[SOGo] IMAP ACL problems

Sauro Saltini sogo@opengroupware.org
Tue, 18 Dec 2007 11:20:14 +0100 

I've started to implement SOGo in a test environment as I'm very
intrested in using TB / Lightning as "fat" client to relpace Outlook /
Exchange duo.

I've done a fresh install from sources on a Slackware server and, after
some initial problems the whole thing is working like a charm (at least
the web interface).

My IMAP server (also installed from sources on the same host for testing
purposes) was Cyrus 2.2.12 (latest stable) authenticating users on
OpenLDAP, SOGo also authenticates via LDAP.

I've soon realized, playing with the IMAP ACL's for folder sharing, that
SOGo follows RFC 4314 for rights, so some of the ACL righs won't be
read/set correctly with my Cyrus-imap version (checkboxes remains always
unset) - I've also noticed that even the "inverse" demo site suffers the
same bug.

Replacing Cyrus-imap with 2.3.9 (testing version) which implements
RFC4314 ACL's the permission manager for imap folders worked well,
except for the "Remove this folder" and "Erase mails from this folder"
checkboxes:

- Setting "Remove this folder" and applying will result in "t" acl
instead of "x" and reopening the form you have:
Remove this folder (x) -> unchecked
Erase mails from this folder (t) -> checked

- Setting "Erase mails from this folder" and applying will result in an
empty acl and reopening the form will show:
Erase mails from this folder (t) -> unchecked

After some search through the sourcecode I've finally found that the
Template file (wox) for the form sets uncorrectly the checkbox names
(which was my initial guess, but took me some time to work out as I've
never looked at a GNUstep application before!).

In UI/Templates/MailerUI/UIxMailUserRightsEditor.wox I've changed the
checkbox named: "ObjectEraser" to "FolderEraser" and the one named
"MailMessageEraser" to "ObjectEraser" according to the rest of logic in
"SOGoMailFolder" (_sogoAclsToImapAcls and _imapAclsToSOGoAcls methods)

In the meantime I've found some other inconsistencies between
"SOGoPermissions.h" declarations and the "SOGoPermissions.m" assignments:

in SOGoPermissions.h the "MailRoles" declared are:
extern NSString *SOGoMailRole_SeenKeeper;
extern NSString *SOGoMailRole_Writer;
extern NSString *SOGoMailRole_Poster;
extern NSString *SOGoMailRole_Expunger;
extern NSString *SOGoMailRole_Creator;
extern NSString *SOGoMailRole_Administrator;

instead in SOGoPermissions.m I can see:
NSString *SOGoMailRole_SeenKeeper = @"MailSeenKeeper";
NSString *SOGoMailRole_Writer = @"MailWriter";
NSString *SOGoMailRole_Poster = @"MailPoster";
NSString *SOGoMailRole_Expunger = @"MailExpunger";
NSString *SOGoMailRole_Administrator = @"MailAdministrator";
NSString *SOGoMailRole_MessageEraser = @"MailMessageEraser";

i.e no value assigned for SOGoMailRole_Creator and no declaration for
SOGoMailRole_MessageEraser (which is one of the problematic roles  used
in the template file I've changed)

I don't know which is the current direction of development regarding the
"role names", in fact the whole thing can be patched exactly in the
opposite way.

The point is only about how you want to call in SOGo the "x" and "t"
IMAP rights:
x -> MailMessageEraser or ObjectEraser
t -> ObjectEraser or FolderEraser

I hope this can be useful for someone.

I'll go on testing SOGo as I think it can be a great solution.
I'm sorry I can't help with the development as I know quite nothing
about GNUstep and Objective-C.

Sauro Saltini.