4udak / pyftpdlib

Automatically exported from code.google.com/p/pyftpdlib

"l" permission should be valid also for MDTM and SIZE commands #146

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Define a user with no permissions:
>>> authorizer.add_user('user', 'password', '/home/user', perm='')
2. Try to use MDTM or SIZE commands.

What is the expected output? What do you see instead?
Even though no permissions have been assigned to the user, the client authenticating as "user" can still use the MDTM (file modification time) and SIZE (file size) commands.
Although he's not aware of any pathname resident on the server (LIST, NLST, STAT or MLSD should be enabled via the "l" permission for that), he can still blindly use MLST or SIZE commands to figure out what file names exist in the user home directory (if the file exists, a response != 5xx is returned).

Similarly to issue 114, the server should avoid the usage of the MDTM and SIZE commands unless the "l" (list) permission has been specifically assigned to the user.
Although "l" is technically used for listing commands, using it also for MLSD and SIZE makes sense because information such as file size and modification time is already provided as part of LIST and MLSD responses.

Please use labels and text to provide additional information.
Security impact should be limited, as providing an FTP server without read/listing permissions against files of the local filesystem is not a common scenario.

Original issue reported on code.google.com by g.rodola on 13 Nov 2010 at 6:51
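As an added illustration of the check this issue asks for, and not pyftpdlib's own code: a small stand-alone Python model of an FTP command dispatcher with a per-user permission string. The `Authorizer` class, the `handle()` dispatcher, the `BEFORE_FIX` / `AFTER_FIX` permission tables and the temporary sample files are all constructed here for the demonstration; only the command names and the "l" permission letter come from the issue. It shows why the gap matters from the defender's side: before the fix, a user with `perm=''` gets a different reply for an existing and a missing file, while after the fix both requests get the same 550.

```python
"""Constructed model of the permission gate described in the issue.

This is NOT pyftpdlib's code. It simulates an FTP command dispatcher
with a pyftpdlib-style permission string, comparing the reported
behaviour (MDTM/SIZE answered regardless of permissions) with the fixed
behaviour (MDTM/SIZE require the "l" permission like the listing commands).
"""
import os
import tempfile


class Authorizer:
    """Minimal stand-in for a pyftpdlib-style authorizer (assumption)."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, homedir, perm=""):
        self._users[username] = {"pw": password, "home": homedir, "perm": perm}

    def has_perm(self, username, perm):
        return perm in self._users[username]["perm"]


# Permission each command needs. BEFORE_FIX models the behaviour the issue
# reports: MDTM and SIZE are answered for any authenticated user.
BEFORE_FIX = {"LIST": "l", "NLST": "l", "MLSD": "l", "MDTM": None, "SIZE": None}
# AFTER_FIX applies the "l" (list) permission to MDTM and SIZE as well.
AFTER_FIX = {"LIST": "l", "NLST": "l", "MLSD": "l", "MDTM": "l", "SIZE": "l"}


def handle(authorizer, username, command, path, perm_table):
    """Return the FTP reply code for `command` on `path`.

    550 is returned both when the permission is missing and when the file
    does not exist, so a client without "l" cannot tell the two apart.
    """
    required = perm_table[command]
    if required is not None and not authorizer.has_perm(username, required):
        return 550  # permission denied before `path` is ever looked at
    if command in ("SIZE", "MDTM"):
        if not os.path.isfile(path):
            return 550
        return 213  # in real FTP, 213 carries the size / modification time
    return 226  # listing commands are not exercised further in this model


def probe(perm_table):
    """Simulate the scenario from the issue: a user with perm='' sends SIZE
    for an existing and for a non-existing file. Returns the two reply codes."""
    authorizer = Authorizer()
    with tempfile.TemporaryDirectory() as home:
        existing = os.path.join(home, "secret.txt")
        with open(existing, "w") as f:
            f.write("constructed sample content\n")
        missing = os.path.join(home, "nope.txt")
        authorizer.add_user("user", "password", home, perm="")
        return (handle(authorizer, "user", "SIZE", existing, perm_table),
                handle(authorizer, "user", "SIZE", missing, perm_table))


if __name__ == "__main__":
    # Before the fix the two replies differ (213 vs 550); after the fix both
    # are 550, so the reply no longer depends on whether the file exists.
    print("before fix:", probe(BEFORE_FIX))
    print("after fix: ", probe(AFTER_FIX))
```

The design point is that the permission check runs before any filesystem access, so the reply for a user lacking "l" is identical whether or not the path exists; checking the permission only after `os.path.isfile()` would still let the timing or the reply code differ.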

GoogleCodeExporter commented 9 years ago
Fixed in r764.

Original comment by g.rodola on 13 Nov 2010 at 6:59

GoogleCodeExporter commented 9 years ago
Implemented in version 0.6.0.

Original comment by g.rodola on 23 Jan 2011 at 8:59