Rework ACL structures

commonspace/object/acl/aclrecordproto/aclrecord.pb.go

@@ -812,7 +812,7 @@ func (m *AclReadKeyChange) GetAccountKeys() []*AclEncryptedReadKey {
 
 // AclAccountRemove removes an account and changes read key for space
 type AclAccountRemove struct {
-	Identity    []byte                 `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
+	Identities  [][]byte               `protobuf:"bytes,1,rep,name=identities,proto3" json:"identities,omitempty"`
 	AccountKeys []*AclEncryptedReadKey `protobuf:"bytes,2,rep,name=accountKeys,proto3" json:"accountKeys,omitempty"`
 }
 
@@ -849,9 +849,9 @@ func (m *AclAccountRemove) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_AclAccountRemove proto.InternalMessageInfo
 
-func (m *AclAccountRemove) GetIdentity() []byte {
+func (m *AclAccountRemove) GetIdentities() [][]byte {
 	if m != nil {
-		return m.Identity
+		return m.Identities
 	}
 	return nil
 }
@@ -863,6 +863,43 @@ func (m *AclAccountRemove) GetAccountKeys() []*AclEncryptedReadKey {
 	return nil
 }
 
+// AclAccountRequestRemove adds a request to remove an account
+type AclAccountRequestRemove struct {
+}
+
+func (m *AclAccountRequestRemove) Reset()         { *m = AclAccountRequestRemove{} }
+func (m *AclAccountRequestRemove) String() string { return proto.CompactTextString(m) }
+func (*AclAccountRequestRemove) ProtoMessage()    {}
+func (*AclAccountRequestRemove) Descriptor() ([]byte, []int) {
+	return fileDescriptor_c8e9f754f34e929b, []int{14}
+}
+func (m *AclAccountRequestRemove) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *AclAccountRequestRemove) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_AclAccountRequestRemove.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *AclAccountRequestRemove) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_AclAccountRequestRemove.Merge(m, src)
+}
+func (m *AclAccountRequestRemove) XXX_Size() int {
+	return m.Size()
+}
+func (m *AclAccountRequestRemove) XXX_DiscardUnknown() {
+	xxx_messageInfo_AclAccountRequestRemove.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_AclAccountRequestRemove proto.InternalMessageInfo
+
 // AclContentValue contains possible values for Acl
 type AclContentValue struct {
 	// Types that are valid to be assigned to Value:
@@ -875,6 +912,7 @@ type AclContentValue struct {
 	//	*AclContentValue_AccountRemove
 	//	*AclContentValue_ReadKeyChange
