[cosmo-dev] options to fix security hole

Mimi Yin mimi at osafoundation.org
Thu Feb 21 07:31:28 PST 2008


Hi Randy,

Thanks for re-explaining some of this stuff to me... more in-line below:

On Feb 20, 2008, at 8:28 AM, Randy Letness wrote:

> Mimi Yin wrote:
>> Here's a much more complicated solution...
>>
>> + When a collection is deleted on Chandler Hub or unpublished from  
>> Chandler Desktop, only delete items that have *not* been manually  
>> added to other collections
>
> This is how it works today on the server.  If an item was added to  
> another collection, then that item will not be removed.  An item is  
> only deleted if it only exists in a single collection, and that  
> collection was deleted, or if it only exists in a single collection  
> and the item was removed from that collection.

Risking tedium in order to be exceedingly clear, in Chandler Desktop,  
there is a distinction between an item that exists in multiple  
collections and an item that has been manually (via Drag and Drop)  
added to multiple collections. This is because the out-of-the-box  
collections (Dashboard, In and Out) automatically collect items based  
on certain 'rules'.

So, the desired behavior is items should only be spared deletion  
if they have been *manually* added to other collections.

Currently, can the server tell the difference between items that  
belong in multiple collections by virtue of rules versus manual drag  
and drop?

>
>
>> + However, *do* revoke all tickets associated with that collection  
>> which results in the following:
>> - (T1) Users who *only* have access to items in the deleted/ 
>> unpublished collection by virtue of that collection will lose that  
>> access - Do the items get deleted for these users?
>
> These users will lose access to the items if they are accessed  
> through the deleted collection because the ticket is no longer  
> valid and the collection doesn't exist.  If the items were added to  
> other collections, the items are still present, but require a  
> different ticket/user to access them.

Got it.

>
>
>> - Any users who are 'downstream' of the T1 users also lose access  
>> to items in the deleted / unpublished collection - Is this possible?
>>
>
> This is possible, and is the complicated solution I described.  The  
> server would basically have to store a "chain" of tickets each time  
> an item is added to a collection.  For example.
> 1. User A publishes item X in collection 1, shares with rw ticket  
> T1 (no ticket stored with this)
> 2. User B adds item X to collection 2 using rw ticket T1, shares  
> with rw ticket T2 (T1 stored with this)
> 3. User C adds item X to collection 3 using rw ticket T2 (T1 and  
> T2 stored with this)
> 4. etc/etc
>
> Now if User A or User B unpublishes their collection, User C would  
> lose access to X because in order for User C to have access to X,  
> both T1 and T2 must be valid.
>
> This is a lot more work than was planned (implementation, testing,  
> migration), so we need to decide if it's worth supporting.  One  
> option is to do the basic security fixes now (fix the know-the-uuid/ 
> gain-read-write-access problem), and implement this later so that  
> we can move on to other things.  Or we could spend time on this  
> now, but there is still the case of existing items that were added  
> to multiple collections.  These items don't have any "ticket chain"  
> and can't really be controlled by revoking a ticket.

I think it's totally reasonable to defer fixing the 'revoke access'  
problem until later. Basically for now, if you unpublish a  
collection, there's a chance that you will continue sharing some of  
the items in that collection with others, even though you don't  
actually share any collections with those subscribers. Is that correct?

Should I log a separate bug to keep track of this issue for later?

>
>> *Question:* What if you gained access to the same items by virtue  
>> of a different collection? Are there any situations where you  
>> might be able to hold on to your access? Here's an example:
>>
>> 1. User A publishes a collection and shares it with Users B and C  
>> with Ticket A-B.
>>
>> 2. User B adds some items from that collection to a different  
>> collection and shares that second collection with User C with  
>> Ticket B-C.
>>
>> 3. User B unpublishes the 2nd collection, thereby revoking all  
>> Ticket B-Cs.
>>
>> Can Users A, B and C still see the items that User B manually  
>> added from the 1st collection to the 2nd collection by virtue of  
>> Ticket A-B?
>
> Yes because the item still exists in the first collection.  Now any  
> item that User B adds from the 2nd collection to the 1st  
> collection using Ticket B-C would be removed.

Uh-oh, I don't understand this last sentence. Perhaps it's best to  
ping you on IRC.

>
> -Randy
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
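The two scenarios traded back and forth above (Randy's three-step ticket chain and Mimi's Ticket A-B / Ticket B-C question) are easier to reason about as running code. The following is an added example written for this archive page; it is not code from the thread, from Cosmo, or from Chandler. It models a server where every item in a collection carries the chain of tickets that were used to bring it there, an item is visible only while the presented ticket and every ticket in its chain are valid, and unpublishing a collection revokes that collection's tickets and deletes items that existed nowhere else (the current single-collection deletion rule Randy describes). The names `Server`, `Ticket`, `add_via_ticket`, `accessible`, and the collection and ticket labels are this example's own assumptions, as is the simplification that a collection's owner reaches it through a ticket like any other user.

```python
# Added example, not code from the cosmo-dev thread or from Cosmo/Chandler.
# Toy model of the "ticket chain" scheme Randy describes, plus the current
# rule that an item is deleted only when it exists in a single collection.
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    collection: str       # the collection this ticket grants access to
    valid: bool = True    # unpublishing the collection flips this to False


class Server:
    def __init__(self):
        self.tickets = {}       # ticket_id -> Ticket
        self.collections = {}   # collection -> {item -> tuple of ticket_ids used to bring it here}
        self.deleted = set()    # items removed because they existed only in the unpublished collection

    def publish(self, collection, items, ticket_id):
        """Owner publishes a collection; directly added items carry an empty chain."""
        self.collections[collection] = {item: () for item in items}
        self.tickets[ticket_id] = Ticket(ticket_id, collection)

    def ticket_valid(self, ticket_id):
        ticket = self.tickets.get(ticket_id)
        return ticket is not None and ticket.valid

    def accessible(self, collection, ticket_id):
        """Items a holder of ticket_id can reach through `collection`.
        Visible only if the presented ticket is valid for this collection
        AND every ticket in the item's stored chain is still valid."""
        if not self.ticket_valid(ticket_id) or self.tickets[ticket_id].collection != collection:
            return set()
        members = self.collections.get(collection, {})
        return {item for item, chain in members.items()
                if all(self.ticket_valid(t) for t in chain)}

    def add_via_ticket(self, item, src, src_ticket, dst, dst_ticket):
        """A subscriber holding src_ticket adds `item` from `src` to their own
        collection `dst`, shared with dst_ticket. The chain grows by src_ticket."""
        if item not in self.accessible(src, src_ticket):
            raise PermissionError(f"{src_ticket} does not grant access to {item} in {src}")
        chain = self.collections[src][item] + (src_ticket,)
        self.collections.setdefault(dst, {})[item] = chain
        self.tickets.setdefault(dst_ticket, Ticket(dst_ticket, dst))

    def unpublish(self, collection):
        """Revoke every ticket for the collection, drop it, and delete items
        that existed in no other collection."""
        for ticket in self.tickets.values():
            if ticket.collection == collection:
                ticket.valid = False
        members = self.collections.pop(collection, {})
        for item in members:
            if not any(item in other for other in self.collections.values()):
                self.deleted.add(item)


def randys_chain_scenario():
    """Randy's steps 1-3, then User A unpublishes collection 1 (labels are constructed)."""
    s = Server()
    s.publish("col1", {"X", "Z"}, "T1")                 # 1. User A: X and Z in col1, shared with T1
    s.add_via_ticket("X", "col1", "T1", "col2", "T2")   # 2. User B adds X via T1, shares col2 with T2
    s.add_via_ticket("X", "col2", "T2", "col3", "T3")   # 3. User C adds X via T2, shares col3 with T3
    c_before = "X" in s.accessible("col3", "T3")        # chain (T1, T2) intact
    s.unpublish("col1")                                 # User A unpublishes: T1 revoked
    c_after = "X" in s.accessible("col3", "T3")         # chain (T1, T2) now broken
    return {"c_before": c_before, "c_after": c_after,
            "x_deleted": "X" in s.deleted,   # False: X still exists in col2 and col3
            "z_deleted": "Z" in s.deleted}   # True: Z existed only in col1


def mimis_scenario():
    """Mimi's question: A shares col1 with B and C via Ticket A-B; B adds X to col2
    and shares it with C via Ticket B-C; B then unpublishes col2."""
    s = Server()
    s.publish("col1", {"X", "Y"}, "T_AB")
    s.add_via_ticket("X", "col1", "T_AB", "col2", "T_BC")
    s.unpublish("col2")                                   # revokes every Ticket B-C
    return {"via_col1": "X" in s.accessible("col1", "T_AB"),  # True: X is still in collection 1
            "via_col2": "X" in s.accessible("col2", "T_BC"),  # False: ticket revoked, collection gone
            "x_deleted": "X" in s.deleted}                    # False: X exists in col1
```

`randys_chain_scenario()` shows both halves of Randy's answer: User C loses X as soon as T1 is revoked because the stored chain `(T1, T2)` no longer validates, yet X itself is not deleted because it still exists in collections 2 and 3. `mimis_scenario()` confirms the "Yes" to Mimi's question: revoking Ticket B-C takes collection 2 away, but X is still reachable through collection 1 with Ticket A-B because its membership there has an empty chain. Items added to several collections before chains were recorded would carry an empty chain everywhere in this model, which is exactly the migration gap Randy points out.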
