[cosmo-dev] options to fix security hole

Randy Letness randy at osafoundation.org
Tue Feb 19 15:38:24 PST 2008


Mimi Yin wrote:
> Hi Randy,
>
> On the Desktop, even when someone removes a shared collection from the 
> server, the Desktop doesn't delete the collection / items locally. The 
> collection simply no longer syncs. If there are items in that 
> collection that also belong in other collections that *are* still 
> syncing, then my assumption is that those items continue to live in 
> those 'other' collections locally and on the server and continue 
> syncing. Grant? Jeffrey?
>
> I understand that to simulate this behavior on the web UI would 
> require a lot of work. However, I'm wondering if we can tackle a 
> subset of that behavior.
>
> Currently, when you delete collections in the Desktop, we don't delete 
> items that have been manually added to other collections.
>
> Is it feasible to follow that model on the server?

This is currently the way the server works.  My questions were more along 
the lines of what happens when a ticket is no longer valid, which is the 
case for collections that are "un-published" because all tickets 
associated with a deleted collection are removed.  So in that case, if 
the ticket is no longer valid,  what does that mean for items that were 
published to other collections using that ticket?  Should those items be 
removed from those collections?  Currently they aren't.  It's possible to 
implement this logic on the server, but it would be a pain as we would 
basically have to store a "ticket chain" for each item-->collection 
relationship, and if any ticket in that chain is no longer valid, then 
the item would be removed from that collection.

-Randy
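
An added illustration of the "ticket chain" bookkeeping described in the message above (not part of the original post and not Cosmo code). It is a toy in-memory model that assumes a chain is the tuple of tickets an item-->collection membership depends on; the class, method, ticket and collection names are hypothetical.

```python
class TicketChainStore:
    """Toy model of per-membership ticket chains; not Cosmo's schema or API."""

    def __init__(self):
        self.tickets = {}  # ticket id -> collection the ticket grants access to
        self.chains = {}   # (item, collection) -> tuple of ticket ids relied on

    def issue_ticket(self, ticket, collection):
        self.tickets[ticket] = collection

    def add_direct(self, item, collection):
        # The owner adds the item without using any ticket: empty chain.
        self.chains[(item, collection)] = ()

    def add_via_ticket(self, item, source, ticket, dest):
        # The item was reached in `source` through `ticket`, then added to `dest`.
        if self.tickets.get(ticket) != source:
            raise PermissionError(f"ticket {ticket!r} is not valid for {source!r}")
        if (item, source) not in self.chains:
            raise KeyError(f"{item!r} is not in {source!r}")
        # Inherit every ticket the source membership already depends on.
        self.chains[(item, dest)] = self.chains[(item, source)] + (ticket,)

    def delete_collection(self, collection):
        # Un-publishing: all tickets of the deleted collection are removed.
        for t in [t for t, c in self.tickets.items() if c == collection]:
            del self.tickets[t]
        removed = []
        for (item, coll), chain in list(self.chains.items()):
            broken = any(t not in self.tickets for t in chain)
            if coll == collection or broken:
                del self.chains[(item, coll)]
                removed.append((item, coll))
        return sorted(removed)

    def items_in(self, collection):
        return sorted(i for (i, c) in self.chains if c == collection)


def demo():
    # Constructed sample data: two collections, one item re-published twice.
    s = TicketChainStore()
    s.add_direct("note-1", "work")
    s.add_direct("note-2", "home")
    s.issue_ticket("T1", "work")
    s.issue_ticket("T2", "home")
    s.add_via_ticket("note-1", "work", "T1", "home")   # chain (T1,)
    s.add_via_ticket("note-1", "home", "T2", "trips")  # chain (T1, T2)
    removed = s.delete_collection("work")
    return removed, s.items_in("home"), s.items_in("trips"), s
```

Because each chain carries every ticket its source membership relied on, one pass after the deletion is enough to find all dependent memberships, including the second-hop one in "trips".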

