Found in m-ld/m-ld-security-spec#14: the voiding of operations contributes to the "update" seen by constraints (and ultimately by the application). This voiding is included in the interim update, whose context is the triggering agreement, including its attribution.
This can lead to constraint failures. For example, in timeld, the voiding may affect timesheet entries for which the agreement's principal does not have edit rights.
The correct behaviour should be to apply the voiding first, without constraints (as the prior state should always have integrity), and then apply constraints only to the new agreement. This is problematic for the JavaScript engine because it is not capable of atomically applying procedural code in the middle of a transaction.
Arguably, since the agreement did cause the voiding, the permission check makes sense. Should permission checks allow for agreement, by authority or otherwise?
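To make the ordering problem concrete, here is an added toy model (not m-ld or timeld code; the principals, entry ids and the edit-rights check are all constructed for the example). It contrasts the current interim update, where the voiding's deletions are attributed to the agreement's principal, with the proposed ordering, where the constraint sees only the agreement's own delta.

```javascript
// Toy model of the issue's ordering problem (not m-ld code). State is a set of
// timesheet entries, each with an owner; operations insert entries and are
// attributed to a principal. An agreement voids earlier operations and carries
// its own insert. The constraint: a principal may only touch entries they own.

// Constructed history: bob's op2 will be voided by alice's agreement.
const OPS = [
  { id: 'op1', principal: 'alice', insert: { id: 'e1', owner: 'alice', hours: 2 } },
  { id: 'op2', principal: 'bob', insert: { id: 'e2', owner: 'bob', hours: 3 } },
];
const AGREEMENT = {
  principal: 'alice',
  voids: ['op2'],
  insert: { id: 'e3', owner: 'alice', hours: 1 },
};

// Edit-rights constraint: returns the ids of entries the update's principal is
// not allowed to touch (an empty array means the constraint passes).
function checkEditRights(update) {
  return [...update.delete, ...update.insert]
    .filter(e => e.owner !== update.principal)
    .map(e => e.id);
}

// Current behaviour: the voiding's deletions are folded into the interim update
// and attributed to the agreement's principal, so the constraint sees bob's
// entry being deleted by alice and fails.
function interimUpdateCurrent(ops, agreement) {
  const voided = ops.filter(op => agreement.voids.includes(op.id));
  return {
    principal: agreement.principal,
    delete: voided.map(op => op.insert),
    insert: [agreement.insert],
  };
}

// Proposed behaviour: voiding is applied first without constraints (the prior
// state is trusted to have integrity); the constraint sees only the agreement's
// own delta.
function interimUpdateProposed(agreement) {
  return { principal: agreement.principal, delete: [], insert: [agreement.insert] };
}

// The resulting state is the same either way: voided operations are reverted
// and the agreement's insert is applied.
function finalState(ops, agreement) {
  const state = new Map();
  for (const op of ops) if (!agreement.voids.includes(op.id)) state.set(op.insert.id, op.insert);
  state.set(agreement.insert.id, agreement.insert);
  return state;
}
```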