potiuk commented on PR #23:
URL: https://github.com/apache/comdev/pull/23#issuecomment-4891799232

   > The tokens can be regarded as a cache of the permissions that were active 
when the user logged in originally. There needs to be a way to evict tokes when 
these permissions change. I think this approach needs to be discussed with 
Infra.
   
   Actually, there is no need - this is already implemented automatically (I 
think also well explained in the documentation) - the actual permissions that 
the token allows to have is a superset of the token scope and actual 
**current** permissions of the user. So basically what the "scope" of the token 
is is a "wish" - but the wish is only granted if the user already has those 
permissions.
   
   But yes - maybe worth explaining it more in the docs, and definitely infra 
needs to be involved when enabling it. Note that this feature is disabled by 
default - so for example "mail.apache.org" might choose not to enable it or 
limit the time for example  - all this is configurable.
   
   Let me make sure that what I explained above is very clear in the docs of 
the change in PonyMail change.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to