schollz / cowyo

A feature-rich wiki webserver for minimalists :cow: :speech_balloon:
https://cowyo.com/
MIT License

Per-session unlock #110

Closed katomaso closed 6 years ago

katomaso commented 6 years ago

This issue is related to #107

Suppose there is me and you, we know that there is an edit URL. But only I know the unlock password. Once I unlock, you can go to the edit URL and see it unlocked! Even worse - you will be able to lock it under my hands with your own password.

Per session unlocking might solve this. I imagine it always having "isLocked": true in the JSON and unlock would simply add "unlockedFor": Another unlock would fail if there is unlockedFor already. We would need to add action "Change Password" since "Unlock" would not be changing the password anymore.

Based on the discussion in #107, we should have a timestamp for unlockedFor to clear any locking after 10 minutes after the last change.
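A sketch of the per-session unlock proposed above, as an added example that is not part of the original issue and is not cowyo's code. The `Page` type, its field and method names, the session IDs and the SHA-256 password check are assumptions, and it models a page that already has a password set.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Page is a hypothetical model of the proposal, not cowyo's actual struct.
type Page struct {
	PassHash    [32]byte  // SHA-256 stand-in; use a slow password hash in practice
	UnlockedFor string    // session that holds the unlock, "" if none
	LastChange  time.Time // last unlock or edit by that session
}

// holder returns the session holding the unlock; it lapses 10 minutes after the last change.
func (p *Page) holder(now time.Time) string {
	if now.Sub(p.LastChange) >= 10*time.Minute {
		p.UnlockedFor = ""
	}
	return p.UnlockedFor
}

// Unlock binds the unlock to one session and never changes the password.
func (p *Page) Unlock(session, password string, now time.Time) error {
	if h := p.holder(now); h != "" && h != session {
		return errors.New("unlocked for another session")
	}
	if h := sha256.Sum256([]byte(password)); subtle.ConstantTimeCompare(h[:], p.PassHash[:]) != 1 {
		return errors.New("wrong password")
	}
	p.UnlockedFor, p.LastChange = session, now
	return nil
}

// Edit reports whether session may save, and restarts the timer if so.
func (p *Page) Edit(session string, now time.Time) bool {
	if session == "" || p.holder(now) != session {
		return false
	}
	p.LastChange = now
	return true
}

func main() {
	p := &Page{PassHash: sha256.Sum256([]byte("constructed-pw"))}
	fmt.Println(p.Unlock("sess-A", "constructed-pw", time.Now()), p.Edit("sess-B", time.Now()))
}
```

Knowing the edit URL is not enough here: a second session is refused both the edit and a competing unlock until the holder's 10 minutes lapse.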

schollz commented 6 years ago

Thank you @katomaso !