[Cosmo-dev] Re: securing access to items in multiple collections
Morgen Sagen
morgen at osafoundation.org
Wed Oct 10 10:56:48 PDT 2007
On 10/1/07, Mimi Yin <mimi at osafoundation.org> wrote:
> Yup, if you *receive* both read-only and read-write privileges to an
> item, then the more liberal privilege should win.
>
> The key is to not allow users to grant themselves read-write
> privileges simply by dragging an item from a read-only collection to
> one they have read-write access to.
Right -- I suggest you shouldn't be able to copy an item from one
collection to another unless you have write-access to that item -- the
server should determine you have write-access to an item if you have
at least one read-write ticket for any collection currently containing
that item. Please let me know if you see a security hole in this
proposal.
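As an added illustration of the rule proposed above (this is example code written for this page, not part of Cosmo): the effective privilege on an item is the most liberal ticket the user holds on any collection currently containing it, and a copy into another collection is refused unless the user has read-write on both the item and the destination. The collection contents, ticket table, user names and item ids are all constructed sample data.

```python
# Added example, not Cosmo project code. Models the rule from the message:
# privilege on an item = max over tickets of the collections containing it;
# copying an item into a collection requires read-write on the item itself,
# so a user cannot upgrade a read-only item by dragging it into a writable one.
from enum import IntEnum


class Privilege(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2


# Constructed sample data (hypothetical): collection -> item ids it contains.
COLLECTIONS = {
    "shared-readonly": {"item-1", "item-2"},
    "my-workspace": {"item-2", "item-3"},
    "team-notes": {"item-4"},
}

# Constructed sample data (hypothetical): (user, collection) -> ticket privilege.
TICKETS = {
    ("alice", "shared-readonly"): Privilege.READ,
    ("alice", "my-workspace"): Privilege.READ_WRITE,
    ("alice", "team-notes"): Privilege.READ,
}


def ticket_privilege(user, collection):
    """Privilege granted by the user's ticket on one collection (NONE if no ticket)."""
    return TICKETS.get((user, collection), Privilege.NONE)


def effective_privilege(user, item):
    """Most liberal privilege the user holds on item via any containing collection."""
    best = Privilege.NONE
    for collection, items in COLLECTIONS.items():
        if item in items:
            best = max(best, ticket_privilege(user, collection))
    return best


def can_copy(user, item, dest_collection):
    """Server-side check for copying item into dest_collection.

    Both conditions must hold: the user can write the destination, and the
    user already has read-write on the item through some collection. The
    second condition is what blocks the self-granted privilege escalation.
    """
    if ticket_privilege(user, dest_collection) < Privilege.READ_WRITE:
        return False
    return effective_privilege(user, item) == Privilege.READ_WRITE


if __name__ == "__main__":
    # item-1 is only in a read-only collection: copy into the writable one is refused.
    print(can_copy("alice", "item-1", "my-workspace"))  # False
    # item-2 is also in my-workspace (read-write), so alice may copy it elsewhere
    # she can write; team-notes is read-only for her, so that copy is refused.
    print(can_copy("alice", "item-2", "team-notes"))    # False
    print(can_copy("alice", "item-2", "my-workspace"))  # True
```

The check is deliberately evaluated against the collections the item is in right now, matching the "currently containing that item" wording: removing an item from the one collection that granted write access also removes the ability to copy it onward.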