On 8/21/06, Matthew Eernisse <[EMAIL PROTECTED]> wrote:
> I'm simply saying that single-click easy access to a calendar (including full write privileges), without also providing users a straightforward way to lock it down, is a huge, obvious security hole. And when bad things happen to users' shared calendars, it will give us a black eye. I understand that it adds a lot of extra complexity to the security model. It just seems like the ability to password-protect stuff (i.e., provide an obvious way to use something distinctly different from the URL) is a pretty fundamental facility to expect for anything Web-based.

I don't dispute that, but we already have this single-click feature that you are pointing out as a security hole, and Mimi's proposal makes the collection password optional, so we're never going to make the security issue go away entirely. Some people are just going to reject security in favor of convenience. I don't have any problem with that as long as we also provide (eventually) for people who want better security (e.g. ACL).

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Open Source Applications Foundation "Design" mailing list
http://lists.osafoundation.org/mailman/listinfo/design
