[cosmo-dev] options to fix security hole

[Randy Letness]

How important is it to be able to revoke write access to items shared 
via a read-write ticket?  I ask because this gets tricky with items in 
multiple collections.  My original thinking was to store the read-write 
ticket used to add an existing item to another collection with the 
item<-->collection relationship.  That way there would be a way to 
"revoke" write access to an item shared this way, because we would know 
all collections that the item was added to using that ticket and we 
could remove that item from those collections. 

But what happens when a collection is removed from the server 
(unpublished)?  In this case, all tickets are removed, so what should 
happen to the items that were added to other collections using these 
tickets?  Should these items be removed from those collections?

Example:

1. Randy creates item "Rock Band Party", adds it to his collection  
"parties"
2. Randy shares collection "parties" using read-write ticket T1 to Travis
3. Travis subscribes to "parties" using ticket T1, adds item "Rock Band 
Party" to his collection "tvachon"
4. Travis syncs his collection "tvachon", and the desktop client 
includes ticket T1 in the update request, which allows item "Rock Band 
Party" to be added to collection "tvachon" read-write
5. Randy unpublishes his collection "rletness", removing the collection 
and ticket T1 from the server

In this case, should the shared item "Rock Band Party" be removed from 
the "tvachon" collection because it was originally added using the 
no-longer valid ticket T1? Or should it stick around in "tvachon" even 
though the ticket used to originally add it isn't valid.

My thinking is that if you share items using a collection ticket, and 
that collection ticket is no longer valid (removed from server), then it 
seems like any items added to other collections using that ticket should 
be removed from those collections.  But, that may not be what everyone 
else thinks.

-Randy