What I'm trying to avoid here is making a user jump through hoops to get at data they have already "authenticated" for. If you're logged in as dw_annabel, and fic_annabel is associated with that, then by definition you can read posts to which fic_annabel has access.
It makes sense from that end! And with a bunch of people granting access to a journal which I state in my userinfo I don't read from, and don't subscribe to anyone, I know a lot of people grant access to obviously not-being-used-as-a-personal-journal journals, and there's nothing to be done about that (in other words, someone who grants access to $really_personal_filter to some_mod_journal should be rethinking their access policy, not the policy of who can read what where).
On the other hand, I do wonder a bit about the promotion of and passing around of secondary accounts. Thinking about it some...
I start off with MY_JOURNAL, to which I post fiction, code, meta, personal stuff, and other things. But I decide I'm just going to use MY_JOURNAL for fiction, and I start MY_PERSONAL for personal stuff, and I make MY_PERSONAL my primary with MY_JOURNAL as my secondary. People may or may not revoke access on MY_JOURNAL (they should! but they probably don't!). Now MY_PERSONAL has access to anything that MY_JOURNAL still has access to.
A while later, I begin a cowriting relationship with someone who wishes to remain anonymous, and I end up sharing access to MY_JOURNAL with ANON_USER. Because he wishes to remain anonymous, I don't list it on the profile. If I'm a nice person, I might say "heads up -- I'm now going to share this journal with someone else, but I can't tell you who, because he wishes to remain anonymous." Hopefully everyone revokes access to that journal at that point! Hopefully! But probably not. And I might just not say anything at all (okay, I would say something, but many people wouldn't think it was necessary). Either way, now all those legacy people who granted access to MY_JOURNAL have also managed to grant access to ANON_USER, without knowing who he is or that he has access to those posts of theirs.
On one hand, I kind of feel like this is the sort of thing that people should be looking after themselves -- if you grant someone access, you should probably keep an eye on them to make sure they haven't changed the purpose of their journal, that they didn't make it a secondary journal, and so on. On the other hand, there's no reason in the world that people would ever know that the circumstances under which they granted access are now different (I assume that if a journal becomes a secondary, it doesn't send a message to all the accounts that grant it access that it is now a secondary, and if it becomes shared, it probably doesn't send a message to all the accounts that grant it access that it is now shared -- I mean, thank God my accounts don't tell everyone to whom I've granted access when I change my email address, because I would've spammed 70-odd people four times in one week at one point *g*), and that just plain still seems risky to me.
I'm not sure it's a risk DW needs to help mediate (unlike the leak where if PRIMARY1 has access to USER, then SECONDARY1 has access to USER, and if SECONDARY1 is shared with PRIMARY2, then PRIMARY2 has access to USER, which was a terrifying thought and one I'm glad isn't in the works!), but it's definitely a concern for me.
Ultimately, I think it is a good idea to make people explicitly change identities in order to access things that only one identity has access to, really, because it prevents DW from being in the very unfortunate position of automatically transferring access between accounts without alerting the access-granter that the transfer is occurring. DW may know that "you" are "you", but I'm just terribly uneasy with the notion that DW would be, behind the scenes, transferring a grant of access to journals that were not themselves explicitly granted access. (Yes, you'd be able to get them anyway -- and the hoop of an extra click to switch accounts is not a very big one -- but I really, really like the idea of a distinction between DW allowing you to change identities and DW transferring access around.)
But we'll see how this shakes down! I may be fixating on this because I have a security-oriented brain. ;)
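The access chains described in the comment above can be modelled in a few lines. This is an added illustration, not part of the original thread and not Dreamwidth's code: the `GRANTS` / `CAN_ACT_AS` relations and the function names are assumptions, and the account names are the comment's own placeholders. It compares who can reach USER's locked posts when identities must be switched explicitly with who can when access follows account links automatically, and lists the extra controllers a granter is never told about.

```python
# Constructed sample data; account names are the placeholders used in the comment.
GRANTS = {"USER": {"MY_JOURNAL", "PRIMARY1"}}   # granter -> accounts explicitly granted
CAN_ACT_AS = {                                   # login -> accounts it can switch into
    "MY_PERSONAL": {"MY_JOURNAL"},   # MY_JOURNAL became a secondary of MY_PERSONAL
    "ANON_USER": {"MY_JOURNAL"},     # MY_JOURNAL is shared with an unlisted co-writer
    "PRIMARY1": {"SECONDARY1"},
    "PRIMARY2": {"SECONDARY1"},      # SECONDARY1 is shared with PRIMARY2
}

def controllers(account):
    """Logins that can switch into `account` (their secondary, or shared with them)."""
    return {login for login, accts in CAN_ACT_AS.items() if account in accts}

def reach_with_explicit_switch(granter):
    """Only granted identities hold access; a person must switch into one of them."""
    granted = GRANTS.get(granter, set())
    return granted | {c for a in granted for c in controllers(a)}

def reach_with_transitive_transfer(granter):
    """The leak: access follows every account link until nothing new is added."""
    seen, todo = set(), list(GRANTS.get(granter, set()))
    while todo:
        acct = todo.pop()
        if acct in seen:
            continue
        seen.add(acct)
        todo.extend(CAN_ACT_AS.get(acct, set()))   # primary -> its secondaries
        todo.extend(controllers(acct))             # account -> everyone who controls it
    return seen

def audit_grants(granter):
    """What a granter is never told: who else can act as each account they granted."""
    return {a: sorted(controllers(a)) for a in sorted(GRANTS.get(granter, set()))}

if __name__ == "__main__":
    print("explicit switch :", sorted(reach_with_explicit_switch("USER")))
    print("transitive leak :", sorted(reach_with_transitive_transfer("USER")))
    print("hidden from USER:", audit_grants("USER"))
```

Under explicit switching PRIMARY2 never reaches USER's posts, because SECONDARY1 itself was not granted anything; under automatic transfer it does. ANON_USER reaches them under both policies, which is the legacy-grant concern raised in the comment.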
Re: Shared access = massive security hole