[Sum of Talk with Randy] Re: [cosmo-dev] options to fix security hole
Mimi Yin
mimi at osafoundation.org
Thu Feb 21 13:42:27 PST 2008
Randy, Grant, Sheila and I met briefly. We have decided the following:
Grant is going to investigate addressing 2 of the 4 issues outlined
here -
http://lists.osafoundation.org/pipermail/cosmo-dev/2008-February/005741.html,
from the Desktop side.
1. In particular, he's going to ship read-write tickets around with
emailed items so that when users add items they've received via email
to collections that are on the Server, the Server will accept those
items. Otherwise, users might end up in situations where they think
they've added emailed items to published collections, but other
subscribers won't see them and they won't see them if they check the
collection on the web UI or on a different machine.
https://bugzilla.osafoundation.org/show_bug.cgi?id=11878
This is essentially a way to keep the behavior we have today. No
better, no worse :)
2. Grant is also going to disable the ability to drag and drop items
from read-only collections into other collections.
https://bugzilla.osafoundation.org/show_bug.cgi?id=11880
Again, we are trying to avoid misleading users into thinking they've
successfully added read-only items to a collection on the server only
to find out after a lot of confusion that the item was never accepted
by the server.
Both of these bugs have been added to the top of the Desktop Work Q
along with the original 'Plug read-only security hole' bug, which
Grant already has a patch for -
https://bugzilla.osafoundation.org/show_bug.cgi?id=11013
3. Randy asked me to log 2 bugs, 1 for the Server, the 2nd for the
Desktop to improve sharing error handling and messaging.
https://bugzilla.osafoundation.org/show_bug.cgi?id=11883
https://bugzilla.osafoundation.org/show_bug.cgi?id=11884
I was going to add these to the work Qs, but I realized that we've
generally been avoiding adding 'nice-to-have' items. Anyhow, I can be
talked out of that if anyone feels strongly about this.
Mimi
On Feb 21, 2008, at 12:31 PM, Mimi Yin wrote:
>> Would it be productive to have a meeting with Randy and Grant to
>> review these issues on the phone?
>
> We are meeting today at 1:00PM PST.