You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, we only assume that access will be checked when the notification channel gets created. We don't seem to address a common scenario when access policy changes on the resource which is a topic of some existing notification channels.
I think every change to access policies, would result in re-evaluating all the channels using that resource as their topic. If the receiver doesn't have required access anymore, their channel should be most likely deactivated.
I am putting these concerns out there with the intention of discussion than immediate resolution.
Would you invalidate the channel, or would you modify it? For single topic channels, invalidation is the way to go, but for multi topic channels either could be justified.
Also, should we include this in SNP (we do not specify how security is implemented) or does this need to go into its own document (or even just an implementation note) where we tell servers to be aware of this consideration?
This would add additional issues for server implementation though, as every time an authorization resource is updated, the server needs to
a) find all resources impacted by this change
b) find all notification channels for those resources, and
c) determine the impact of the authorization changes on all those channels.
In the case of a container ACL changing, this would mean recursively finding all child resources without an ACL. With ACP it would just be all child resources as there container permissions are not always overwritten by document permissions. And then for all those resources check the new permissions for the WebID that subscribed to that specific channel.
This is all known information to the server so can be done, but that could potentially trigger a lot of actions on the server by doing a single operation on an authorization resource, as a lot of resources might have to be loaded to do all those checks.
Currently, we only assume that access will be checked when the notification channel gets created. We don't seem to address a common scenario when access policy changes on the resource which is a
topic
of some existing notification channels.I think every change to access policies, would result in re-evaluating all the channels using that resource as their
topic
. If the receiver doesn't have required access anymore, their channel should be most likely deactivated.Related issues:
The text was updated successfully, but these errors were encountered: