Commit
fix: Group removal is best effort access control, so use fresh session
The group removal feature is not based on cryptography, just best-effort server-side access control. With either manual sessions or transparent sessions, a user may keep using a session that was previously shared with a group, and the key does not rotate when a group member is removed. So when using transparent sessions, a device that shares with a given group may keep using the same cryptographic key for up to 12h, which means the server should continue to apply access control to the files themselves, in addition to best-effort access control on groups. In the case of our functional tests, it means that after removing a user from a group we should test with a fresh device (and drop any still active manual sessions) to get a reliable access control test.