esme-dev mailing list archives

From Richard Hirsch <hirsch.d...@gmail.com>
Subject Re: Deleting user from access pool
Date Wed, 30 Sep 2009 08:43:30 GMT
I've created a JIRA item for this topic
(https://issues.apache.org/jira/browse/ESME-87) - the JIRA item is a
little misleading but it is basically deleting users from pools.

You've already worked on access pools. Maybe you'd like to work on this?

Thanks.

D.

On Wed, Sep 30, 2009 at 9:59 AM, Vassil Dichev <vdichev@apache.org> wrote:
>> Should we allow for a user to be deleted from an access pool?
>>
>> If yes, what happens? Does he no longer have access to the messages in
>> the pool - regardless of whether he wrote them or not?
>
> It should be possible to delete a user, yes. I think it has been
> discussed or specified in the requirements PDF that once a message is
> in the user's mailbox, it stays there, so that's how it works now. At
> any rate, deleting a message from the mailbox, which the user may have
> already seen, doesn't offer any more security. A user also doesn't see
> messages in his/her mailbox which were sent before he was added to
> the pool.
>
> The interesting part is what happens if a pool has been removed and
> whether it should be possible at all. This could pose a security
> problem if an impostor creates a pool with the same name (similar to
> what might happen with a deleted user account).
>
