Results 1 to 7 of 7

Thread: Sharing questions and a potentially alarming sharing bug?

  1. #1
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Question Sharing questions and a potentially alarming sharing bug?

    Hi everyone

    I'm gradually migrating users over from MS SBS 2003 (only 13 users total) and looking to replicate our extensive nested Public Folders system.
    We're planning to have a dedicated "company" account which is shared between all users of a particular distribution list.

    I see that for users to be able to accept shares and access them they need to have sharing enabled in their COS.
    However that also means that they can create shares for other users.

    1) Can I set it so that users can accept/mount/access/unmount shares... but not create shares for other users?

    2) Can the sharer force the name (mount point) and colour onto the user?

    3) Ideally forcing shares to be auto-mounted and preventing users from dismounting would be properly awesome as well. Is that possible?

    4) In my testing I've noticed a slight inconsistency with the users Sharing section in the Preferences of the Ajax UI.
    If user X shares a mail folder with subfolders to user Y, then user Y only gets a single share request e-mail.
    If user Y then deletes a subfolder from the share, it goes into user Xs Trash (really cool!).
    User X then restores that subfolder into the share... fair enough it takes a few minutes for that to appear again or a logout/login for user Y.
    But if user Y then goes into Sharing Preferences and uses the function to search for folders shared by user X, the deleted and now restored subfolder appears as a separate share request in the "not yet accepted" section.
    Even though that subfolder is happily displayed again under the original share.
    ... does that make any sense?
    Means a user could then create an a mount point for the subfolder whilst the parent folder is also shared.
    Fair enough if user X wants to share the subfolder again or with different permissions for example but in this case I don't think it should appear as a separate/new share request for user Y.

    5) Another thing I've just noticed... pretty concerning!
    If user X shares a folder with subfolders to user Y, user Y has r+w permissions.
    User Y deletes the main mount point (the root of the share) so it appears in their own Trash.
    That's fine... as those actions don't affect the share and its contents as far as user X or any other users are concerned.
    However if user Y then right clicks the mount point that's sat in their Trash and selects "Empty Folder", then the entire contents of that mount point is deleted... from user X's mailbox completely
    Those deleted items/subfolders don't even end up in user X's Trash, just gone
    The parent folder that was the root of the share is still present in user X's mailbox but completely empty.

    Would it not be better to prevent users being able to permanently delete mail items/folders that are shared with them, even if they have Manager/Admin permissions?
    Anything a user deletes should be moved to the sharer's trash, then it's subject to the sharer's trash retention policy.

    Anyone got any comments/suggestions on these or able to replicate these final 2?

    Cheers, B
    Last edited by batfastad; 06-04-2010 at 05:21 PM. Reason: readability
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  2. #2
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    batfastad, I don't know the answers to all your questions but I have a couple ideas and a question of my own...
    2) Can the sharer force the name (mount point) and colour onto the user?

    3) Ideally forcing shares to be auto-mounted and preventing users from dismounting would be properly awesome as well. Is that possible?
    AFAIK, you can't prevent the sharee from dismounting or changing name/color, but mounting and setting name/color are all doable from the CLI (using zmmailbox), so you could write shell scripts to do such things administratively.

    5) Another thing I've just noticed... pretty concerning!
    If user X shares a folder with subfolders to user Y, user Y has r+w permissions.
    User Y deletes the main mount point (the root of the share) so it appears in their own Trash.
    That's fine... as those actions don't affect the share and its contents as far as user X or any other users are concerned.
    However if user Y then right clicks the mount point that's sat in their Trash and selects "Empty Folder", then the entire contents of that mount point is deleted... from user X's mailbox completely
    Those deleted items/subfolders don't even end up in user X's Trash, just gone
    The parent folder that was the root of the share is still present in user X's mailbox but completely empty.

