esme-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Xuefeng Wu <ben...@gmail.com>
Subject Re: Deleting user from access pool
Date Wed, 30 Sep 2009 08:30:44 GMT
We should have unique Id which can not be deleted.User or Pool could have
same name but have different unique id which only system know.

The pool name can not have duplicate validate same name,
but the validate pool could have a name as same as invalidate pool.


On Wed, Sep 30, 2009 at 3:59 PM, Vassil Dichev <vdichev@apache.org> wrote:

> > Should we allow for a user to be deleted from an access pool?
> >
> > If yes what happens? Does he no longer have access to the messages in
> > the pool - irregardless of whether he wrote them or not?
>
> It should be possible to delete a user, yes. I think it has been
> discussed or specified in the requirements pdf that once a message is
> in the user's mailbox, it stays there, so that's how it works now. At
> any rate, deleting a message from the mailbox, which the user may have
> already seen doesn't offer any more security. A user also doesn't see
> messages in his/her mailbox, which were sent before he was added to
> the pool.
>
> The interesting part is what happens if a pool has been removed and
> whether it should be possible at all. This could pose a security
> problem if an impostor creates a pool with the same name (similar to
> what might happen with a deleted user account)
>



-- 
Global R&D Center,Shanghai China,Carestream Health, Inc.
Tel:(86-21)3852 6101

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message