mail::ACCOUNT::setRights — Change access control lists
#include <libmail/sync.H>
mail::ACCOUNT *mail;
mail::folder *folder;
bool
ok=mail->setRights( |
mail::folder *folder, |
| std::string &errorIdentifier, | |
| std::vector<std::string> &errorRights, | |
| std::string identifier, | |
std::string rights); |
This function implements folder access control lists
(ACLs). Access control lists define who is allowed to do
certain operations on a folder, or on messages in the folder.
Folder ACLs are implement only for IMAP accounts on IMAP
servers that implement access control lists. This function
will fail if folder
is not a folder on an IMAP server that supports access
control lists.
This function changes folder's access control list
entry for identifier. Any existing
access rights for identifier are replaced by
rights. If the
access control list does not have an entry for identifier, one is created.
With some servers, setting identifier's rights to an
empty string automatically removes identifier from the access
control list.
Not all servers support every one of the following access control list identifiers. See the server's documentation to check which access control list identifiers are implemented by the server:
anonymous”, or
“anyone”This identifier refers to universal access rights given to everyone, including anonymous users (if supported by server).
authuser”Same as “anyone”, except for anonymous users. If the server does not implement anonymous access, then “anonymous”, “anyone”, and “authuser” are equivalent.
owner”The owner of the mailbox that contains the folder.
administrators”Any member of a group that's defined as an administrator group, in an implementation-defined way.
user=username”A single system user, identified by username.
group=groupname”Any system user that's part of a group identified
by groupname. Groups are
created and managed by IMAP server-specific tools.
See the server's documentation for information on
creating and managing groups (if the groups are even
implemented by the server in the first place).
identifier”An access control list identifier may be prefixed
by a “-”, which refers to a
“negative
right”. Negative rights explicitly
revoke the associated access rights from the
identifier
instead of granting the right.
Negative rights are not implemented by all servers. See the server's documentation to check if the server implements negative access rights.
username and
groupname must
specified using the UTF-8
character set.
At this time, the following access rights are supported:
a”Administrator access: view and change folder access control lists.
c”Create subfolders.
e”Expunge deleted messages from the folder.
i”Insert, or add messages to the folder.
l”List, or view the folder's existence. If a folder
does not have the “l”
access right, the server will not include this folder
when it's asked to list all folders in the folder
directory. However, if the “r” access right is
present, the folder may be opened if the folder's
name is known.
r”Read, or open the folder. An attempt to open the
folder will fail without the “r” access right, even
if the folder's name is known.
p”“Post messages” to the folder. This access right is currently listed in the ACL specification; however its intention is not clear, and most servers do not do anything useful with this access right. It is listed here for information purposes only.
s”Allow changing the read/unread status of messages
in the folder. The server will not automatically
clear the unread message status
flag on messages after they are read, or let this
status flag be explicitly changed, without the
“s” access right.
t”Allow tagging of messages as deleted or undeleted.
The server will prohibit changing the messages'
deleted
message status flag without the “t” access right.
w”Allow changing the draft, replied, and
marked
message status flags. The server will not allow
changes to these flags without the “w” access right.
x”Allow this folder to be removed. The server will
not this folder to be deleted without the
“x” access right.
If rights
begins with “+”, the remaining access rights are
added to any existing rights that identifier already has. If
rights begins
with “-”, the remaining access rights are
removed from identifier existing access
rights.
Most IMAP servers have restrictions on which combinations of access rights are valid for which folders. See the IMAP server's documentation to check for any access rights restrictions. The most common restriction is that the “e”, “t”, and “x” access rights must either be set together, as a group, or not. The server will reject or ignore an attempt to set prohibited combinations of access rights for a given folder.
Some IMAP servers implement an extended form of the
access control list protocol which makes it possible to
obtain the server's restrictions. When an attempt to set an
invalid access right combination is rejected, errorIdentifier will be set
to indicate which identifier's access right combination was
rejected (usually it will be set to the same value as
identifier.
errorRights
will be set to an array of strings, each strings consisting
of one or more access rights. The first array element,
errorRights[0]
will contain the minimum access rights required for this
folder (which may be an empty string if the folder does not
require any minimum access rights for the identifier). Each
remaining string lists an optional access right allowed for
this folder. If a string contains more than one access
right, it means that these access rights must be added or
removed from the access control list together, as a
group.