potiuk commented on PR #23: URL: https://github.com/apache/comdev/pull/23#issuecomment-4891799232
> The tokens can be regarded as a cache of the permissions that were active when the user logged in originally. There needs to be a way to evict tokes when these permissions change. I think this approach needs to be discussed with Infra. Actually, there is no need - this is already implemented automatically (I think also well explained in the documentation) - the actual permissions that the token allows to have is a superset of the token scope and actual **current** permissions of the user. So basically what the "scope" of the token is is a "wish" - but the wish is only granted if the user already has those permissions. But yes - maybe worth explaining it more in the docs, and definitely infra needs to be involved when enabling it. Note that this feature is disabled by default - so for example "mail.apache.org" might choose not to enable it or limit the time for example - all this is configurable. Let me make sure that what I explained above is very clear in the docs of the change in PonyMail change. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
