[ https://issues.apache.org/jira/browse/JAMES-3925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17755560#comment-17755560 ]
Benoit Tellier edited comment on JAMES-3925 at 8/17/23 1:56 PM:
----------------------------------------------------------------

FYI as there are some interesting design considerations behind this proposal, I did write an ADR about this topic.

ADR: https://github.com/apache/james-project/pull/1688


was (Author: btellier):
FYI as there are some interesting design considerations behind this proposal, I did write an ADR about this topi.

ADR: https://github.com/apache/james-project/pull/1688

> JMAP quota for uploads
> ----------------------
>
>                 Key: JAMES-3925
>                 URL: https://issues.apache.org/jira/browse/JAMES-3925
>             Project: James Server
>          Issue Type: New Feature
>   Affects Versions: 3.8.0
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: master
>
>
> h3. Why?
> As a James user, I want to set up a SaaS mail offer.
> As such, I can't control my SaaS users, I have limited prior control on them,
> and little retorsion mechanisms. As such I cannot assert that they are good
> actors, as I would for instance for an on-premise deployment.
> It turns out the JMAP uploads offer a simple binary store that is currently
> not limited by James. As such it would be trivial for an attacker to exploit
> this to store an unlimited amount of data.
> The way to counter such a threat is to set up a quota on users uploads.
> h3. How?
>  - Store the current size of total user uploads. Cassandra and memory
> implementation.
>  - Have a global limit (configured)
>  - Enforce the quota checks upon uploads. Upon upload deletion.
>  - Expose a webadmin API to see user quota usage for JMAP uploads.
> h3. Definition of done
> JMAP integration tests rejecting offending over-quota uploads.
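
The "How?" steps in the issue (track per-user upload usage, apply a configured global limit, check on upload, release on deletion), sketched as an added in-memory example. It is not part of the original message and is not James code; the class name, method names, limit and user are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical in-memory tracker; names are assumptions, not James APIs.
public class UploadQuotaSketch {
    private final long limitBytes; // global (configured) limit applied to each user
    private final ConcurrentMap<String, Long> usage = new ConcurrentHashMap<>();

    public UploadQuotaSketch(long limitBytes) {
        this.limitBytes = limitBytes;
    }

    // The check and the reservation happen in one atomic step, so two concurrent
    // uploads cannot both pass the check and jointly exceed the limit.
    // size must be the number of bytes actually stored, not a client-declared value.
    public boolean tryReserve(String user, long size) {
        if (size < 0 || size > limitBytes) {
            return false;
        }
        boolean[] accepted = {false};
        usage.compute(user, (u, current) -> {
            long used = current == null ? 0L : current;
            if (used > limitBytes - size) { // overflow-safe form of used + size > limit
                return current;             // usage unchanged: upload rejected
            }
            accepted[0] = true;
            return used + size;
        });
        return accepted[0];
    }

    // Called when an upload is deleted; usage never drops below zero.
    public void release(String user, long size) {
        if (size <= 0) {
            return;
        }
        usage.computeIfPresent(user, (u, current) -> {
            long remaining = Math.max(0L, current - size);
            return remaining == 0L ? null : remaining; // drop empty entries
        });
    }

    // Value a quota-usage endpoint could report for a user.
    public long usedBytes(String user) {
        return usage.getOrDefault(user, 0L);
    }

    public static void main(String[] args) {
        UploadQuotaSketch quota = new UploadQuotaSketch(10_000_000L); // constructed limit
        String user = "bob@example.org";                              // constructed user
        System.out.println(quota.tryReserve(user, 6_000_000L)); // first upload fits
        System.out.println(quota.tryReserve(user, 6_000_000L)); // second would exceed the limit
        quota.release(user, 6_000_000L);                        // upload deleted
        System.out.println(quota.tryReserve(user, 6_000_000L)); // fits again after deletion
        System.out.println(quota.usedBytes(user));
    }
}
```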