[Cosmo-dev] Re: securing access to items in multiple collections
Randy Letness
randy at osafoundation.org
Tue Nov 6 09:50:41 PST 2007
Ok, bringing this thread back from the dead:
I was thinking about this a little more and I like the idea of cosmo
moving to a tighter access control mechanism. What about the following
restrictions:
1. A request must authenticate as a single principal.
2. A principal is either a User or a Ticket.
3. A Ticket grants access to a single resource.
4. A User has access to multiple resources through ACLs.
5. Publishing an item to multiple collections requires a User principal.
6. A User principal that presents a ticket automatically has an ACE
added to the ticket's resource for that user.
The idea is that you can only authenticate using a single ticket, or as
a user. If you authenticate as a single ticket, then you have access to
that resource only. This means you can't add an existing item to the
collection because that single ticket won't grant you access to the
existing item, only the target collection. You can update and add new
items to the target collection.
In order to publish an existing item into another collection, you must
be authenticated as a user and that user must have permissions (through
the ACL) for that item. This prevents adding an item to another
collection just using a ticket. So how does the user get access to the
existing item? That user could be added to the ACL for the existing
item/collection but that would require more client work (security
dialogue). Cosmo could also support adding a user to an ACL by
presenting a ticket. A ticket is associated to a single resource, so if
a user presents that ticket, then the server could add the permissions
for the user to that resource. This could happen automatically by
including a set of relevant tickets in a header (an ACE for the user
would be added to each resource associated to each ticket).
This moves cosmo to a tighter security model and paves the way for true
ACL support. Thoughts?
-Randy
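The six restrictions above, modelled as a small authorization check. This is an added illustration, not Cosmo code; the `Server`, `User` and `Ticket` classes and the resource names (`bob-cal`, `alice-cal/evt1`, `tkt123`) are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str

@dataclass(frozen=True)
class Ticket:
    key: str
    resource: str  # rule 3: a ticket grants access to exactly one resource

class Server:
    """Hypothetical server holding ACLs (resource -> user names) and issued tickets."""
    def __init__(self):
        self.acl = {}
        self.tickets = {}

    def grant(self, resource, user_name):
        self.acl.setdefault(resource, set()).add(user_name)

    def issue_ticket(self, key, resource):
        self.tickets[key] = Ticket(key, resource)
        return self.tickets[key]

    def can_access(self, principal, resource):
        # rule 1: one principal per request; rule 2: it is a User or a Ticket
        if isinstance(principal, Ticket):
            return principal.resource == resource
        return principal.name in self.acl.get(resource, set())  # rule 4

    def create_item(self, principal, collection):
        # a ticket for the target collection may add brand-new items to it
        return self.can_access(principal, collection)

    def add_existing_item(self, principal, item, collection):
        # rule 5: publishing an existing item needs a User with rights on both
        if not isinstance(principal, User):
            return False
        return self.can_access(principal, item) and self.can_access(principal, collection)

    def present_tickets(self, user, keys):
        # rule 6: a User presenting tickets gets an ACE on each ticket's resource
        for key in keys:
            self.grant(self.tickets[key].resource, user.name)

def demo():
    s = Server()
    s.grant("alice-cal/evt1", "alice")          # alice owns an item in her collection
    s.grant("bob-cal", "bob")                   # bob owns his collection
    t = s.issue_ticket("tkt123", "bob-cal")     # bob shares bob-cal via a ticket
    alice = User("alice")
    out = {"ticket_new": s.create_item(t, "bob-cal"),
           "ticket_existing": s.add_existing_item(t, "alice-cal/evt1", "bob-cal"),
           "alice_before": s.add_existing_item(alice, "alice-cal/evt1", "bob-cal")}
    s.present_tickets(alice, ["tkt123"])        # alice presents bob's ticket as a user
    out["alice_after"] = s.add_existing_item(alice, "alice-cal/evt1", "bob-cal")
    return out
```

`demo()` shows the ticket alone can add new items but never publish an existing one, and that alice can only publish her item into `bob-cal` after presenting the ticket as a user.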