nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0
831 stars 257 forks

"lookup-only" permission on a folder breaks communication with server. (IMAP error reported by server.) #940

Open brrrrrrrt opened 6 years ago

brrrrrrrt commented 6 years ago

Steps to reproduce

  1. Set permissions to l (lookup only) on a single folder (on a Cyrus IMAP Server)
  2. No folders and no mails are shown

Expected behaviour

should show folders and emails, even if there is one folder with only lookup permissions.

if there are no read permissions on a listed folder nextcloud should not disconnect, but move on to the next folder.

Actual behaviour

everything stays blank, showing the message "loading accounts" forever, on top it shows "unknown Error". the problem persists if the folder is not subscribed at all.

it seems like the mail client issues a STATUS request on the mentioned folder, the server answers with "no permission" and nextcloud issues a logout.

Error

Horde_Imap_Client_Exception_ServerResponse: IMAP error reported by server.
  at Horde_Imap_Client_Socket::_getLine
     /net/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Imap_Client/Horde/Imap/Client/Socket.php, line 4302
  at Horde_Imap_Client_Socket::_sendCmdChunk
     /net/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Imap_Client/Horde/Imap/Client/Socket.php, line 4230
  at Horde_Imap_Client_Socket::_sendCmd
     /net/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Imap_Client/Horde/Imap/Client/Socket.php, line 1751
  at Horde_Imap_Client_Socket::_status
     /net/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Imap_Client/Horde/Imap/Client/Base.php, line 1728
  at Horde_Imap_Client_Base::status
     /net/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Imap_Client/Horde/Imap/Client/Base.php, line 4033
  at Horde_Imap_Client_Base::_syncStatus
     /net/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Imap_Client/Horde/Imap/Client/Base.php, line 3585
  at Horde_Imap_Client_Base::getSyncToken
     /net/www/nextcloud/apps/mail/lib/IMAP/FolderMapper.php, line 65
  at OCA\Mail\IMAP\FolderMapper::getFolders
     /net/www/nextcloud/apps/mail/lib/Service/MailManager.php, line 84
  at OCA\Mail\Service\MailManager::getFolders
     /net/www/nextcloud/apps/mail/lib/Controller/FoldersController.php, line 72
  at OCA\Mail\Controller\FoldersController::index
  at call_user_func_array
     /net/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php, line 161
  at OC\AppFramework\Http\Dispatcher::executeController
     /net/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php, line 91
  at OC\AppFramework\Http\Dispatcher::dispatch
     /net/www/nextcloud/lib/private/AppFramework/App.php, line 115
  at OC\AppFramework\App::main
     /net/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php, line 47
  at OC\AppFramework\Routing\RouteActionHandler::__invoke
  at call_user_func
     /net/www/nextcloud/lib/private/Route/Router.php, line 297
  at OC\Route\Router::match
     /net/www/nextcloud/lib/base.php, line 999
  at OC::handleRequest
     /net/www/nextcloud/index.php, line 42

conversation nextcloud <-> cyrus:

<1528817613<31 STATUS "Projekte.082.08292 AAA Blabla" (MESSAGES UIDNEXT UIDVALIDITY HIGHESTMODSEQ)
>1528817613>31 NO Permission denied
<1528817613<32 LOGOUT
>1528817613>* BYE LOGOUT received
32 OK Completed

when changing the folder's permission to e.g. lrswipcda everything works fine.

ChristophWurst commented 6 years ago

> Set permissions to l (lookup only) on a single folder (on a Cyrus IMAP Server)

Could you please elaborate what that setting does/means? How could the app check the permissions via IMAP?

brrrrrrrt commented 6 years ago

if you only set "l" (lookup) on a folder, you are able to see the folder, but you are not allowed to read its content. we use that for shared projects-folders. everyone has "l" permissions on all folders so they are able to see what folders exist, and if needed they can request permissions on a specific folder.

not sure how the app can "check" permissions, because "l" does not include the right to read the ACL. the commands STATUS, EXAMINE, SELECT and GETACL will all return "NO Permission denied", but is it normal to logout, just in case a STATUS command on a folder returns "NO Permission denied"?

ChristophWurst commented 6 years ago

> not sure how the app can "check" permissions, because "l" does not include the right to read the ACL. the commands STATUS, EXAMINE, SELECT and GETACL will all return "NO Permission denied", but is it normal to logout, just in case a STATUS command on a folder returns "NO Permission denied"?

Good point. We probably should just catch that case and handle it gracefully.

brrrrrrrt commented 6 years ago

when digging through the roundcube code i see that it is using the "extended list" command. it does not check every folder by imap commands but instead it builds an extended list command which also returns STATUS and much more for every folder in one single command, and then it parses multiple lines for every folder.

for example if you send:

LIST (SUBSCRIBED RECURSIVEMATCH) "" "*" RETURN (MYRIGHTS STATUS (MESSAGES UNSEEN))

you get the STATUS and MYRIGHTS for every single folder with just one imap command, and no breakage because there will be no error, as you will never ask for something on a folder you do not have permissions for.
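
The approach described in the comment above, as an added example that is not part of the thread or of the Mail app's code: parse the untagged LIST, MYRIGHTS and STATUS lines of one extended LIST reply and mark a folder for syncing only when `r` is granted, so a lookup-only folder is still shown but never receives a STATUS, EXAMINE or SELECT. The reply text, folder names and helper names are constructed; the response line shapes are assumed, and IMAP literals are not handled.

```python
import re

# Constructed server reply to the command quoted above:
#   LIST (SUBSCRIBED RECURSIVEMATCH) "" "*" RETURN (MYRIGHTS STATUS (MESSAGES UNSEEN))
# Folder names and counts are made up; "Projekte.Shared" is lookup-only ("l"),
# so the assumed server behaviour is to send no STATUS line for it.
SAMPLE_REPLY = '''\
* LIST (\\Subscribed) "." "INBOX"
* MYRIGHTS "INBOX" lrswipcda
* STATUS "INBOX" (MESSAGES 12 UNSEEN 3)
* LIST (\\Subscribed) "." "Projekte.Shared"
* MYRIGHTS "Projekte.Shared" l
* LIST (\\Subscribed \\HasNoChildren) "." Drafts
* MYRIGHTS Drafts lrswipcda
* STATUS Drafts (MESSAGES 0 UNSEEN 0)
a1 OK Completed
'''

NAME = r'(?:"((?:[^"\\]|\\.)*)"|([^\s()"]+))'  # quoted string or atom
LIST_RE = re.compile(r'^\* LIST \(([^)]*)\) (?:"(?:[^"\\]|\\.)"|NIL) ' + NAME + r'$')
MYRIGHTS_RE = re.compile(r'^\* MYRIGHTS ' + NAME + r' (\S+)$')
STATUS_RE = re.compile(r'^\* STATUS ' + NAME + r' \(([^)]*)\)$')

def _name(quoted, atom):
    """Return the mailbox name, unescaping a quoted string."""
    return re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else atom

def parse_folders(reply):
    """Build {name: {flags, rights, status, readable}} from one LIST reply."""
    folders = {}
    def entry(name):
        return folders.setdefault(name, {"flags": [], "rights": "", "status": None})
    for line in reply.splitlines():
        if m := LIST_RE.match(line):
            entry(_name(m[2], m[3]))["flags"] = m[1].split()
        elif m := MYRIGHTS_RE.match(line):
            entry(_name(m[1], m[2]))["rights"] = m[3]
        elif m := STATUS_RE.match(line):
            kv = m[3].split()
            entry(_name(m[1], m[2]))["status"] = {k: int(v) for k, v in zip(kv[::2], kv[1::2])}
    for f in folders.values():
        noselect = "\\noselect" in (flag.lower() for flag in f["flags"])
        # Listed folders are always shown; only open them when "r" is granted.
        f["readable"] = "r" in f["rights"] and not noselect
    return folders

def folders_to_sync(folders):
    """Names that may safely receive STATUS/EXAMINE/SELECT."""
    return [name for name, f in folders.items() if f["readable"]]
```
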

brrrrrrrt commented 6 years ago

there is also some interesting information about that in the IMAP4 RFC, also mentioning the situation where only "l" ACL right is granted but no "r" right.