    Would it not be better to prevent users being able to permanently delete mail items/folders that are shared with them, even if they have Manager/Admin permissions?
    Anything a user deletes should be moved to the sharer's trash, then it's subject to the sharer's trash retention policy.
    It sounds like you're mixing two functions. (1) If you delete any mail-object (folder or message), it goes to the trash. This is normal/desirable. (2) If you right-click on any folder in Mail, you have access to an "Empty Folder" command that immediately hard-deletes everything in the folder without sending it to Trash. Note that it doesn't matter where the folder itself is located.

    Anyway, no, I think that Managers should have the ability to hard-delete anything in a folder they have rights to. I do wonder what would happen if you deleted a message in one of the shared folders--does it go to Trash in the Manager account or does it go to Trash in the original account?

    I agree, though, that the "empty folder" command can be dangerous (as well as useful), so maybe there ought to be a preference or COS setting that controls its availability (in all folders other than Trash and Junk, where its function is unambiguous).

  3. #3
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Default

    Quote Originally Posted by ewilen View Post
    It sounds like you're mixing two functions. (1) If you delete any mail-object (folder or message), it goes to the trash. This is normal/desirable. (2) If you right-click on any folder in Mail, you have access to an "Empty Folder" command that immediately hard-deletes everything in the folder without sending it to Trash. Note that it doesn't matter where the folder itself is located.
    ...
    I agree, though, that the "empty folder" command can be dangerous (as well as useful), so maybe there ought to be a preference or COS setting that controls its availability (in all folders other than Trash and Junk, where its function is unambiguous).
    Ok I didn't really think that though, despite the warning msg that comes up! It's probably not a bug after all then.

    I think that Empty Folder should just empty the folder, sending the contents to Trash. Then you could permanently delete from Trash if you wanted or leave it for the Trash retention settings to kill it.
    Or at least to have a COS setting that can override the current behaviour.
    Though I believe the default behaviour should actually be the more "defensive" setting that I've just described.

    Quote Originally Posted by ewilen View Post
    I do wonder what would happen if you deleted a message in one of the shared folders--does it go to Trash in the Manager account or does it go to Trash in the original account?
    That's what I was testing above. So the reason it disappeared from the sharer's (user X) account is that I did "Empty Folder".
    I think it ends up in both users' Trash, the sharer and sharee.
    It sounds like it's not a bug after all but the designed behaviour! Frightening

    Quote Originally Posted by ewilen View Post
    Anyway, no, I think that Managers should have the ability to hard-delete anything in a folder they have rights to.
    I have to disagree on this one.
    Manager level is the lowest read+write permission available and should not be able to hard-delete IMO.
    Anything that anyone of Manager permission tries to hard-delete, should go to the sharer's Trash... where it could be rescued if needed.
    Users with Admin permissions granted on a share, should of course be able to hard-delete though.

    Ideally, if a sharee tries to delete from a shared folder (either a message of subfolder) then it skips their Trash and disappears immediately. Giving the impression of permanent deletion. But actually ends up in the sharer's Trash where it can be rescued.

    I'm just thinking about how a user could (either through fat-fingers or deliberately) permanently delete our 30GB set of hierarchical shared folders by OKing only a single warning message (the Empty Folder confirmation message). Then we'd have to restore from backup or disaster recovery etc.

    I can feel an RFE brewing in bugzilla about these

    Thanks for pointing me in the direction of zmmailbox though for auto-mounting. Be great if there was a simple mount point name box and tickbox to make the mount permanent on the sharing options dialogue box though.

    If anyone has any further comments, or any info on #1 and #4 above then please let me know

    Cheers, B
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  4. #4
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    There's certainly room for disagreement on how things should be; but giving options would be good, so if you submit an RFE, please post the # here so people can track & vote on it.

    However I do not think that Empty Folder should do one thing or another depending on COS, unless the behavior is clearly marked in the UI. It's just too confusing to have it be ambiguous, or for one Zimbra to work differently from another. Better to just have a COS or Preference that removes "Empty Folder" altogether. If you intend to move everything in a folder to the Trash, the way to do it is to tick the selection box in the header row (shift-tick will select all, even messages not yet loaded), and then hit delete on your keyboard.

