[cosmo-dev] options to fix security hole
Randy Letness
randy at osafoundation.org
Thu Feb 7 07:33:43 PST 2008
Jeffrey Harris wrote:
>
>
> Does that match up with what you're suggesting?
After talking with Jeffrey on #cosmo yesterday it seems this does match
up with what I was suggesting. So basically think of a collection as a
set of items and a set of permissions to those items. In order to
modify an item, you need a read-write ticket to the collection and the
item in that collection must be editable. This would be a new concept
to the server, which doesn't consider individual items in determining
permissions, but would allow the workflows that are currently supported
by desktop and will be supported by web widgets. I like this idea much
better than storing copies, and it's about the same amount of work
considering we wouldn't have to worry about creating copies of all those
existing items out there.
>
> One possible option C would be to not bother with read-only item
> tickets. If I know a UUID, I can always add it to a collection, I
> just don't get edit access to it. This seems like a reasonable
> approach to me. I think it might give a smoother transition for the
> desktop and morse code: everything would continue to work, but behind
> the scenes when morse code added items to multiple collections, those
> items wouldn't be editable.
>
> I think that might actually work reasonably well with existing Desktop
> code (although not perfectly) immediately if we made the server
> silently (or at least non-fatally) fail to process changes to
> read-only items. Existing desktop users would still change the item in
> question when they synced the read-write version, and they could still
> add items to new collections.
>
> There'd definitely be problems; users who didn't have read-write
> access through some collection wouldn't know they didn't have
> edit-access but think they did. Still, this seems better than
> requiring all desktop clients to upgrade immediately.
This is a good idea and would make existing clients mostly backwards
compatible with the existing protocol, allowing all the work to be done
on the server. We could always add support in the protocol for
determining permissions and tighten things up later. One concern I have
is that both the desktop and webui may need some tweaking to handle a
read-write collection containing read-only items. If we fail silently
then the clients will assume these items were changed, and if all the
clients have access to is the read-only version then we end up with
inconsistent data. The bare-minimum we could do would be to add an
exception handler for both clients when this happens, letting the user
know they can't edit that particular item.
-Randy
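The model Randy and Jeffrey are converging on (a collection is a set of items plus per-item editability; a write needs both a read-write ticket to the collection and an editable item; option C lets anyone who knows a UUID attach an item to a collection as a read-only member) can be made concrete in a few dozen lines. The following is an added illustration, not Cosmo's code, and every name in it (Server, Collection, NotEditable, PermissionDenied, the ticket tokens, the sample collections "alice" and "bob") is an assumption for the sake of the example. It also shows the failure mode Randy raises at the end: the rejected edit through the read-only membership raises an error the client can surface rather than failing silently, and because the item is shared rather than copied, the edit made through the editable collection is visible through the other one.

```python
"""Toy model of the permission scheme discussed on cosmo-dev (added example,
not Cosmo's code; all names here are assumptions for illustration)."""
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Tuple

READ, READ_WRITE = "read", "read-write"


class PermissionDenied(Exception):
    """The ticket does not grant the requested level of access to the collection."""


class NotEditable(Exception):
    """The item is in the collection, but only as a read-only member.  Raised
    instead of failing silently so a client cannot mistake a rejected edit for
    an accepted one and drift out of sync with the server."""


@dataclass
class Item:
    uid: str
    body: str


@dataclass
class Collection:
    name: str
    # uid -> editable?  Items created through this collection are editable;
    # items attached by UUID (option C) are read-only members.
    members: Dict[str, bool] = field(default_factory=dict)


class Server:
    def __init__(self) -> None:
        self.items: Dict[str, Item] = {}
        self.collections: Dict[str, Collection] = {}
        self.tickets: Dict[str, Tuple[str, str]] = {}  # token -> (collection, perm)

    def create_collection(self, name: str) -> Collection:
        self.collections[name] = Collection(name)
        return self.collections[name]

    def issue_ticket(self, collection: str, perm: str) -> str:
        token = secrets.token_urlsafe(16)  # unguessable capability token
        self.tickets[token] = (collection, perm)
        return token

    def _resolve(self, token: str, need: str) -> Collection:
        """Map a ticket to its collection, enforcing the permission level."""
        if token not in self.tickets:
            raise PermissionDenied("unknown ticket")
        name, perm = self.tickets[token]
        if need == READ_WRITE and perm != READ_WRITE:
            raise PermissionDenied(f"ticket is {perm}, need {READ_WRITE}")
        return self.collections[name]

    def create_item(self, token: str, body: str) -> Item:
        """A new item is editable in the collection it was created through."""
        coll = self._resolve(token, READ_WRITE)
        item = Item(uid=str(uuid.uuid4()), body=body)
        self.items[item.uid] = item
        coll.members[item.uid] = True
        return item

    def add_existing(self, token: str, uid: str) -> None:
        """Option C: knowing a UUID lets a read-write ticket holder attach the
        item to their collection, but only as a read-only member."""
        coll = self._resolve(token, READ_WRITE)
        if uid not in self.items:
            raise KeyError(uid)
        coll.members.setdefault(uid, False)  # never upgrades an editable membership

    def is_editable(self, collection: str, uid: str) -> bool:
        return self.collections[collection].members.get(uid, False)

    def modify(self, token: str, uid: str, body: str) -> Item:
        """Both checks: read-write ticket to the collection AND editable item."""
        coll = self._resolve(token, READ_WRITE)
        if uid not in coll.members:
            raise KeyError(f"{uid} is not in {coll.name}")
        if not coll.members[uid]:
            raise NotEditable(f"{uid} is read-only in {coll.name}")
        self.items[uid].body = body
        return self.items[uid]

    def read(self, token: str, uid: str) -> str:
        coll = self._resolve(token, READ)
        if uid not in coll.members:
            raise KeyError(f"{uid} is not in {coll.name}")
        return self.items[uid].body


def scenario() -> dict:
    """Constructed walk-through: an item shared into a second collection by
    UUID is visible there but only editable through the first."""
    srv = Server()
    srv.create_collection("alice")
    srv.create_collection("bob")
    alice_rw = srv.issue_ticket("alice", READ_WRITE)
    alice_ro = srv.issue_ticket("alice", READ)
    bob_rw = srv.issue_ticket("bob", READ_WRITE)

    item = srv.create_item(alice_rw, "Lunch at noon")
    srv.add_existing(bob_rw, item.uid)  # Bob learned the UUID somehow

    out = {"editable_in_alice": srv.is_editable("alice", item.uid),
           "editable_in_bob": srv.is_editable("bob", item.uid)}
    try:
        srv.modify(bob_rw, item.uid, "Lunch at one")
        out["bob_edit"] = "accepted"
    except NotEditable:
        out["bob_edit"] = "rejected"  # client is told, not left to assume success
    try:
        srv.modify(alice_ro, item.uid, "Lunch at one")
        out["ro_ticket_edit"] = "accepted"
    except PermissionDenied:
        out["ro_ticket_edit"] = "rejected"
    srv.modify(alice_rw, item.uid, "Lunch at one")
    out["bob_sees"] = srv.read(bob_rw, item.uid)  # one shared item, not a copy
    return out


if __name__ == "__main__":
    print(scenario())
```

The two-part check in `modify` is the whole design: the ticket gates the collection, the membership flag gates the item, and the flag is set only on creation, so attaching a known UUID never confers edit rights. Raising `NotEditable` (rather than returning success) is the bare-minimum client-visible signal Randy asks for; a client that catches it can tell the user the item is read-only in that collection instead of showing a change the server never applied.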