 	//	*AclContentValue_RequestDecline
+	//	*AclContentValue_AccountRequestRemove
 	Value isAclContentValue_Value `protobuf_oneof:"value"`
 }
 
@@ -882,7 +920,7 @@ func (m *AclContentValue) Reset()         { *m = AclContentValue{} }
 func (m *AclContentValue) String() string { return proto.CompactTextString(m) }
 func (*AclContentValue) ProtoMessage()    {}
 func (*AclContentValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8e9f754f34e929b, []int{14}
+	return fileDescriptor_c8e9f754f34e929b, []int{15}
 }
 func (m *AclContentValue) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -941,15 +979,19 @@ type AclContentValue_ReadKeyChange struct {
 type AclContentValue_RequestDecline struct {
 	RequestDecline *AclAccountRequestDecline `protobuf:"bytes,8,opt,name=requestDecline,proto3,oneof" json:"requestDecline,omitempty"`
 }
+type AclContentValue_AccountRequestRemove struct {
+	AccountRequestRemove *AclAccountRequestRemove `protobuf:"bytes,9,opt,name=accountRequestRemove,proto3,oneof" json:"accountRequestRemove,omitempty"`
+}
 
-func (*AclContentValue_Invite) isAclContentValue_Value()           {}
-func (*AclContentValue_InviteRevoke) isAclContentValue_Value()     {}
-func (*AclContentValue_RequestJoin) isAclContentValue_Value()      {}
-func (*AclContentValue_RequestAccept) isAclContentValue_Value()    {}
-func (*AclContentValue_PermissionChange) isAclContentValue_Value() {}
-func (*AclContentValue_AccountRemove) isAclContentValue_Value()    {}
-func (*AclContentValue_ReadKeyChange) isAclContentValue_Value()    {}
-func (*AclContentValue_RequestDecline) isAclContentValue_Value()   {}
+func (*AclContentValue_Invite) isAclContentValue_Value()               {}
+func (*AclContentValue_InviteRevoke) isAclContentValue_Value()         {}
+func (*AclContentValue_RequestJoin) isAclContentValue_Value()          {}
+func (*AclContentValue_RequestAccept) isAclContentValue_Value()        {}
+func (*AclContentValue_PermissionChange) isAclContentValue_Value()     {}
+func (*AclContentValue_AccountRemove) isAclContentValue_Value()        {}
+func (*AclContentValue_ReadKeyChange) isAclContentValue_Value()        {}
+func (*AclContentValue_RequestDecline) isAclContentValue_Value()       {}
+func (*AclContentValue_AccountRequestRemove) isAclContentValue_Value() {}
 
 func (m *AclContentValue) GetValue() isAclContentValue_Value {
 	if m != nil {
@@ -1014,6 +1056,13 @@ func (m *AclContentValue) GetRequestDecline() *AclAccountRequestDecline {