    About Manager-delete going to the sharer's Trash, with Admin-delete having access to true hard-delete, it's an interesting idea. The downside is that there are probably scenarios where you want to give someone access to hard-delete but not give them the ability to modify the sharing permissions. Another downside is that "edit/remove" then mean different things depending on the role in the share grant. Really they ought to be different types of access altogether.

    Perhaps the ACL functionality in ZCS 6 can provide that level of granularity already; I haven't explored it. An alternative would be to just treat deletes by a sharee as soft-deletes that put the deleted item into the sharer's Trash, except if the delete is occurring from a shared Trash or Junk folder. In other words, if you want to give someone the ability to hard-delete, you share your Trash (and optionally Junk) folder(s) with them.

    EDIT: On second thought, that isn't completely satisfactory, either, since you don't necessarily want your sharee to be able to view/copy/delete stuff that you've put into your Trash. Hm...

  5. #5
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    Oh, and about auto-mounting, you can share the folder with a distro list and then "publish" the share. Doesn't do everything you want but it makes it easy for sharees to mount the folder at will, and you can just plop people into distro lists to give them access to certain sets of folders.

    http://www.zimbra.com/forums/adminis...haring-dl.html

  6. #6
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Default

    Yeah I agree on the consistency of Empty Folder behaviour. After thinking about it a bit more, here's what I think would be the best behaviour:
    • Remove the Empty Folder option entirely from shared mail folders, or have it greyed-out would be better
    • If the user deletes a mount point, it should remove the share and not move the mount point to Trash. Because if the user then decides to Empty Trash then that's permanent deletion of the contents of that share.
    • Deleting sub-folders or mail items from shared mail folders should delete to the owner's Trash but NOT additionally to the user's. This is probably easier to implement than having it hanging around in the Trash of the owner and the user. If a particular item needs to be rescued it can be retrieved from the owner's Trash. Also then stuff deleted from shared mail folders is subject to the owner's Trash retention and not users.


    Here's a bug I'm now voting for, to hopefully get this looked at... Bug 24727 – Shared mail folder delete warning

    Cheers for the info on the auto-mount stuff etc, very useful

    Cheers, B
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  7. #7
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    Quote Originally Posted by batfastad View Post
    Yeah I agree on the consistency of Empty Folder behaviour. After thinking about it a bit more, here's what I think would be the best behaviour:
    • Remove the Empty Folder option entirely from shared mail folders, or have it greyed-out would be better
    Not sure this is necessary. But if implemented, I'd be fine with it as an option, settable either via COS, domain/server-wide, or as a property of the share grant itself.
    • If the user deletes a mount point, it should remove the share and not move the mount point to Trash. Because if the user then decides to Empty Trash then that's permanent deletion of the contents of that share.
    Emptying Trash when there's a deleted mount point in it doesn't delete the contents of the share. (Try it and see--not even if the share is writeable.) OTOH I agree it's a confusing interface design. When right-clicking on a mount point, the "Delete" option should be changed into "Dismount" or "Unlink Share". ("Remove" isn't quite as clear.) And it shouldn't place the mount point into the Trash--it should just go away immediately.
    • Deleting sub-folders or mail items from shared mail folders should delete to the owner's Trash but NOT additionally to the user's. This is probably easier to implement than having it hanging around in the Trash of the owner and the user. If a particular item needs to be rescued it can be retrieved from the owner's Trash. Also then stuff deleted from shared mail folders is subject to the owner's Trash retention and not users.


    Here's a bug I'm now voting for, to hopefully get this looked at... Bug 24727 – Shared mail folder delete warning

    Cheers for the info on the auto-mount stuff etc, very useful

    Cheers, B
    You're welcome. I'm going to CC myself on that bug and vote for when I get a chance. I'll also link our discussion.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •