Bug: OPs owned by a kicked team member may be accessible by other team members #30

Open
le-jeu opened this issue Apr 25, 2023 · 4 comments

Comments

@le-jeu
Member

le-jeu commented Apr 25, 2023

Currently, to add a team permission to an OP, you need to:

  • be the OP owner
  • be part of the team

Once added, those conditions are not preserved by some operations:

  1. the owner is removed from the team
  2. the OP changed owner (unavailable from any UI 🙄 )
  3. maybe no point 3, I didn't dig too much into the code

That leads to an OP with permission for a team (and access for its team members) while the owner isn't in the team. This occurs if a team member becomes inactive while sharing draws with a team, polluting the op list of fellow agents.

@cloudkucooland
Member

So, when an agent (Y) is removed from (or leaves) a team (X)

  1. get a list of any ops Y owns: [Z...]
  2. foreach Z... : (z)
    remove any permissions X has to z

Would that address this fully?

@le-jeu
Member Author

le-jeu commented Apr 25, 2023

Yes. Additional idea: a team owner could opt out their team from an op (that would require some UI addition)

@cloudkucooland
Member

28266cb

@le-jeu
Member Author

le-jeu commented Apr 27, 2023

This doesn't address the case when the OP changes owner yet.

When agent (Y) gets ownership of op (X), it can be

  • for each permission for team (t) on (X)
    • if (y) is not in (t), remove the permission

or

  • reject the change if (y) is not part of all teams
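
Added example, not part of the issue thread and not the project's code: a small in-memory model of the invariant discussed above (a team may hold a permission on an OP only while the OP's owner is a member of that team), with the member-removal cleanup, both owner-change options, and an audit for existing violations. The `Store` class, its field names and the sample agents and teams are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    """Constructed in-memory model; names are hypothetical, not the project's schema."""
    members: dict = field(default_factory=dict)  # team -> set of agents
    owner: dict = field(default_factory=dict)    # op -> owning agent
    perms: dict = field(default_factory=dict)    # op -> set of teams with access

    def add_permission(self, actor, op, team):
        # The two creation-time conditions from the issue.
        if self.owner[op] != actor or actor not in self.members[team]:
            raise PermissionError("must own the OP and be in the team")
        self.perms.setdefault(op, set()).add(team)

    def remove_member(self, team, agent):
        # Case 1: agent leaves or is kicked; revoke the team's access to their OPs.
        self.members[team].discard(agent)
        for op, who in self.owner.items():
            if who == agent:
                self.perms.get(op, set()).discard(team)

    def change_owner(self, op, new_owner, strict=False):
        # Case 2: prune teams the new owner is not in, or reject when strict.
        stale = {t for t in self.perms.get(op, set())
                 if new_owner not in self.members[t]}
        if stale and strict:
            raise PermissionError(f"new owner not in teams: {sorted(stale)}")
        self.perms.get(op, set()).difference_update(stale)
        self.owner[op] = new_owner

    def violations(self):
        # Audit: (op, team) pairs where the team has access but the owner is not a member.
        return sorted((op, t) for op, teams in self.perms.items()
                      for t in teams if self.owner[op] not in self.members[t])

    def visible_ops(self, agent):
        # OPs an agent sees: owned, or shared with a team they belong to.
        return sorted(op for op, who in self.owner.items() if who == agent
                      or any(agent in self.members[t] for t in self.perms.get(op, ())))

def demo():
    s = Store(members={"X": {"alice", "bob"}, "W": {"alice", "carol"}},
              owner={"op1": "alice"})
    s.add_permission("alice", "op1", "X")
    s.add_permission("alice", "op1", "W")
    s.remove_member("X", "alice")   # bob must no longer see op1
    after_kick = s.visible_ops("bob")
    s.change_owner("op1", "bob")    # bob is not in W, so W's permission is pruned
    return after_kick, s.perms["op1"], s.violations()
```

Running `violations()` against existing data lists the permissions left behind before the cleanup existed.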
