[ https://issues.apache.org/jira/browse/MAILBOX-219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tellier Benoit updated MAILBOX-219:
-----------------------------------
    Attachment: 0001-JWC-102-Mailbox-with-private-namespace-are-not-group.patch

Patch still contributed by Antoine Duprat

First patch about logical OR used in place of an AND was hiding another bug.

This other bug is that your own mailbox is considered as a group mailbox. Hence, your default rights can not be applied, denying you access to your mailbox.

Both patches should be applied one after the other.
First JWC-101
Then JWC-102

Patch contributed by Antoine Duprat.

> A user with any right on a mailbox gets full rights on the given mailbox.
> -------------------------------------------------------------------------
>
>                 Key: MAILBOX-219
>                 URL: https://issues.apache.org/jira/browse/MAILBOX-219
>             Project: James Mailbox
>          Issue Type: Bug
>          Components: api
>    Affects Versions: 0.5
>            Reporter: Tellier Benoit
>         Attachments:
> 0001-JWC-101-Replace-logical-OR-by-a-logical-AND-in-RFC43.patch,
> 0001-JWC-102-Mailbox-with-private-namespace-are-not-group.patch
>
>
> James uses binary operation code in order to store user's ACL on a single int.
> This was buggy as an OR was used to see if the user has a given right. An AND
> should have been used.
> So, as a consequence, setting any write to a user gives him full rights on
> the given mailbox, which is a major security issue.
> All mailbox implementations are affected.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
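
The OR-versus-AND mistake described in the issue, shown as an added Java example that is not Apache James code and not either attached patch. The class name, right names, bit values and the exact form of the buggy expression are assumptions made for illustration.

```java
public class AclBitmaskDemo {
    // Constructed right bits, one per right, packed into a single int.
    static final int LOOKUP = 1, READ = 1 << 1, WRITE = 1 << 2,
                     DELETE = 1 << 3, ADMINISTER = 1 << 4;
    static final int[] RIGHTS = {LOOKUP, READ, WRITE, DELETE, ADMINISTER};

    // Hypothetical interface so both checks can be run through one audit.
    interface RightCheck { boolean allows(int granted, int requested); }

    // Assumed shape of the bug: OR merges the requested bit into the value,
    // so the result is non-zero whatever the user actually holds.
    static final RightCheck BUGGY =
            (granted, requested) -> (granted | requested) != 0;

    // Corrected check: AND isolates the requested bit, which must be set.
    static final RightCheck FIXED =
            (granted, requested) -> (granted & requested) == requested;

    // Counts (grant, right) pairs where a user holding at least one right is
    // allowed a right whose bit is absent from the grant. Sound checks give 0.
    static int countEscalations(RightCheck check) {
        int escalations = 0;
        for (int granted = 1; granted < (1 << RIGHTS.length); granted++) {
            for (int right : RIGHTS) {
                boolean held = (granted & right) != 0;
                if (check.allows(granted, right) && !held) {
                    escalations++;
                }
            }
        }
        return escalations;
    }

    public static void main(String[] args) {
        int lookupOnly = LOOKUP; // user was granted a single right
        System.out.println("buggy: lookup-only user may administer = "
                + BUGGY.allows(lookupOnly, ADMINISTER));
        System.out.println("fixed: lookup-only user may administer = "
                + FIXED.allows(lookupOnly, ADMINISTER));
        System.out.println("buggy escalations = " + countEscalations(BUGGY));
        System.out.println("fixed escalations = " + countEscalations(FIXED));
    }
}
```

Enumerating every grant against every right, as `countEscalations` does, is small enough to keep as a regression test for any bitmask-based permission check.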