 	return nil
 }
 
+func (m *AclContentValue) GetAccountRequestRemove() *AclAccountRequestRemove {
+	if x, ok := m.GetValue().(*AclContentValue_AccountRequestRemove); ok {
+		return x.AccountRequestRemove
+	}
+	return nil
+}
+
 // XXX_OneofWrappers is for the internal use of the proto package.
 func (*AclContentValue) XXX_OneofWrappers() []interface{} {
 	return []interface{}{
@@ -1025,6 +1074,7 @@ func (*AclContentValue) XXX_OneofWrappers() []interface{} {
 		(*AclContentValue_AccountRemove)(nil),
 		(*AclContentValue_ReadKeyChange)(nil),
 		(*AclContentValue_RequestDecline)(nil),
+		(*AclContentValue_AccountRequestRemove)(nil),
 	}
 }
 
@@ -1037,7 +1087,7 @@ func (m *AclData) Reset()         { *m = AclData{} }
 func (m *AclData) String() string { return proto.CompactTextString(m) }
 func (*AclData) ProtoMessage()    {}
 func (*AclData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8e9f754f34e929b, []int{15}
+	return fileDescriptor_c8e9f754f34e929b, []int{16}
 }
 func (m *AclData) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1081,7 +1131,7 @@ func (m *AclSyncMessage) Reset()         { *m = AclSyncMessage{} }
 func (m *AclSyncMessage) String() string { return proto.CompactTextString(m) }
 func (*AclSyncMessage) ProtoMessage()    {}
 func (*AclSyncMessage) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8e9f754f34e929b, []int{16}
+	return fileDescriptor_c8e9f754f34e929b, []int{17}
 }
 func (m *AclSyncMessage) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1129,7 +1179,7 @@ func (m *AclSyncContentValue) Reset()         { *m = AclSyncContentValue{} }
 func (m *AclSyncContentValue) String() string { return proto.CompactTextString(m) }
 func (*AclSyncContentValue) ProtoMessage()    {}
 func (*AclSyncContentValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8e9f754f34e929b, []int{17}
+	return fileDescriptor_c8e9f754f34e929b, []int{18}
 }
 func (m *AclSyncContentValue) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1199,7 +1249,7 @@ func (m *AclAddRecords) Reset()         { *m = AclAddRecords{} }
 func (m *AclAddRecords) String() string { return proto.CompactTextString(m) }
 func (*AclAddRecords) ProtoMessage()    {}
 func (*AclAddRecords) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8e9f754f34e929b, []int{18}
+	return fileDescriptor_c8e9f754f34e929b, []int{19}
 }
