[cosmo-dev] options to fix security hole

Randy Letness randy at osafoundation.org
Tue Feb 19 09:28:02 PST 2008


I'm having doubts about making the server + security fixes fully 
backwards compatible with existing clients.  I'm mainly talking about 
silently failing when updating read-only items.  I don't like the idea 
that the client thinks something succeeded, when it really didn't.  So 
the use case is:

1. I share collection 1 RW using ticket T1
2. Jeffrey uses existing desktop to subscribe to collection 1, adds item 
A from collection 1 to his collection 2, shares collection 2 RW with 
Travis using RW ticket T2
3. Travis subscribes to collection 2 using ticket T2
4. Travis updates A, syncs.  The server silently fails because A is RO 
because it was added to collection 2 without a RW ticket.

The desktop Travis is using is out of sync with the server now because 
it believes the updates were successful when in reality they failed.  
Also, Travis will see different data if he uses the webui now because 
the desktop has his local changes (which the client thought were synced 
to the server) and the webui won't see these changes.

So what we could do instead is:

1. Require a RW ticket when adding existing items to new collections.  
The thinking here is that currently there isn't a way to add read-only 
items to a collection using the desktop.
2. Fail if a RW ticket is not provided for existing items to be added to 
the collection.

This of course breaks existing desktop clients, but only in the case 
where users want to add an item they don't own into their personal 
collection.  These users would receive an error message which would 
direct them to upgrade to the newer version of the desktop in order to 
do this.  That way we don't have the problem of out-of-sync clients.  
Then later on, we can support adding read-only items to a collection.  
Does this seem reasonable?

-Randy
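A small model of the two server behaviours discussed above, the current silent failure and the proposed explicit refusal, written as an added example for this page. It is not Cosmo code: the `Server` class, the ticket representation, and the rule that a collection's membership of an item carries the rights the ticket granted when it was added are all assumptions made to illustrate the point, not the real protocol.

```python
# Toy model (added example, not Cosmo code) of ticket-based sharing with RO/RW
# tickets. All names and semantics here are assumptions for illustration.

RO, RW = "ro", "rw"


class AccessError(Exception):
    """Raised when an operation is refused instead of silently dropped."""


class Server:
    def __init__(self):
        self.items = {}        # item name -> {"home": collection, "body": str}
        self.collections = {}  # collection -> {item name -> rights carried (RO/RW)}
        self.tickets = {}      # ticket id -> (collection, mode)

    def create_collection(self, name):
        self.collections[name] = {}

    def create_item(self, collection, name, body):
        self.items[name] = {"home": collection, "body": body}
        self.collections[collection][name] = RW  # owner's own collection: full rights

    def issue_ticket(self, tid, collection, mode):
        self.tickets[tid] = (collection, mode)

    def _ticket_mode(self, collection, tid):
        """Mode a ticket grants on `collection`, or None if absent or for another collection."""
        if tid is None or tid not in self.tickets:
            return None
        coll, mode = self.tickets[tid]
        return mode if coll == collection else None

    def add_existing_item(self, item_name, target, ticket=None, require_rw=False):
        """Add an existing item to `target`.

        require_rw=False models the current server: the membership carries
        whatever rights the ticket gave (RO if the client sent no ticket).
        require_rw=True models the proposal: refuse unless a RW ticket for the
        item's home collection accompanies the request.
        """
        home = self.items[item_name]["home"]
        mode = self._ticket_mode(home, ticket)
        if require_rw and mode != RW:
            raise AccessError(
                f"adding {item_name} to {target} needs a RW ticket for {home}; "
                "upgrade the desktop")
        self.collections[target][item_name] = mode or RO

    def update_item(self, item_name, via, ticket, body, silent=False):
        """Update an item through collection `via` using `ticket`.

        The ticket must grant RW on `via`, and `via`'s membership of the item
        must itself carry RW. silent=True models the current behaviour (the
        update is dropped and False returned); silent=False raises instead.
        """
        allowed = (self._ticket_mode(via, ticket) == RW
                   and self.collections[via].get(item_name) == RW)
        if not allowed:
            if silent:
                return False
            raise AccessError(f"{item_name} is read-only in {via}")
        self.items[item_name]["body"] = body
        return True

    def read(self, item_name):
        return self.items[item_name]["body"]


def _setup():
    # Constructed scenario from the post: collection 1 shared RW via T1,
    # collection 2 shared RW via T2.
    s = Server()
    s.create_collection("collection1")
    s.create_collection("collection2")
    s.create_item("collection1", "A", "original")
    s.issue_ticket("T1", "collection1", RW)
    s.issue_ticket("T2", "collection2", RW)
    return s


def scenario_current():
    """Old desktop + current server: the silent failure leaves desktop and webui disagreeing."""
    s = _setup()
    s.add_existing_item("A", "collection2", ticket=None)  # old desktop sends no ticket -> RO
    desktop = "travis edit"
    synced = s.update_item("A", "collection2", "T2", desktop, silent=True)
    # The desktop keeps its local copy whether or not the server applied it.
    return {"synced": synced, "desktop": desktop, "webui": s.read("A")}


def scenario_proposed(client_sends_ticket):
    """Proposed server: adding without a RW ticket fails loudly; with one, updates flow through."""
    s = _setup()
    try:
        s.add_existing_item("A", "collection2",
                            ticket="T1" if client_sends_ticket else None,
                            require_rw=True)
    except AccessError as e:
        return {"added": False, "error": str(e)}
    s.update_item("A", "collection2", "T2", "travis edit")  # raises rather than dropping
    return {"added": True, "desktop": "travis edit", "webui": s.read("A")}
```

`scenario_current()` reproduces the out-of-sync state: the update returns False, the desktop still holds "travis edit", and the webui shows "original". `scenario_proposed(False)` stops an old desktop at the add step with an error that points at the upgrade, while `scenario_proposed(True)` shows a ticket-aware client getting a RW membership and both views agreeing afterwards.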

