   will return:

      S: * LISTRIGHTS archive/imap anyone "" lr s w i p k c x te d

   Example: The server that ties the rights as follows:

      lr swte i p k x

   and c=kx

Melnikov                    Standards Track                     [Page 7]
RFC 4314                        IMAP ACL                   December 2005

   will return:

      S: * LISTRIGHTS archive/imap anyone "" lr swted i p k x c

   (*) Clients conforming to this document MUST ignore the virtual "d" and "c" rights in MYRIGHTS, ACL, and LISTRIGHTS responses.

   (**) The IMAPEXT Working Group has debated this issue at great length and, after reviewing existing ACL implementations, concluded that this is a reasonable restriction.

2.2. Rights Defined in RFC 2086

   The "RIGHTS=" capability MUST NOT include any of the rights defined in RFC 2086: "l", "r", "s", "w", "i", "p", "a", "c", "d", and the digits ("0" .. "9").

3. Access control management commands and responses

   Servers, when processing a command that has an identifier as a parameter (i.e., any of the SETACL, DELETEACL, and LISTRIGHTS commands), SHOULD first prepare the received identifier using the "SASLprep" profile [SASLprep] of the "stringprep" algorithm [Stringprep]. If the preparation of the identifier fails or results in an empty string, the server MUST refuse to perform the command with a BAD response. Note that Section 6 recommends additional identifier verification steps.

3.1. SETACL Command

   Arguments:  mailbox name
               identifier
               access right modification

   Data:       no specific data for this command

   Result:     OK - setacl completed
               NO - setacl failure: can't set acl
               BAD - arguments invalid

   The SETACL command changes the access control list on the specified mailbox so that the specified identifier is granted permissions as specified in the third argument.

   The third argument is a string containing an optional plus ("+") or minus ("-") prefix, followed by zero or more rights characters. If the string starts with a plus, the following rights are added to any existing rights for the identifier.
   If the string starts with a minus, the following rights are removed from any existing rights for the identifier. If the string does not start with a plus or minus, the rights replace any existing rights for the identifier.

   Note that an unrecognized right MUST cause the command to return the BAD response. In particular, the server MUST NOT silently ignore unrecognized rights.

   Example:    C: A001 GETACL INBOX/Drafts
               S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswi
               S: A001 OK Getacl complete
               C: A002 SETACL INBOX/Drafts Chris +cda
               S: A002 OK Setacl complete
               C: A003 GETACL INBOX/Drafts
               S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswicdakxet
               S: A003 OK Getacl complete
               C: A035 SETACL INBOX/Drafts John lrQswicda
               S: A035 BAD Uppercase rights are not allowed
               C: A036 SETACL INBOX/Drafts John lrqswicda
               S: A036 BAD The q right is not supported

3.2. DELETEACL Command

   Arguments:  mailbox name
               identifier

   Data:       no specific data for this command

   Result:     OK - deleteacl completed
               NO - deleteacl failure: can't delete acl
               BAD - arguments invalid

   The DELETEACL command removes any <identifier,rights> pair for the specified identifier from the access control list for the specified mailbox.

   Example:    C: B001 getacl INBOX
               S: * ACL INBOX Fred rwipslxetad -Fred wetd $team w
               S: B001 OK Getacl complete
               C: B002 DeleteAcl INBOX Fred
               S: B002 OK Deleteacl complete
               C: B003 GETACL INBOX
               S: * ACL INBOX -Fred wetd $team w
               S: B003 OK Getacl complete

3.3. GETACL Command

   Arguments:  mailbox name

   Data:       untagged responses: ACL

   Result:     OK - getacl completed
               NO - getacl failure: can't get acl
               BAD - arguments invalid

   The GETACL command returns the access control list for mailbox in an untagged ACL response.

   Some implementations MAY permit multiple forms of an identifier to reference the same IMAP account. Usually, such implementations will have a canonical form that is stored internally.
   An ACL response caused by a GETACL command MAY include a canonicalized form of the identifier that might be different from the one used in the corresponding SETACL command.

   Example:    C: A002 GETACL INBOX
               S: * ACL INBOX Fred rwipsldexta
               S: A002 OK Getacl complete

3.4. LISTRIGHTS Command

   Arguments:  mailbox name
               identifier

   Data:       untagged responses: LISTRIGHTS

   Result:     OK - listrights completed
               NO - listrights failure: can't get rights list
               BAD - arguments invalid

   The LISTRIGHTS command takes a mailbox name and an identifier and returns information about what rights can be granted to the identifier in the ACL for the mailbox.

   Some implementations MAY permit multiple forms of an identifier to reference the same IMAP account. Usually, such implementations will have a canonical form that is stored internally. A LISTRIGHTS response caused by a LISTRIGHTS command MUST always return the same form of an identifier as specified by the client. This is to allow the client to correlate the response with the command.

   Example:    C: a001 LISTRIGHTS ~/Mail/saved smith
               S: * LISTRIGHTS ~/Mail/saved smith la r swicdkxte
               S: a001 OK Listrights completed

   Example:    C: a005 listrights archive/imap anyone
               S: * LISTRIGHTS archive.imap anyone "" l r s w i p k x t e c d a 0 1 2 3 4 5 6 7 8 9
               S: a005 Listrights successful

3.5. MYRIGHTS Command

   Arguments:  mailbox name

   Data:       untagged responses: MYRIGHTS

   Result:     OK - myrights completed
               NO - myrights failure: can't get rights
               BAD - arguments invalid

   The MYRIGHTS command returns the set of rights that the user has to mailbox in an untagged MYRIGHTS reply.

   Example:    C: A003 MYRIGHTS INBOX
               S: * MYRIGHTS INBOX rwiptsldaex
               S: A003 OK Myrights complete

3.6. ACL Response

   Data:       mailbox name
               zero or more identifier rights pairs

   The ACL response occurs as a result of a GETACL command. The first string is the mailbox name for which this ACL applies.
   This is followed by zero or more pairs of strings; each pair contains the identifier for which the entry applies followed by the set of rights that the identifier has.

   Section 2.1.1 details additional server requirements related to handling of the virtual "d" and "c" rights.

3.7. LISTRIGHTS Response

   Data:       mailbox name
               identifier
               required rights
               list of optional rights

   The LISTRIGHTS response occurs as a result of a LISTRIGHTS command. The first two strings are the mailbox name and identifier for which this rights list applies. Following the identifier is a string containing the (possibly empty) set of rights the identifier will always be granted in the mailbox.

   Following this are zero or more strings each containing a set of rights the identifier can be granted in the mailbox. Rights mentioned in the same string are tied together. The server MUST either grant all tied rights to the identifier in the mailbox or grant none.

   Section 2.1.1 details additional server requirements related to handling of the virtual "d" and "c" rights.

   The same right MUST NOT be listed more than once in the LISTRIGHTS command.

3.8. MYRIGHTS Response

   Data:       mailbox name
               rights

   The MYRIGHTS response occurs as a result of a MYRIGHTS command. The first string is the mailbox name for which these rights apply. The second string is the set of rights that the client has.

   Section 2.1.1 details additional server requirements related to handling of the virtual "d" and "c" rights.

4. Rights Required to Perform Different IMAP4rev1 Commands

   Before executing a command, an ACL-compliant server MUST check which rights are required to perform it. This section groups commands by the functions they perform and lists the rights required. It also gives a detailed description of any special processing required.
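   The identifier preparation rule of Section 3 and the SETACL semantics of Section 3.1, worked through in Python as an added example; this is not code from RFC 4314 or from any IMAP server. SASLprep is implemented over the standard library's stringprep tables, the third SETACL argument is parsed and applied, unrecognized rights (uppercase letters included) yield BAD, and the virtual "c" and "d" rights are expanded. Assumptions: the expansion c=kx, d=et is taken from the document's own examples ("c=kx" in the LISTRIGHTS example, "+cda" producing "kxet" in the SETACL example), whereas a server that controls DELETE with "d" would map it to "etx"; and "-c"/"-d" are assumed to drop the mapped rights as well. The names setacl, expand_virtual and acl_response are this example's own.

```python
import stringprep
import unicodedata

# Rights from RFC 2086 and RFC 4314 ("d" and "c" are the virtual rights of
# Section 2.1.1); the digits are reserved for implementation-defined rights.
ALL_RIGHTS = set("lrswipkxteacd0123456789")

# ASSUMPTION: expansion of the virtual rights as used by the document's own
# examples ("c=kx"; "+cda" yielding "kxet").  A server that controls DELETE
# with "d" would map "d" to "etx" instead.
VIRTUAL = {"c": "kx", "d": "et"}


class BadCommand(Exception):
    """The server must answer the tagged command with BAD."""


def saslprep(s):
    """SASLprep (RFC 4013) profile of stringprep, using the stdlib tables."""
    # 1. Mapping: non-ASCII spaces (C.1.2) -> SPACE; "map to nothing" (B.1) dropped.
    mapped = []
    for ch in s:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    # 2. Normalization: NFKC.
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # 3. Prohibited output: C.1.2, C.2.1, C.2.2, C.3 .. C.9; unassigned code
    #    points (A.1) are rejected too (the strict rule for stored strings).
    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
        stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
        stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9, stringprep.in_table_a1,
    )
    for ch in out:
        if any(test(ch) for test in prohibited):
            raise ValueError("prohibited code point U+%04X" % ord(ch))
    # 4. Bidi rule: right-to-left (RandALCat) text may not mix with LCat text
    #    and must start and end with a RandALCat character.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("right-to-left text must start and end RandALCat")
    return out


def prepare_identifier(raw):
    """Section 3: SASLprep the identifier; failure or an empty result is BAD."""
    try:
        ident = saslprep(raw)
    except ValueError as exc:
        raise BadCommand("identifier rejected by SASLprep: %s" % exc)
    if not ident:
        raise BadCommand("identifier is empty after SASLprep")
    return ident


def expand_virtual(rights):
    """Add the real rights behind "c"/"d", and show the virtual letter whenever
    its whole expansion is held (as the ACL and MYRIGHTS examples do)."""
    out = set(rights)
    for virt, real in VIRTUAL.items():
        if virt in out:
            out |= set(real)
        if set(real) <= out:
            out.add(virt)
    return out


def parse_modification(arg):
    """Third SETACL argument: optional "+" or "-", then zero or more rights.
    Any unrecognized right, uppercase letters included, MUST give BAD."""
    mode = "replace"
    if arg and arg[0] in "+-":
        mode = "add" if arg[0] == "+" else "remove"
        arg = arg[1:]
    unknown = [ch for ch in arg if ch not in ALL_RIGHTS]
    if unknown:
        raise BadCommand("unrecognized right(s): %s" % "".join(unknown))
    return mode, expand_virtual(set(arg))


def setacl(acl, raw_identifier, modification):
    """Apply SETACL to an ACL (identifier -> set of rights).
    Returns ("OK", new_acl) or ("BAD", reason); the input ACL is left as is."""
    try:
        ident = prepare_identifier(raw_identifier)
        mode, rights = parse_modification(modification)
    except BadCommand as exc:
        return "BAD", str(exc)
    current = acl.get(ident, set())
    new = {"add": current | rights, "remove": current - rights, "replace": rights}[mode]
    new_acl = dict(acl)
    new_acl[ident] = expand_virtual(new)
    return "OK", new_acl


def acl_response(mailbox, acl):
    """Untagged ACL response (Section 3.6): mailbox, then identifier/rights pairs."""
    parts = ["*", "ACL", mailbox]
    for ident, rights in acl.items():
        parts += [ident, "".join(sorted(rights))]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample ACL matching the SETACL example of Section 3.1.
    acl = {"Fred": set("rwipslxetad"), "Chris": set("lrswi")}
    status, acl = setacl(acl, "Chris", "+cda")
    print(status, acl_response("INBOX/Drafts", acl))   # Chris gets lrswicdakxet
    print(setacl(acl, "John", "lrQswicda"))            # BAD: uppercase right
    print(setacl(acl, "John", "lrqswicda"))            # BAD: "q" is not a right
    print(setacl(acl, "\u00ad", "lr"))                 # BAD: empty after SASLprep
```

   Running the sample reproduces the Section 3.1 exchange: "+cda" on "lrswi" gives "lrswicdakxet" (sorted here), and the two invalid strings are refused rather than silently trimmed. A SOFT HYPHEN identifier is mapped to nothing by SASLprep and therefore also ends in BAD, which is the Section 3 rule.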
   For the purpose of this section, the UID counterpart of a command is considered to be the same command, e.g., both UID COPY and COPY commands require the same set of rights.

   The table below summarizes different rights or their combinations that are required in order to perform different IMAP operations. As it is not always possible to express complex right checking and interactions, the description after the table should be used as the primary reference.

   +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+
   |Operations\Rights  | l | r | s | w | i | k | x | t | e | a |Any|Non|
   +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+
   | commands in authenticated state                                   |
   +-------------------------------------------------------------------+
   | LIST              | + |   |   |   |   |   |   |   |   |   |   |   |
   | SUBSCRIBE         | * |   |   |   |   |   |   |   |   |   |   | * |
   | UNSUBSCRIBE       |   |   |   |   |   |   |   |   |   |   |   | + |
   | LSUB              | * |   |   |   |   |   |   |   |   |   |   | * |
   |CREATE (for parent)|   |   |   |   |   | + |   |   |   |   |   |   |
   | DELETE            |   | ? |   |   |   |   | + | ? | ? |   |   |   |
   | RENAME            |   |   |   |   |   | + | + |   |   |   |   |   |
   | SELECT/EXAMINE    |   | + |   |   |   |   |   |   |   |   |   |   |
   | STATUS            |   | + |   |   |   |   |   |   |   |   |   |   |
   | SETACL/DELETEACL  |   |   |   |   |   |   |   |   |   | + |   |   |
   | GETACL/LISTRIGHTS |   |   |   |   |   |   |   |   |   | + |   |   |
   | MYRIGHTS          |   |   |   |   |   |   |   |   |   |   | + |   |
   | APPEND            |   |   | ? | ? | + |   |   | ? |   |   |   |   |
   +-------------------------------------------------------------------+
   | commands in selected state                                        |
   +-------------------------------------------------------------------+
   | COPY              |   |   | ? | ? | + |   |   | ? |   |   |   |   |
   | EXPUNGE           |   |   |   |   |   |   |   |   | + |   |   |   |
   | CLOSE             |   |   |   |   |   |   |   |   | ? |   |   |   |
   | FETCH             |   |   | ? |   |   |   |   |   |   |   |   |   |
   | STORE flags       |   |   | ? | ? |   |   |   | ? |   |   |   |   |
   +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+

   Note: for all commands in the selected state, the "r" right is implied, because it is required to SELECT/EXAMINE a mailbox.
   Servers are not required to check presence of the "r" right once a mailbox is successfully selected.

   Legend:
      +     - The right is required
      *     - Only one of the rights marked with * is required (see description below)
      ?     - The right is OPTIONAL (see description below)
      "Any" - at least one of the "l", "r", "i", "k", "x", "a" rights is required
      "Non" - No rights required to perform the command

   Listing and subscribing/unsubscribing mailboxes:

   LIST - "l" right is required. However, unlike other commands (e.g., SELECT) the server MUST NOT return a NO response if it can't list a mailbox. Note that if the user has "l" right to a mailbox "A/B", but not to its parent mailbox "A", the LIST command should behave as if the mailbox "A" doesn't exist, for example:

      C: A777 LIST "" *
      S: * LIST (\NoInferiors) "/" "A/B"
      S: * LIST () "/" "C"
      S: * LIST (\NoInferiors) "/" "C/D"
      S: A777 OK LIST completed

   SUBSCRIBE - "l" right is required only if the server checks for mailbox existence when performing SUBSCRIBE.

   UNSUBSCRIBE - no rights required to perform this operation.

   LSUB - "l" right is required only if the server checks for mailbox existence when performing SUBSCRIBE. However, unlike other commands (e.g., SELECT) the server MUST NOT return a NO response if it can't list a subscribed mailbox.
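   The LIST behaviour described above, contrasted with SELECT and MYRIGHTS from the table, as an added Python example that is not part of RFC 4314 or of any IMAP server: a mailbox the user lacks "l" on is silently absent from LIST output (the parent "A" disappears while "A/B" is still listed, and no NO is ever returned), whereas SELECT without "r" answers NO, and MYRIGHTS needs at least one of the "Any" rights. The hierarchy, the per-mailbox rights and the function names are constructed for this example; it only handles LIST "" * and, as an assumption, reports \NoInferiors for leaves of the full hierarchy rather than from a real storage model.

```python
# Constructed sample: the server's full mailbox hierarchy and the rights the
# connected user holds on each mailbox, modelled on the LIST example above.
MAILBOXES = ["A", "A/B", "C", "C/D"]
USER_RIGHTS = {"A": "", "A/B": "lrs", "C": "lr", "C/D": "lrswi"}
DELIM = "/"


def rights_on(mailbox, rights=USER_RIGHTS):
    """Rights the user holds on a mailbox; an unknown mailbox grants nothing."""
    return set(rights.get(mailbox, ""))


def list_responses(tag, mailboxes=MAILBOXES, rights=USER_RIGHTS):
    """LIST "" *: only mailboxes the user holds "l" on are returned, a parent
    without "l" is simply absent, and the command never fails with NO."""
    lines = []
    for name in mailboxes:
        if "l" not in rights_on(name, rights):
            continue  # behave as if this mailbox does not exist
        # ASSUMPTION: \NoInferiors is reported for leaves of the full hierarchy,
        # hidden mailboxes included; real servers derive it from storage.
        has_children = any(m.startswith(name + DELIM) for m in mailboxes)
        attrs = "" if has_children else "\\NoInferiors"
        lines.append('* LIST (%s) "%s" "%s"' % (attrs, DELIM, name))
    lines.append("%s OK LIST completed" % tag)
    return lines


def select_response(tag, mailbox, rights=USER_RIGHTS):
    """SELECT/EXAMINE need "r" and, unlike LIST, answer NO when it is missing."""
    if "r" not in rights_on(mailbox, rights):
        return '%s NO SELECT failed: no "r" right on %s' % (tag, mailbox)
    return "%s OK SELECT completed" % tag


def myrights_responses(tag, mailbox, rights=USER_RIGHTS):
    """MYRIGHTS needs any one of "l", "r", "i", "k", "x", "a" (the "Any" column)."""
    held = rights_on(mailbox, rights)
    if not held & set("lrikxa"):
        return ["%s NO MYRIGHTS failed: no access to %s" % (tag, mailbox)]
    return ["* MYRIGHTS %s %s" % (mailbox, "".join(sorted(held))),
            "%s OK MYRIGHTS completed" % tag]


if __name__ == "__main__":
    print('C: A777 LIST "" *')
    for line in list_responses("A777"):
        print("S:", line)
    print("S:", select_response("A778", "A"))        # NO: no "r" on A
    print("S:", select_response("A779", "C/D"))      # OK
    for line in myrights_responses("A780", "A"):     # NO: none of the "Any" rights
        print("S:", line)
```

   The output of the sample is exactly the A777 exchange shown above; changing "A" to hold "l" makes it reappear as "* LIST () "/" "A"" because its child still exists in the hierarchy.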