[cosmo-dev] options to fix security hole

Randy Letness randy at osafoundation.org
Tue Feb 19 11:15:03 PST 2008


Jeffrey Harris wrote:
> To be clear, I'd been hoping we could send a non-fatal warning to the 
> client, so recent Desktop clients could handle this case gracefully.  
> As I think about it, I don't know of a mechanism in Morse Code to 
> provide non-fatal warnings; maybe we could use custom HTTP headers in 
> the response?

I thought about this too, but got stumped when we return a 204 (no 
content) on a successful update so there goes returning XML in the 
response.  I didn't think about a custom header though.

>
> But I think it's problematic for the server to fail when old desktop 
> clients do normal sharing activities like sharing an item in two 
> collections.  It seems like this would happen frequently in a 
> fail-without-read-write-ticket world, but maybe I'm not understanding 
> why this wouldn't happen often?

Current items would work fine, but users would have to upgrade if they 
do the following:

Subscribe to a collection that is not theirs and publish items in that 
collection to their personal collections.  At first I didn't think it 
would be that big of a deal to force an upgrade given our current user 
base, and the fact that all current stuff would work, but maybe it is.  
I still don't like that by silently failing, existing desktops won't 
have a clue that something is wrong, and we end up with a bunch of 
read-only items in collections that the client thinks are read-write.

> It occurs to me that we should probably add some future proofing to 
> the desktop error system, so future desktop clients can display 
> arbitrary error messages from the server.  Right now errors get logged 
> and users don't get much feedback about why things fail (unless they 
> think to mouseover the sync-failure icon).  It'd be nice if after a 
> server upgrade we could have the server provide arbitrary messages to 
> display as a pop-up in the client.

+1

-Randy


