1 #ifndef ACL_API_H 2 #define ACL_API_H 3 4 #include <sys/stat.h> 5 6 struct mailbox_list; 7 struct mail_storage; 8 struct mailbox; 9 struct acl_object; 10 11 /* Show mailbox in mailbox list. Allow subscribing to it. */ 12 #define MAIL_ACL_LOOKUP "lookup" 13 /* Allow opening mailbox for reading */ 14 #define MAIL_ACL_READ "read" 15 /* Allow permanent flag changes (except for seen/deleted). 16 If not set, doesn't allow save/copy to set any flags either. */ 17 #define MAIL_ACL_WRITE "write" 18 /* Allow permanent seen-flag changes */ 19 #define MAIL_ACL_WRITE_SEEN "write-seen" 20 /* Allow permanent deleted-flag changes */ 21 #define MAIL_ACL_WRITE_DELETED "write-deleted" 22 /* Allow saving and copying mails into the mailbox */ 23 #define MAIL_ACL_INSERT "insert" 24 /* Allow posting mails to the mailbox (e.g. Sieve fileinto) */ 25 #define MAIL_ACL_POST "post" 26 /* Allow expunging mails */ 27 #define MAIL_ACL_EXPUNGE "expunge" 28 /* Allow creating child mailboxes */ 29 #define MAIL_ACL_CREATE "create" 30 /* Allow deleting this mailbox */ 31 #define MAIL_ACL_DELETE "delete" 32 /* Allow changing ACL state in this mailbox */ 33 #define MAIL_ACL_ADMIN "admin" 34 35 #define MAILBOX_ATTRIBUTE_PREFIX_ACL \ 36 MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT"acl/" 37 38 /* ACL identifiers in override order */ 39 enum acl_id_type { 40 /* Anyone's rights, including anonymous's. 41 identifier name is ignored. */ 42 ACL_ID_ANYONE, 43 /* Authenticate users' rights. identifier name is ignored. */ 44 ACL_ID_AUTHENTICATED, 45 /* Group's rights */ 46 ACL_ID_GROUP, 47 /* Owner's rights, used when user is the storage's owner. 48 identifier name is ignored. */ 49 ACL_ID_OWNER, 50 /* User's rights */ 51 ACL_ID_USER, 52 /* Same as group's rights, but also overrides user's rights */ 53 ACL_ID_GROUP_OVERRIDE, 54 55 ACL_ID_TYPE_COUNT 56 }; 57 58 enum acl_modify_mode { 59 /* Remove rights from existing ACL */ 60 ACL_MODIFY_MODE_REMOVE = 0, 61 /* Add rights to existing ACL (or create a new one) */ 62 ACL_MODIFY_MODE_ADD, 63 /* Replace existing ACL with given rights */ 64 ACL_MODIFY_MODE_REPLACE, 65 /* Clear all the rights from an existing ACL */ 66 ACL_MODIFY_MODE_CLEAR 67 }; 68 69 struct acl_rights { 70 /* Type of the identifier, user/group */ 71 enum acl_id_type id_type; 72 /* Identifier, eg. username / group name */ 73 const char *identifier; 74 75 /* Rights assigned. NULL entry can be ignored, but { NULL } means user 76 has no rights. */ 77 const char *const *rights; 78 /* Negative rights assigned */ 79 const char *const *neg_rights; 80 81 /* These rights are global for all users */ 82 bool global:1; 83 }; 84 ARRAY_DEFINE_TYPE(acl_rights, struct acl_rights); 85 86 struct acl_rights_update { 87 struct acl_rights rights; 88 89 enum acl_modify_mode modify_mode; 90 enum acl_modify_mode neg_modify_mode; 91 /* These changes' "last changed" timestamp */ 92 time_t last_change; 93 }; 94 95 /* data contains the information needed to initialize ACL backend. If username 96 is NULL, it means the user is anonymous. Username and groups are matched 97 case-sensitively. */ 98 struct acl_backend * 99 acl_backend_init(const char *data, struct mailbox_list *list, 100 const char *acl_username, const char *const *groups, 101 bool owner); 102 void acl_backend_deinit(struct acl_backend **backend); 103 104 /* Returns the acl_username passed to acl_backend_init(). Note that with 105 anonymous users NULL is returned. */ 106 const char *acl_backend_get_acl_username(struct acl_backend *backend); 107 108 /* Returns TRUE if user isn't anonymous. */ 109 bool acl_backend_user_is_authenticated(struct acl_backend *backend); 110 /* Returns TRUE if user owns the storage. */ 111 bool acl_backend_user_is_owner(struct acl_backend *backend); 112 /* Returns TRUE if given name matches the ACL user name. */ 113 bool acl_backend_user_name_equals(struct acl_backend *backend, 114 const char *username); 115 /* Returns TRUE if ACL user is in given group. */ 116 bool acl_backend_user_is_in_group(struct acl_backend *backend, 117 const char *group_name); 118 /* Returns index for the right name. If it doesn't exist, it's created. */ 119 unsigned int acl_backend_lookup_right(struct acl_backend *backend, 120 const char *right); 121 /* Returns TRUE if acl_rights matches backend user. */ 122 bool acl_backend_rights_match_me(struct acl_backend *backend, 123 const struct acl_rights *rights); 124 125 /* List mailboxes that have lookup right to some non-owners. */ 126 struct acl_mailbox_list_context * 127 acl_backend_nonowner_lookups_iter_init(struct acl_backend *backend); 128 bool acl_backend_nonowner_lookups_iter_next(struct acl_mailbox_list_context *ctx, 129 const char **name_r); 130 int 131 acl_backend_nonowner_lookups_iter_deinit(struct acl_mailbox_list_context **ctx); 132 133 /* Force a rebuild for nonowner lookups index */ 134 int acl_backend_nonowner_lookups_rebuild(struct acl_backend *backend); 135 136 struct acl_object *acl_object_init_from_name(struct acl_backend *backend, 137 const char *name); 138 struct acl_object *acl_object_init_from_parent(struct acl_backend *backend, 139 const char *child_name); 140 void acl_object_deinit(struct acl_object **aclobj); 141 142 /* Returns 1 if we have the requested rights, 0 if not, or -1 if internal 143 error occurred. */ 144 int acl_object_have_right(struct acl_object *aclobj, unsigned int right_idx); 145 /* Returns 0 = ok, -1 = internal error */ 146 int acl_object_get_my_rights(struct acl_object *aclobj, pool_t pool, 147 const char *const **rights_r); 148 /* Returns the default rights for the object. */ 149 const char *const *acl_object_get_default_rights(struct acl_object *aclobj); 150 /* Returns timestamp of when the ACLs were last changed for this object, 151 or 0 = never. */ 152 int acl_object_last_changed(struct acl_object *aclobj, time_t *last_changed_r); 153 154 /* Update ACL of given object. */ 155 int acl_object_update(struct acl_object *aclobj, 156 const struct acl_rights_update *update); 157 158 /* List all identifiers. */ 159 struct acl_object_list_iter *acl_object_list_init(struct acl_object *aclobj); 160 bool acl_object_list_next(struct acl_object_list_iter *iter, 161 struct acl_rights *rights_r); 162 int acl_object_list_deinit(struct acl_object_list_iter **iter); 163 164 /* Returns the canonical ID for the right. */ 165 const char *acl_rights_get_id(const struct acl_rights *right); 166 167 #endif 168