Bug 40037

Summary: Unable to remove/move mails from shared folder
Product: UCS
Component: Mail
Reporter: Sönke Schwardt-Krummrich <schwardt>
Assignee: Sönke Schwardt-Krummrich <schwardt>
QA Contact: Daniel Tröder <troeder>
CC: stoeckigt, walkenhorst
Status: CLOSED FIXED
Severity: normal
Priority: P5
Version: UCS 4.0
Target Milestone: UCS 4.0-4-errata
Hardware: Other
OS: Linux
Bug group (optional): External feedback
Bug Blocks: 40038

Description Sönke Schwardt-Krummrich univentionstaff 2015-11-19 16:26:25 CET
Ticket #2015111121001141

The dovecot shared folder listener module does not set the "expunge" permission if "write" or "all" is selected in UDM for IMAP ACLs.
Due to the missing "expunge" permission, users are unable to remove mails from a shared folder or to move mails from a shared folder to a different folder. The user gets "permission denied".
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-12-08 21:59:35 CET
The "expunge" permission has been added. To add the expunge permission to existing dovecot shared folders, the script reapply_shared_folder_acls is called in univention-mail-dovecot's join script. reapply_shared_folder_acls may be found in
/usr/share/univention-mail-dovecot/ and can be called at any time as user root to reapply the IMAP ACLs.

univention-mail-dovecot (1.0.1-1):
r66188 | Bug #40037: add IMAP permission expunge if shared folder permission write or all has been selected

univention-mail-dovecot.yaml:
r66189 | Bug #40037: updated yaml
r66187 | Bug #40037: added yaml

For test commands see bug #40038.
Comment 2 Daniel Tröder univentionstaff 2015-12-09 10:00:34 CET
OK: code review
OK: advisory
OK: manual tests:

root@dc2000:~# eval $(ucr shell)
root@dc2000:~# udm mail/folder create --position cn=folder,cn=mail,$ldap_base --set name=pub1 --set mailDomain=$domainname --set mailHomeServer=$hostname.$domainname --append sharedFolderUserACL="test1m@uni.dtr write" --append sharedFolderUserACL="test2m@uni.dtr all" --append sharedFolderUserACL="test3m@uni.dtr read"
Object created: cn=pub1@uni.dtr,cn=folder,cn=mail,dc=uni,dc=dtr
root@dc2000:~# udm mail/folder create --position cn=folder,cn=mail,$ldap_base --set name=pub2 --set mailDomain=$domainname --set mailHomeServer=$hostname.$domainname --append sharedFolderUserACL="test1m@uni.dtr write" --append sharedFolderUserACL="test2m@uni.dtr all" --append sharedFolderUserACL="test3m@uni.dtr read" --set mailPrimaryAddress=pub2m@uni.dtr
Object created: cn=pub2@uni.dtr,cn=folder,cn=mail,dc=uni,dc=dtr

root@dc2000:~# cp /var/spool/dovecot/public/uni.dtr/pub1/.INBOX/dovecot-acl pub1-before
root@dc2000:~# cp /var/spool/dovecot/private/uni.dtr/pub2m/Maildir/dovecot-acl pub2m-before
root@dc2000:~# diff pub1-before pub2m-before

root@dc2000:~# univention-upgrade

root@dc2000:~# grep univention-mail-dovecot /var/univention-join/status
univention-mail-dovecot v1 successful
univention-mail-dovecot v2 successful
root@dc2000:~# cat /var/log/univention/reapply_shared_folder_acls.log
02.12.15 13:40:05.495  DEBUG_INIT
02.12.15 13:40:05.499  MAIN        ( INFO    ) : Initialising reapply_shared_folder_acls...
02.12.15 13:40:05.535  MAIN        ( INFO    ) : Looking for objects matching to following LDAP filter:
   (&(objectClass=univentionMailSharedFolder)(univentionMailHomeServer=dc2000.uni.dtr))
02.12.15 13:40:05.538  MAIN        ( PROCESS ) : DN: 'cn=pub1@uni.dtr,cn=folder,cn=mail,dc=uni,dc=dtr'
02.12.15 13:40:06.478  LISTENER    ( PROCESS ) : reapply_shared_folder_acls: Updated shared mailbox configuration.
02.12.15 13:40:06.609  LISTENER    ( PROCESS ) : reapply_shared_folder_acls: Set ACLs on 'pub1@uni.dtr'.
02.12.15 13:40:06.609  MAIN        ( PROCESS ) : ACLs updated
02.12.15 13:40:06.609  MAIN        ( PROCESS ) : DN: 'cn=pub2@uni.dtr,cn=folder,cn=mail,dc=uni,dc=dtr'
02.12.15 13:40:06.688  LISTENER    ( PROCESS ) : reapply_shared_folder_acls: Set ACLs on 'pub2m@uni.dtr'.
02.12.15 13:40:06.688  MAIN        ( PROCESS ) : ACLs updated
02.12.15 13:40:06.688  MAIN        ( PROCESS ) : Done

root@dc2000:~# diff pub1-before /var/spool/dovecot/public/uni.dtr/pub1/.INBOX/dovecot-acl 
1,2c1,2
< user=test1m@uni.dtr ilprwts
< user=test2m@uni.dtr ailprwts
---
> user=test1m@uni.dtr eilprwts
> user=test2m@uni.dtr aeilprwts
root@dc2000:~# diff pub2m-before /var/spool/dovecot/private/uni.dtr/pub2m/Maildir/dovecot-acl
1,2c1,2
< user=test1m@uni.dtr ilprwts
< user=test2m@uni.dtr ailprwts
---
> user=test1m@uni.dtr eilprwts
> user=test2m@uni.dtr aeilprwts
root@dc2000:~# diff /var/spool/dovecot/public/uni.dtr/pub1/.INBOX/dovecot-acl /var/spool/dovecot/private/uni.dtr/pub2m/Maildir/dovecot-acl

* Manual tests with Horde webmail worked as expected.
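
Added example, not part of the bug report or of univention-mail-dovecot: a small check that reads dovecot-acl content and reports entries that may flag mail as deleted (`t`) but may not expunge it (`e`), which is the state this bug left behind. The function names are hypothetical, the rights letters follow Dovecot's ACL file format, and the test3m line is constructed because the report does not show the rights for "read".

```python
# Added example (not Univention code): audit dovecot-acl content for entries
# that may flag mail as deleted ('t') but may not expunge it ('e').

# Lines 1-2 are the before/after values from the diff in this report; the
# test3m line is constructed (the report does not show the "read" rights).
BEFORE = """\
user=test1m@uni.dtr ilprwts
user=test2m@uni.dtr ailprwts
user=test3m@uni.dtr lrs
"""
AFTER = """\
user=test1m@uni.dtr eilprwts
user=test2m@uni.dtr aeilprwts
user=test3m@uni.dtr lrs
"""

WRITE_DELETED = "t"  # may set the \Deleted flag
EXPUNGE = "e"        # may expunge; needed to remove or move mail


def parse_acl(text):
    """Return [(identifier, set_of_rights)] for each granting line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and negative-rights lines ("-identifier ..."), which
        # take rights away instead of granting them.
        if not line or line.startswith("-"):
            continue
        parts = line.split(None, 1)
        # Single-letter rights end where an optional ":named rights" part begins.
        letters = parts[1].split(":", 1)[0].strip() if len(parts) > 1 else ""
        entries.append((parts[0], set(letters)))
    return entries


def missing_expunge(text):
    """Identifiers that hold 't' (write-deleted) without 'e' (expunge)."""
    return [ident for ident, rights in parse_acl(text)
            if WRITE_DELETED in rights and EXPUNGE not in rights]


if __name__ == "__main__":
    for label, content in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_expunge(content))
```
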
Comment 3 Janek Walkenhorst univentionstaff 2016-01-20 13:44:36 CET
<http://errata.software-univention.de/ucs/4.0/388.html>