esme-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vassil Dichev <>
Subject Re: Deleting user from access pool
Date Wed, 30 Sep 2009 07:59:30 GMT
> Should we allow for a user to be deleted from an access pool?
> If yes what happens? Does he no longer have access to the messages in
> the pool - irregardless of whether he wrote them or not?

It should be possible to delete a user, yes. I think it has been
discussed or specified in the requirements pdf that once a message is
in the user's mailbox, it stays there, so that's how it works now. At
any rate, deleting a message from the mailbox, which the user may have
already seen doesn't offer any more security. A user also doesn't see
messages in his/her mailbox, which were sent before he was added to
the pool.

The interesting part is what happens if a pool has been removed and
whether it should be possible at all. This could pose a security
problem if an impostor creates a pool with the same name (similar to
what might happen with a deleted user account)

View raw message