 func (m *AclAddRecords) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1251,6 +1301,7 @@ func init() {
 	proto.RegisterType((*AclAccountPermissionChange)(nil), "aclrecord.AclAccountPermissionChange")
 	proto.RegisterType((*AclReadKeyChange)(nil), "aclrecord.AclReadKeyChange")
 	proto.RegisterType((*AclAccountRemove)(nil), "aclrecord.AclAccountRemove")
+	proto.RegisterType((*AclAccountRequestRemove)(nil), "aclrecord.AclAccountRequestRemove")
 	proto.RegisterType((*AclContentValue)(nil), "aclrecord.AclContentValue")
 	proto.RegisterType((*AclData)(nil), "aclrecord.AclData")
 	proto.RegisterType((*AclSyncMessage)(nil), "aclrecord.AclSyncMessage")
@@ -1263,69 +1314,70 @@ func init() {
 }
 
 var fileDescriptor_c8e9f754f34e929b = []byte{
-	// 977 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0xdd, 0x6e, 0x1b, 0x45,
-	0x14, 0xde, 0x75, 0x1c, 0x3b, 0x3e, 0x9b, 0xb8, 0xee, 0x00, 0xed, 0x2a, 0x14, 0x13, 0x16, 0x15,
-	0x45, 0x15, 0x6a, 0x90, 0x11, 0xa2, 0x42, 0x88, 0xd6, 0x4d, 0x2a, 0xec, 0x40, 0x00, 0x4d, 0x80,
-	0x4a, 0x95, 0x40, 0x9a, 0xce, 0x8e, 0xd2, 0x85, 0xfd, 0xeb, 0xec, 0xc4, 0x95, 0xdf, 0x82, 0x47,
-	0xe0, 0x45, 0xb8, 0xe7, 0xb2, 0x37, 0x48, 0x88, 0x2b, 0x94, 0x3c, 0x00, 0xaf, 0x80, 0x66, 0xc6,
-	0xfb, 0x37, 0xbb, 0xb5, 0x9a, 0x8b, 0xc4, 0x3b, 0x67, 0xce, 0xf9, 0xe6, 0x9c, 0xf3, 0x7d, 0x73,
-	0x76, 0xe1, 0x73, 0x9a, 0x44, 0x51, 0x12, 0x67, 0x29, 0xa1, 0xec, 0x20, 0x79, 0xfa, 0x0b, 0xa3,
-	0xe2, 0x80, 0xd0, 0x50, 0xfe, 0x71, 0x46, 0x13, 0xee, 0xa7, 0x3c, 0x11, 0xc9, 0x81, 0xfa, 0x9f,
-	0x95, 0xd6, 0xbb, 0xca, 0x80, 0x06, 0x85, 0xc1, 0xfb, 0xdd, 0x86, 0x6d, 0x4c, 0x5e, 0x4c, 0x69,
-	0x88, 0x95, 0x01, 0xb9, 0xd0, 0x4f, 0xc9, 0x32, 0x4c, 0x88, 0xef, 0xda, 0x7b, 0xf6, 0xfe, 0x36,
-	0xce, 0x97, 0xe8, 0x16, 0x0c, 0xb2, 0xe0, 0x2c, 0x26, 0xe2, 0x9c, 0x33, 0xb7, 0xa3, 0xf6, 0x4a,
-	0x03, 0xba, 0x03, 0x23, 0x42, 0x29, 0x4b, 0x45, 0xc2, 0xe7, 0x3e, 0x8b, 0x45, 0x20, 0x96, 0xee,
-	0x86, 0x72, 0x6a, 0xd8, 0xd1, 0x87, 0x70, 0x3d, 0xb7, 0x9d, 0x16, 0x88, 0x5d, 0xe5, 0xdc, 0xdc,
-	0xf0, 0xbe, 0x00, 0x54, 0xcd, 0xf0, 0x71, 0x20, 0x9e, 0xcd, 0xd7, 0xe5, 0x39, 0x84, 0x4e, 0xe0,
-	0xab, 0x04, 0x07, 0xb8, 0x13, 0xf8, 0xde, 0x73, 0x18, 0x94, 0xe5, 0xdd, 0x80, 0x5e, 0xca, 0xd9,
-	0x62, 0xae, 0xa3, 0x06, 0x78, 0xb5, 0x42, 0xbb, 0xb0, 0x15, 0xe4, 0x69, 0xeb, 0xda, 0x8a, 0x35,
-	0x42, 0xd0, 0xf5, 0x89, 0x20, 0xab, 0x72, 0xd4, 0xb3, 0x6c, 0x86, 0x08, 0x22, 0x96, 0x09, 0x12,
