[cosmo-dev] options to fix security hole

Mimi Yin mimi at osafoundation.org
Tue Feb 19 15:58:07 PST 2008 

These might be a stupid questions, but:

+ Could an item 'inherit' a new ticket from another read-write  
collection? OR
+ Could the server selectively *not* delete tickets for items that  
are also in other collections?

Currently, ff we don't remove the item, what happens? Can anybody  
edit the item?

On Feb 19, 2008, at 3:38 PM, Randy Letness wrote:

> Mimi Yin wrote:
>> Hi Randy,
>>
>> On the Desktop, even when someone removes a shared collection from  
>> the server, the Desktop doesn't delete the collection / items  
>> locally. The collection simply no longer syncs. If there are items  
>> in that collection that also belong in other collections that  
>> *are* still syncing, then my assumption is that those items  
>> continue to live in those 'other' collections locally and on the  
>> server and continue syncing. Grant? Jeffrey?
>>
>> I understand that to simulate this behavior on the web UI  would  
>> require a lot of work. However, I'm wondering if we can tackle a  
>> subset of that behavior.
>>
>> Currently, when you delete collections in the Desktop, we don't  
>> delete items that have been manually added to other collections.
>>
>> Is it feasible to follow that model on the server?
>
> This is currently the way the sever works.  My questions were more  
> along the lines of what happens when a ticket is no longer valid,  
> which is the case for collections that are "un-published" because  
> all tickets associated with a deleted collection are removed.  So  
> in that case, if the ticket is no longer valid,  what does that  
> mean for items that were published to other collections using that  
> ticket?  Should those items be removed from those collections?   
> Currently they aren't.  Its possible to implement this logic on the  
> server, but it would be a pain as we would basically have to store  
> a "ticket chain" for each item-->collection relationship, and if  
> any ticket in that chain is no longer valid, then the item would be  
> removed from that collection.
>
> -Randy
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev

More information about the cosmo-dev mailing list