"Recent messages" for locked lists is available by URL

[jjfine]

Issue by Trevoke from Sunday Jan 06, 2013 at 00:29 GMT
Originally opened as https://github.com/cyrusinnovation/ListList/issues/38

---

I was able to see the recent messages for a locked list of which I am not a member by typing in the URL for the Recent Messages for that list manually -- e.g.

http://cyruslists.com/lists/99/archives?

This should, of course, not be possible.

[jjfine]

Comment by pinfieldharm from Sunday Jan 06, 2013 at 01:10 GMT

---

Thanks for finding this. Until this is fixed, I nuked the archives in the Rails cache, changed the password for the Gmail firehose account, and deleted all the messages therein.

[jjfine]

Comment by pinfieldharm from Sunday Jan 06, 2013 at 01:11 GMT

---

Messages to closed lists should absolutely, positively not be going into the firehose gmail account.

[jjfine]

Comment by Trevoke from Sunday Jan 06, 2013 at 01:13 GMT

---

So for now we're not worrying about changing the locked status of a list. However, if we -could- change the status of a list, we'd have to manage :

• closed -> open means we begin to store
• open -> close means we clear the cache

Correct? Because, well, correct me if I'm wrong, we can still change that status through the database.. Is this a use case we want to worry about?

[jjfine]

Comment by pinfieldharm from Sunday Jan 06, 2013 at 01:19 GMT

---

I wouldn't worry about retroactively clearing the firehose account. I think the contract we are enforcing is "mail sent to a closed list won't be archived." If a list is open when a message is sent, then it's okay to keep it forever.