-	0xa5, 0x2a, 0xf5, 0x0d, 0x5c, 0x1a, 0xbc, 0xbf, 0x6c, 0xe8, 0xcb, 0x33, 0x93, 0x44, 0xd4, 0x90,
-	0x6d, 0x03, 0xf9, 0x16, 0x0c, 0x22, 0x92, 0x09, 0xc6, 0xbf, 0x62, 0xf9, 0xb1, 0xa5, 0x41, 0x96,
-	0xa8, 0x08, 0x9e, 0xfb, 0xea, 0xe8, 0x01, 0xce, 0x97, 0xb2, 0xd9, 0x2c, 0xa6, 0x7c, 0x99, 0x0a,
-	0xe6, 0x63, 0x46, 0x7c, 0x19, 0xae, 0xfb, 0xd7, 0xb0, 0xd7, 0x33, 0xdd, 0x34, 0x32, 0x95, 0x54,
-	0xe4, 0xd9, 0x94, 0x54, 0xf4, 0x34, 0x15, 0x8d, 0x0d, 0xef, 0x23, 0x18, 0x4d, 0x69, 0x38, 0xa5,
-	0x34, 0x39, 0x8f, 0xc5, 0x3c, 0x5e, 0x04, 0x82, 0x49, 0xfc, 0x40, 0x3d, 0xc9, 0x24, 0x74, 0x81,
-	0xa5, 0xc1, 0xfb, 0xc3, 0x86, 0xb7, 0xca, 0x10, 0xcc, 0x9e, 0x9f, 0xb3, 0x4c, 0x1c, 0x27, 0x41,
-	0x8c, 0x3e, 0x80, 0xa1, 0x76, 0x9b, 0xd7, 0xbb, 0x63, 0x58, 0x4b, 0x3f, 0xcd, 0xe0, 0x3c, 0xa7,
-	0xd6, 0xb0, 0xa2, 0x7b, 0x70, 0xb3, 0x1e, 0x59, 0xd6, 0xa3, 0x89, 0x7b, 0xd5, 0xb6, 0x64, 0x28,
-	0x62, 0x82, 0x28, 0x8e, 0x75, 0x17, 0x8b, 0xb5, 0xf7, 0x9f, 0x0d, 0x37, 0x1b, 0xf9, 0x4f, 0x95,
-	0x46, 0xd7, 0x32, 0xbb, 0x0f, 0xd7, 0xb8, 0x76, 0x36, 0xd2, 0x36, 0xcd, 0xe8, 0x04, 0xae, 0x9b,
-	0x9c, 0x65, 0xee, 0xc6, 0xde, 0xc6, 0xbe, 0x33, 0x79, 0xf7, 0x6e, 0x79, 0x73, 0x95, 0x84, 0xd5,
-	0xae, 0xbc, 0x00, 0x3a, 0x1a, 0x37, 0x23, 0xd1, 0x7d, 0x70, 0x52, 0xc6, 0xa3, 0x20, 0xcb, 0x82,
-	0x24, 0xce, 0x54, 0x3d, 0xc3, 0xc9, 0x3b, 0x75, 0xa0, 0x1f, 0x32, 0xc6, 0xbf, 0x2b, 0x9d, 0x70,
-	0x35, 0xc2, 0x3b, 0x02, 0xb7, 0x51, 0xf0, 0x11, 0xa3, 0x61, 0x10, 0xb3, 0xb6, 0xaa, 0xec, 0xd6,
-	0xaa, 0xbc, 0x07, 0x70, 0xc3, 0x54, 0x0a, 0x66, 0x8b, 0xe4, 0x57, 0xd6, 0xc2, 0xa7, 0xdd, 0xc6,
-	0xa7, 0xf7, 0x33, 0xbc, 0xd9, 0x56, 0xb3, 0xec, 0x3a, 0xaf, 0x47, 0x16, 0xeb, 0xd6, 0x7b, 0xd1,
-	0x69, 0xbf, 0x17, 0xde, 0x4f, 0xf0, 0xc6, 0x94, 0x86, 0x8f, 0xcc, 0xeb, 0xb2, 0x8e, 0xd4, 0xab,
-	0xc0, 0x2f, 0x61, 0xb7, 0x6c, 0x40, 0xd9, 0xec, 0xc3, 0x67, 0x24, 0x3e, 0x63, 0x6b, 0x4f, 0x31,
-	0x18, 0xec, 0x5c, 0x99, 0xc1, 0xef, 0xd5, 0x2d, 0x5d, 0x25, 0xb2, 0x3a, 0xf0, 0x01, 0x38, 0x44,
-	0xe7, 0xa2, 0xf4, 0x65, 0x2b, 0x7d, 0x8d, 0xeb, 0xa0, 0x66, 0x2f, 0x70, 0x35, 0xc4, 0x4b, 0xab,
-	0x77, 0x1f, 0xb3, 0x28, 0x59, 0xac, 0x2f, 0xc3, 0x38, 0xb1, 0x73, 0xf5, 0x13, 0xff, 0xe9, 0xc2,
-	0xb5, 0x29, 0x0d, 0x0f, 0x93, 0x58, 0xb0, 0x58, 0xfc, 0x48, 0xc2, 0x73, 0x86, 0x3e, 0x81, 0x9e,
-	0xd6, 0x89, 0x3a, 0xcf, 0x99, 0xbc, 0x5d, 0x07, 0xac, 0x09, 0x6e, 0x66, 0xe1, 0x95, 0x33, 0xfa,
-	0x12, 0xb6, 0x83, 0x8a, 0x08, 0x55, 0x53, 0x9d, 0xc9, 0x7b, 0x6b, 0x82, 0xb5, 0xe3, 0xcc, 0xc2,
