[Cosmo-dev] securing access to items in multiple collections

Randy Letness randy at osafoundation.org
Thu Sep 27 10:00:31 PDT 2007


Yesterday Brian, Mimi and I chatted about how cosmo needs to tighten its 
security when it comes to items in multiple collections.  Here is the 
scenario:

1. User subscribes to collection 1 with a read-write ticket
2. User adds an item from the subscribed collection 1 to a personal 
collection 2.
3. User publishes collection 2, which contains an item that they didn't 
create.

Currently, the protocol doesn't perform any extra authorization checks 
in order to add an item to a published collection.  So there really 
isn't a way for the server to determine if a user really has write 
access to an item and cosmo just assumes they do.  I think everyone 
agrees that this needs to be fixed. 

We felt the best way to fix this in the short term was to add a list of 
tickets (probably as an HTTP header) to each Morse Code publish/update 
and the server will use those tickets to verify that a user has write 
access (either because they own the item or because one of the tickets 
provided allows access) to an item before adding that item to their 
collection.  Once an item has been added to a collection, the owner of 
that collection and anyone with a read-write ticket to that collection 
essentially has read-write access to that item.

This will require the client to keep track of which items were imported 
using a ticket, associate a ticket to an item, and generate a list of 
relevant tickets to include in the Morse Code request to prevent the 
server from rejecting a publish/update due to not being properly 
authorized.  There are some other details that we would need to hash out 
(when and where to include tickets, what is the user experience if the 
request is denied, etc).

Thoughts?

-Randy
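The following is an added worked example of the server-side check Randy 
describes, written for this page; it is not code from Randy's mail or from 
Cosmo. It assumes a header name (X-Cosmo-Ticket), an in-memory model of 
users, collections, items and tickets, and a small constructed scenario 
(alice owns collection c1 containing item x; bob owns c2 and tries to 
publish x into it). All of those names are assumptions.

```python
"""Model of the proposed write check: the client lists the tickets it
imported items with in a header, and the server verifies, per item,
that the requester owns it or holds a read-write ticket on a collection
it is already in, before adding it to the target collection."""
from dataclasses import dataclass, field

# Hypothetical header name; the mail only says "probably as an HTTP header".
TICKET_HEADER = "X-Cosmo-Ticket"


@dataclass(frozen=True)
class Ticket:
    key: str                # bearer secret the client presents
    collection_uid: str     # collection the ticket was issued for
    privileges: frozenset   # subset of {"read", "write"}


@dataclass
class Item:
    uid: str
    owner: str
    collection_uids: set = field(default_factory=set)


@dataclass
class Collection:
    uid: str
    owner: str
    tickets: dict = field(default_factory=dict)   # key -> Ticket


def parse_ticket_header(value):
    """Split a comma-separated header value into ticket keys, dropping blanks."""
    return [k.strip() for k in (value or "").split(",") if k.strip()]


class Server:
    def __init__(self, collections, items):
        self.collections = {c.uid: c for c in collections}
        self.items = {i.uid: i for i in items}

    def lookup_ticket(self, key):
        """Resolve a presented key against tickets the server itself issued.
        Unknown (mistyped or revoked) keys resolve to None and grant nothing."""
        for coll in self.collections.values():
            if key in coll.tickets:
                return coll.tickets[key]
        return None

    def ticket_grants_write(self, keys, collection_uid):
        """True if a presented key is a read-write ticket on that collection."""
        for key in keys:
            t = self.lookup_ticket(key)
            if t and t.collection_uid == collection_uid and "write" in t.privileges:
                return True
        return False

    def can_write_collection(self, user, collection_uid, keys):
        return (self.collections[collection_uid].owner == user
                or self.ticket_grants_write(keys, collection_uid))

    def can_write_item(self, user, item, keys):
        """(allowed, reason): item owner, or write access to a collection it is in."""
        if item.owner == user:
            return True, "owner of item"
        for cuid in item.collection_uids:
            if self.can_write_collection(user, cuid, keys):
                return True, "write access to collection " + cuid
        return False, "no write access to item " + item.uid

    def publish(self, user, target_uid, item_uids, headers):
        """Add items to the target collection. Returns (status, denied_uids).
        All-or-nothing: one unauthorized item rejects the whole publish."""
        keys = parse_ticket_header(headers.get(TICKET_HEADER))
        if not self.can_write_collection(user, target_uid, keys):
            return 403, list(item_uids)
        denied = [uid for uid in item_uids
                  if not self.can_write_item(user, self.items[uid], keys)[0]]
        if denied:
            return 403, denied
        for uid in item_uids:
            self.items[uid].collection_uids.add(target_uid)
        return 200, []


def build_scenario():
    """Constructed data: alice owns c1 (read-only and read-write tickets) holding
    item x; bob owns c2 and his own item y; dave owns an unrelated c3."""
    rw, ro = frozenset({"read", "write"}), frozenset({"read"})
    c1 = Collection("c1", "alice", {"ro-c1": Ticket("ro-c1", "c1", ro),
                                    "rw-c1": Ticket("rw-c1", "c1", rw)})
    c2 = Collection("c2", "bob", {"rw-c2": Ticket("rw-c2", "c2", rw)})
    c3 = Collection("c3", "dave", {"rw-c3": Ticket("rw-c3", "c3", rw)})
    return Server([c1, c2, c3], [Item("x", "alice", {"c1"}), Item("y", "bob", {"c2"})])


if __name__ == "__main__":
    srv = build_scenario()
    print(srv.publish("bob", "c2", ["x"], {}))                              # (403, ['x'])
    print(srv.publish("bob", "c2", ["x"], {TICKET_HEADER: "ro-c1"}))        # (403, ['x'])
    print(srv.publish("bob", "c2", ["x"], {TICKET_HEADER: "rw-c3"}))        # (403, ['x'])
    print(srv.publish("bob", "c2", ["x", "y"], {TICKET_HEADER: "rw-c1"}))   # (200, [])
    print(srv.can_write_item("carol", srv.items["x"], ["rw-c2"]))           # (True, ...)
```

Two points the model makes concrete: the server resolves each presented key 
against the tickets it issued, so a client cannot claim a privilege it does 
not hold, and a read-write ticket only counts for an item if it is bound to 
a collection that item is already in. Once x has been added to c2, anyone 
with a read-write ticket on c2 (carol above) can write it, which is exactly 
the consequence the mail spells out.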

