I concur that this is a problem, and this worry is one of the things
that keeps me from depending on coda more than I do.

I think the issue can be solved by saying that expired tokens continue
to work locally indefinitely (but that they can still be cleared with
cunlog).  This means that even after a brief reconnection they should
work.

Further, this needs to be stored in RVM so that a fresh start of venus
while disconnected (e.g. after a reboot) still works.  Yes, I usually
suspend and don't have to do this, but sometimes one wants to or has
to reboot.

To argue that this is reasonable: on a local filesystem, one can
access one's files indefinitely.  Over a network, whkle the user's
access at a high-level is valid until revoked, tokens are short-lived
for the same sorts of reasons that kerberos tickets are short-lived
(don't store long-term user keys).

On my laptop, I could certainly go look at files in the cache, so
declining to let me look at them with venus is sort of silly.  The
only argument I can think of against the expired-tokens-work-locally
scheme is user separation on a multi-user possibly-disconnected
client.  But on such machines, one should cunlog at logout to remove
rights, and perhaps flush all of one's data from the cache, depending
on paranoia level.


-- 
        Greg Troxel <gdt_at_ir.bbn.com>