-	0xb5, 0x40, 0x74, 0x04, 0x0e, 0x2f, 0x87, 0x98, 0x9a, 0x2c, 0xce, 0x64, 0xaf, 0x15, 0xa7, 0x32,
-	0xec, 0x66, 0x16, 0xae, 0x86, 0xa1, 0x63, 0xd8, 0xe1, 0xd5, 0x51, 0xa2, 0xae, 0xa9, 0x33, 0xf1,
-	0xd6, 0xe1, 0x68, 0xcf, 0x99, 0x85, 0xeb, 0xa1, 0xe8, 0x14, 0x46, 0xa9, 0x21, 0x2f, 0x35, 0xe6,
-	0x9d, 0xc9, 0xed, 0x56, 0x38, 0x53, 0x8b, 0x33, 0x0b, 0x37, 0x00, 0xd0, 0x21, 0xec, 0x90, 0x2a,
-	0xd3, 0xea, 0x95, 0xf0, 0xaa, 0x6e, 0x6b, 0x17, 0x99, 0x59, 0x2d, 0x46, 0x82, 0xf0, 0xaa, 0x08,
-	0xdd, 0x7e, 0x1b, 0x48, 0x4d, 0xa7, 0xba, 0xbc, 0xaa, 0x70, 0x4f, 0x60, 0xc8, 0x6b, 0x43, 0xc8,
-	0xdd, 0x52, 0x28, 0xef, 0xaf, 0xeb, 0xd5, 0xca, 0x75, 0x66, 0x61, 0x23, 0xf8, 0x61, 0x1f, 0x36,
-	0x17, 0x52, 0x48, 0xde, 0x23, 0xf5, 0x86, 0x3e, 0x92, 0xef, 0xf2, 0xcf, 0x00, 0x48, 0x21, 0xb3,
-	0xd5, 0xd5, 0xd8, 0xad, 0xc3, 0x57, 0x35, 0x88, 0x2b, 0xde, 0xde, 0x31, 0x0c, 0xa7, 0x34, 0x3c,
-	0x5d, 0xc6, 0xf4, 0x84, 0x65, 0x19, 0x39, 0x63, 0xe8, 0x1e, 0xf4, 0x69, 0x01, 0x65, 0x37, 0x35,
-	0x2f, 0x7d, 0x6b, 0x70, 0xb9, 0xbb, 0xf7, 0x44, 0x4d, 0x24, 0x73, 0x5f, 0xa5, 0xe7, 0xfb, 0x7a,
-	0xfa, 0x65, 0x2b, 0x4c, 0xd7, 0xa8, 0xbe, 0xd8, 0x9f, 0x59, 0xb8, 0xe2, 0x5d, 0x96, 0x3b, 0x83,
-	0x9d, 0x9a, 0x1f, 0xfa, 0x14, 0xfa, 0xbc, 0x80, 0x94, 0x15, 0x57, 0x27, 0x4c, 0xf3, 0x7b, 0x0b,
-	0xe7, 0xde, 0x77, 0xbe, 0x06, 0xd4, 0x1c, 0x40, 0x68, 0x0b, 0xba, 0xdf, 0x24, 0x31, 0x1b, 0x59,
-	0x68, 0x00, 0x9b, 0xdf, 0xbe, 0x88, 0x19, 0x1f, 0xd9, 0xf2, 0x71, 0xea, 0x47, 0x41, 0x3c, 0xea,
-	0x20, 0x80, 0xde, 0x63, 0x1e, 0x08, 0xc6, 0x47, 0x1b, 0xf2, 0x59, 0x92, 0xce, 0xf8, 0xa8, 0xfb,
-	0xf0, 0xfe, 0x9f, 0x17, 0x63, 0xfb, 0xe5, 0xc5, 0xd8, 0xfe, 0xf7, 0x62, 0x6c, 0xff, 0x76, 0x39,
-	0xb6, 0x5e, 0x5e, 0x8e, 0xad, 0xbf, 0x2f, 0xc7, 0xd6, 0x93, 0xdb, 0xaf, 0xf5, 0x89, 0xfb, 0xb4,
-	0xa7, 0x7e, 0x3e, 0xfe, 0x3f, 0x00, 0x00, 0xff, 0xff, 0x93, 0x1c, 0x33, 0x3f, 0x12, 0x0b, 0x00,
-	0x00,
+	// 1008 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0xdd, 0x6e, 0xdc, 0x44,
+	0x14, 0xb6, 0x37, 0xc9, 0x6e, 0x7c, 0x9c, 0x6c, 0xb7, 0x43, 0x69, 0x4d, 0x28, 0x4b, 0x30, 0x2a,
+	0x8a, 0x2a, 0xd4, 0xa0, 0x45, 0x88, 0x0a, 0x21, 0xda, 0x6d, 0x52, 0xb1, 0x1b, 0x08, 0xa0, 0x09,
+	0x50, 0x54, 0x09, 0xa4, 0xe9, 0x78, 0x94, 0x1a, 0xfc, 0xd7, 0xf1, 0x64, 0xab, 0x7d, 0x0b, 0x1e,
+	0x81, 0x87, 0xe0, 0x96, 0x7b, 0x2e, 0x7b, 0x83, 0xc4, 0x25, 0x4a, 0x1e, 0x80, 0x57, 0x40, 0x33,
