mailboxACL = nil; --- SoObjects/SOGo/SOGoDefaults.plist old +++ SoObjects/SOGo/SOGoDefaults.plist new @@ -5,6 +5,7 @@ WOPidFile = "/var/run/sogo/sogo.pid"; NGImap4ConnectionStringSeparator = "/"; + NGImap4ConnectionGroupIdPrefix = "$"; NGImap4DisableIMAP4Pooling = YES; SOGoZipPath = "/usr/bin/zip"; --- SoObjects/SOGo/SOGoDomainDefaults.h old +++ SoObjects/SOGo/SOGoDomainDefaults.h new @@ -43,6 +43,7 @@ - (NSString *) imapServer; - (NSString *) sieveServer; - (NSString *) imapAclStyle; +- (NSString *) imapAclGroupIdPrefix; - (NSString *) imapFolderSeparator; - (BOOL) imapAclConformsToIMAPExt; - (BOOL) forceIMAPLoginWithEmail; --- SoObjects/SOGo/SOGoDomainDefaults.m old +++ SoObjects/SOGo/SOGoDomainDefaults.m new @@ -124,6 +124,11 @@ return [self stringForKey: @"SOGoIMAPAclStyle"]; } +- (NSString *) imapAclGroupIdPrefix +{ + return [self stringForKey: @"NGImap4ConnectionGroupIdPrefix"]; +} + - (NSString *) imapFolderSeparator { return [self stringForKey: @"NGImap4ConnectionStringSeparator"]; |
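Review bot: `_sogoAclUidToImapUid` has no guard for a missing prefix. `imapAclGroupIdPrefix` is a plain `stringForKey:` lookup, so if the key is absent for a domain it returns nil, `[nil stringByAppendingString: ...]` returns nil, and `setACL:rights:uid:` / `deleteACL:uid:` are then called with a nil identifier. The same lookup feeds `hasPrefix:` in `_convertIMAPGroupnames`, whose behaviour with a nil or empty argument is Foundation-implementation-dependent. Suggest checking `[imapPrefix length] > 0` once and falling back to the `"$"` shipped in SOGoDefaults.plist, e.g. `if (![imapPrefix length]) imapPrefix = @"$";`, or refusing the operation with a logged error.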
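Review bot: `_convertIMAPGroupnames` rewrites every identifier returned by GETACL that starts with the configured prefix into a SOGo `@group`, unconditionally and before `_removeIMAPExtUsernames`, so the correctness of the read path rests entirely on the prefix never matching a real user ID. Since the prefix is configurable, validate it where it is read (non-empty, leading character non-alphanumeric) so that an operator setting it to a letter does not silently reclassify users as groups; RFC 4314, as quoted in the report, reserves undecorated names for users. Also, both helpers take the prefix from `[[context activeUser] domainDefaults]`, i.e. the user viewing or editing the share, not the owner of the mailbox; for a folder shared across domains with different settings the wrong prefix is applied, so consider resolving the defaults of the mailbox owner instead.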
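Review bot: the new `NGImap4ConnectionGroupIdPrefix` default is added to SOGoDefaults.plist and exposed through `SOGoDomainDefaults`, following the existing `NGImap4ConnectionStringSeparator` pattern, but it carries no description and no entry in the installation and configuration guide. Document it next to `NGImap4ConnectionStringSeparator`, stating that it is only meaningful when the IMAP server interprets the prefix as a group marker (Dovecot uses `$`) and that it may be overridden per domain.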
Note 0002640 (bear-cave, 2011-06-26 19:16)

The attached patch implements this simple substitution, replacing '@' with a configurable prefix. The prefix, configuration NGImap4ConnectionGroupIdPrefix, defaults to '$'. On my SOGo install, this produces Dovecot ACLs with group permissions ('group=' instead of 'user=' in the ACL files in the mailboxes).
|
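The '@' to '$' substitution described in the report and in the note above, as an added Python example that is neither SOGo's nor Dovecot's own code: it carries the mapping in both directions, validates the configured prefix against the RFC 4314 rule the report cites (undecorated identifiers are user IDs, so the prefix must start with a non-alphanumeric character and must not be empty), and shows the `user=` / `group=` lines Dovecot's vfile backend stores for the resulting SETACL identifiers. The function names and the sample share are constructed for this example; `NGImap4ConnectionGroupIdPrefix` is the only name taken from the page.

```python
"""SOGo '@group' <-> IMAP '$group' ACL identifier mapping.

Constructed example; not SOGo's or Dovecot's own code.  The prefix argument
stands for the value of NGImap4ConnectionGroupIdPrefix.
"""

from typing import Dict, List

SOGO_GROUP_PREFIX = "@"          # SOGo marks group identifiers with '@' internally
DEFAULT_IMAP_GROUP_PREFIX = "$"  # Dovecot treats '$name' as group 'name'


def validate_group_prefix(prefix: str) -> str:
    """Reject prefixes that would collide with RFC 4314 user identifiers.

    RFC 4314 reserves undecorated identifiers (and 'anyone') for users and
    leaves identifiers with a leading non-alphanumeric character to the
    implementation.  An empty prefix would match every identifier on the way
    back from GETACL; an alphanumeric one would reclassify real users.
    """
    if not prefix:
        raise ValueError("group prefix must not be empty")
    if prefix[0].isalnum():
        raise ValueError("group prefix %r collides with user identifiers" % prefix)
    return prefix


def sogo_uid_to_imap(uid: str, prefix: str = DEFAULT_IMAP_GROUP_PREFIX) -> str:
    """'@developers' -> '$developers'; user IDs and 'anyone' pass through unchanged."""
    prefix = validate_group_prefix(prefix)
    if uid.startswith(SOGO_GROUP_PREFIX):
        return prefix + uid[len(SOGO_GROUP_PREFIX):]
    return uid


def imap_uid_to_sogo(uid: str, prefix: str = DEFAULT_IMAP_GROUP_PREFIX) -> str:
    """Inverse mapping, applied to identifiers read back from GETACL."""
    prefix = validate_group_prefix(prefix)
    if uid.startswith(prefix):
        return SOGO_GROUP_PREFIX + uid[len(prefix):]
    return uid


def share_to_imap(sogo_acl: Dict[str, str],
                  prefix: str = DEFAULT_IMAP_GROUP_PREFIX) -> Dict[str, str]:
    """Identifiers SOGo would hand to SETACL for a share dialog selection."""
    return {sogo_uid_to_imap(uid, prefix): rights for uid, rights in sogo_acl.items()}


def convert_imap_acl(imap_acl: Dict[str, str],
                     prefix: str = DEFAULT_IMAP_GROUP_PREFIX) -> Dict[str, str]:
    """Rewrite the identifiers of a GETACL response back into SOGo's '@group' form."""
    return {imap_uid_to_sogo(ident, prefix): rights for ident, rights in imap_acl.items()}


def dovecot_acl_lines(imap_acl: Dict[str, str],
                      prefix: str = DEFAULT_IMAP_GROUP_PREFIX) -> List[str]:
    """Lines Dovecot's vfile backend stores in a mailbox's dovecot-acl file:
    '$name' becomes 'group=name', 'anyone' stays 'anyone', anything else is 'user=name'."""
    prefix = validate_group_prefix(prefix)
    lines = []
    for ident, rights in imap_acl.items():
        if ident == "anyone":
            lines.append("anyone %s" % rights)
        elif ident.startswith(prefix):
            lines.append("group=%s %s" % (ident[len(prefix):], rights))
        else:
            lines.append("user=%s %s" % (ident, rights))
    return lines


if __name__ == "__main__":
    # Constructed share: one user, one group and 'anyone', with IMAP rights strings.
    share = {"alice": "lrswipkxtea", "@developers": "lrws", "anyone": "l"}
    imap_side = share_to_imap(share)
    print("SETACL identifiers:", imap_side)
    print("\n".join(dovecot_acl_lines(imap_side)))
    assert convert_imap_acl(imap_side) == share  # round trip through GETACL
```

The round trip only holds because a '$' never begins a user identifier under the RFC 4314 convention; `validate_group_prefix` is the check that keeps that assumption true for whatever value an operator puts in `NGImap4ConnectionGroupIdPrefix`.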
Note 0002647 (ludovic, 2011-07-02 18:06)

Could you also provide documentation to be included in the installation & configuration guide for the NGImap4ConnectionGroupIdPrefix parameter?
|
Note 0002649 (bear-cave, 2011-07-04 09:14)

I'm not sure whether I should supply a modified .odt or some sort of attempt at a patch. I don't know any standard patch format for .odts, so here's a manual one. In the section "IMAP Server Configuration", after NGImap4ConnectionStringSeparator add another System (S) configuration parameter. Name: Description:
|
Note 0002655 (ludovic, 2011-07-05 17:14)

Many thanks for your patch!
|
Date Modified | Username | Field | Change |
---|---|---|---|
2011-06-26 19:13 | bear-cave | New Issue | |
2011-06-26 19:13 | bear-cave | File Added: groupacl.patch | |
2011-06-26 19:16 | bear-cave | Note Added: 0002640 | |
2011-06-27 13:51 | ludovic | Target Version | => 1.3.8 |
2011-07-02 18:06 | ludovic | Note Added: 0002647 | |
2011-07-04 09:14 | bear-cave | Note Added: 0002649 | |
2011-07-05 17:14 | ludovic | Note Added: 0002655 | |
2011-07-05 17:14 | ludovic | Status | new => resolved |
2011-07-05 17:14 | ludovic | Fixed in Version | => 1.3.8 |
2011-07-05 17:14 | ludovic | Resolution | open => fixed |
2011-07-05 17:14 | ludovic | Assigned To | => ludovic |