+	0xe3, 0x7f, 0xbb, 0x4b, 0x73, 0x91, 0xac, 0xe7, 0xcc, 0x39, 0xdf, 0xf9, 0xfb, 0xce, 0xb1, 0xe1,
+	0x53, 0x1a, 0x87, 0x61, 0x1c, 0xa5, 0x09, 0xa1, 0x6c, 0x3f, 0x7e, 0xf2, 0x33, 0xa3, 0x62, 0x9f,
+	0xd0, 0x40, 0xfe, 0x71, 0x46, 0x63, 0xee, 0x25, 0x3c, 0x16, 0xf1, 0xbe, 0xfa, 0x9f, 0x96, 0xd2,
+	0x3b, 0x4a, 0x80, 0xac, 0x42, 0xe0, 0xfe, 0x66, 0xc2, 0x16, 0x26, 0xcf, 0xa7, 0x34, 0xc0, 0x4a,
+	0x80, 0x1c, 0x18, 0x24, 0x64, 0x19, 0xc4, 0xc4, 0x73, 0xcc, 0x5d, 0x73, 0x6f, 0x0b, 0xe7, 0x47,
+	0x74, 0x13, 0xac, 0xd4, 0x3f, 0x8d, 0x88, 0x38, 0xe3, 0xcc, 0xe9, 0xa9, 0xbb, 0x52, 0x80, 0x6e,
+	0xc3, 0x88, 0x50, 0xca, 0x12, 0x11, 0xf3, 0xb9, 0xc7, 0x22, 0xe1, 0x8b, 0xa5, 0xb3, 0xa6, 0x94,
+	0x5a, 0x72, 0xf4, 0x3e, 0x5c, 0xcd, 0x65, 0x27, 0x05, 0xe2, 0xba, 0x52, 0x6e, 0x5f, 0xb8, 0x9f,
+	0x01, 0xaa, 0x46, 0xf8, 0xc8, 0x17, 0x4f, 0xe7, 0xab, 0xe2, 0x1c, 0x42, 0xcf, 0xf7, 0x54, 0x80,
+	0x16, 0xee, 0xf9, 0x9e, 0xfb, 0x0c, 0xac, 0x32, 0xbd, 0xeb, 0xd0, 0x4f, 0x38, 0x5b, 0xcc, 0xb5,
+	0x95, 0x85, 0xb3, 0x13, 0xda, 0x81, 0x4d, 0x3f, 0x0f, 0x5b, 0xe7, 0x56, 0x9c, 0x11, 0x82, 0x75,
+	0x8f, 0x08, 0x92, 0xa5, 0xa3, 0x9e, 0x65, 0x31, 0x84, 0x1f, 0xb2, 0x54, 0x90, 0x30, 0x51, 0xa1,
+	0xaf, 0xe1, 0x52, 0xe0, 0xfe, 0x65, 0xc2, 0x40, 0xfa, 0x8c, 0x63, 0x51, 0x43, 0x36, 0x1b, 0xc8,
+	0x37, 0xc1, 0x0a, 0x49, 0x2a, 0x18, 0xff, 0x82, 0xe5, 0x6e, 0x4b, 0x81, 0x4c, 0x51, 0x35, 0x78,
+	0xee, 0x29, 0xd7, 0x16, 0xce, 0x8f, 0xb2, 0xd8, 0x2c, 0xa2, 0x7c, 0x99, 0x08, 0xe6, 0x61, 0x46,
+	0x3c, 0x69, 0xae, 0xeb, 0xd7, 0x92, 0xd7, 0x23, 0xdd, 0x68, 0x44, 0x2a, 0x5b, 0x91, 0x47, 0x53,
+	0xb6, 0xa2, 0xaf, 0x5b, 0xd1, 0xba, 0x70, 0x3f, 0x80, 0xd1, 0x94, 0x06, 0x53, 0x4a, 0xe3, 0xb3,
+	0x48, 0xcc, 0xa3, 0x85, 0x2f, 0x98, 0xc4, 0xf7, 0xd5, 0x93, 0x0c, 0x42, 0x27, 0x58, 0x0a, 0xdc,
+	0x3f, 0x4c, 0x78, 0xbd, 0x34, 0xc1, 0xec, 0xd9, 0x19, 0x4b, 0xc5, 0x51, 0xec, 0x47, 0xe8, 0x3d,
+	0x18, 0x6a, 0xb5, 0x79, 0xbd, 0x3a, 0x0d, 0x69, 0xa9, 0xa7, 0x3b, 0x38, 0xcf, 0x5b, 0xdb, 0x90,
+	0xa2, 0xbb, 0x70, 0xa3, 0x6e, 0x59, 0xe6, 0xa3, 0x1b, 0xf7, 0xb2, 0x6b, 0xd9, 0xa1, 0x90, 0x09,
+	0xa2, 0x7a, 0xac, 0xab, 0x58, 0x9c, 0xdd, 0x7f, 0x4d, 0xb8, 0xd1, 0x8a, 0x7f, 0xaa, 0x38, 0xba,
+	0xb2, 0xb3, 0x7b, 0x70, 0x85, 0x6b, 0xe5, 0x46, 0xd8, 0x4d, 0x31, 0x3a, 0x86, 0xab, 0xcd, 0x9e,
+	0xa5, 0xce, 0xda, 0xee, 0xda, 0x9e, 0x3d, 0x79, 0xfb, 0x4e, 0x39, 0xb9, 0x8a, 0xc2, 0xea, 0x56,
+	0x0e, 0x80, 0xb6, 0xc6, 0x6d, 0x4b, 0x74, 0x0f, 0xec, 0x84, 0xf1, 0xd0, 0x4f, 0x53, 0x3f, 0x8e,
+	0x52, 0x95, 0xcf, 0x70, 0xf2, 0x56, 0x1d, 0xe8, 0xbb, 0x94, 0xf1, 0x6f, 0x4a, 0x25, 0x5c, 0xb5,
+	0x70, 0x0f, 0xc1, 0x69, 0x25, 0x7c, 0xc8, 0x68, 0xe0, 0x47, 0xac, 0x2b, 0x2b, 0xb3, 0x33, 0x2b,
+	0xf7, 0x3e, 0x5c, 0x6f, 0x32, 0x05, 0xb3, 0x45, 0xfc, 0x0b, 0xeb, 0xe8, 0xa7, 0xd9, 0xd5, 0x4f,
+	0xf7, 0x27, 0xb8, 0xd6, 0x95, 0xb3, 0xac, 0x3a, 0xaf, 0x5b, 0x16, 0xe7, 0xce, 0xb9, 0xe8, 0x75,
+	0xcf, 0x85, 0xfb, 0x23, 0xbc, 0x36, 0xa5, 0xc1, 0xc3, 0xe6, 0xb8, 0xac, 0x6a, 0xea, 0x65, 0xe0,
+	0x97, 0xb0, 0x53, 0x16, 0xa0, 0x2c, 0xf6, 0xc1, 0x53, 0x12, 0x9d, 0xb2, 0x95, 0x5e, 0x1a, 0x1d,
+	0xec, 0x5d, 0xba, 0x83, 0xdf, 0xaa, 0x29, 0xcd, 0x02, 0xc9, 0x1c, 0xde, 0x07, 0x9b, 0xe8, 0x58,
+	0x14, 0xbf, 0x4c, 0xc5, 0xaf, 0x71, 0x1d, 0xb4, 0x59, 0x0b, 0x5c, 0x35, 0x71, 0x45, 0x75, 0xf6,
+	0x31, 0x0b, 0xe3, 0x05, 0x43, 0x63, 0x80, 0x2c, 0x6c, 0x9f, 0x69, 0xd0, 0x2d, 0x5c, 0x91, 0x34,
+	0xbd, 0xf6, 0x2e, 0xef, 0xf5, 0x8d, 0x8e, 0xf1, 0xd3, 0xce, 0xdd, 0xdf, 0x37, 0xe0, 0xca, 0x94,
+	0x06, 0x07, 0x71, 0x24, 0x58, 0x24, 0xbe, 0x27, 0xc1, 0x19, 0x43, 0x1f, 0x41, 0x5f, 0xd3, 0x48,
+	0x55, 0xd5, 0x9e, 0xbc, 0x59, 0xf7, 0x55, 0xe3, 0xe3, 0xcc, 0xc0, 0x99, 0x32, 0xfa, 0x1c, 0xb6,
+	0xfc, 0x0a, 0x47, 0x55, 0xcd, 0xed, 0xc9, 0x3b, 0x2b, 0x8c, 0xb5, 0xe2, 0xcc, 0xc0, 0x35, 0x43,
+	0x74, 0x08, 0x36, 0x2f, 0x77, 0x9c, 0x5a, 0x3c, 0xf6, 0x64, 0xb7, 0x13, 0xa7, 0xb2, 0x0b, 0x67,
+	0x06, 0xae, 0x9a, 0xa1, 0x23, 0xd8, 0xe6, 0xd5, 0x4d, 0xa3, 0xa6, 0xd8, 0x9e, 0xb8, 0xab, 0x70,
+	0xb4, 0xe6, 0xcc, 0xc0, 0x75, 0x53, 0x74, 0x02, 0xa3, 0xa4, 0xc1, 0x3e, 0xf5, 0x16, 0xb0, 0x27,
+	0xb7, 0x3a, 0xe1, 0x9a, 0x54, 0x9d, 0x19, 0xb8, 0x05, 0x80, 0x0e, 0x60, 0x9b, 0x54, 0x89, 0xa0,
+	0xde, 0x18, 0x2f, 0xab, 0xb6, 0x56, 0x91, 0x91, 0xd5, 0x6c, 0x24, 0x08, 0xaf, 0x72, 0xd4, 0x19,
+	0x74, 0x81, 0xd4, 0x68, 0xac, 0xd3, 0xab, 0xf2, 0xfa, 0x18, 0x86, 0xbc, 0xb6, 0xa3, 0x9c, 0x4d,
+	0x85, 0xf2, 0xee, 0xaa, 0x5a, 0x65, 0xaa, 0x33, 0x03, 0x37, 0x8c, 0xd1, 0x0f, 0x70, 0x8d, 0x74,
+	0x70, 0xcd, 0xb1, 0xfe, 0xbf, 0x01, 0x45, 0x9a, 0x9d, 0x08, 0x0f, 0x06, 0xb0, 0xb1, 0x90, 0x14,
+	0x75, 0x1f, 0xaa, 0x4f, 0x83, 0x43, 0xf9, 0x11, 0xf1, 0x09, 0x00, 0x29, 0x08, 0x9c, 0xcd, 0xe4,
+	0x4e, 0xdd, 0x47, 0x95, 0xdd, 0xb8, 0xa2, 0xed, 0x1e, 0xc1, 0x70, 0x4a, 0x83, 0x93, 0x65, 0x44,
+	0x8f, 0x59, 0x9a, 0x92, 0x53, 0x86, 0xee, 0xc2, 0x80, 0x16, 0x50, 0x66, 0x7b, 0xd0, 0xa4, 0x6e,
+	0x0d, 0x2e, 0x57, 0x77, 0x1f, 0xab, 0x55, 0xd8, 0xbc, 0x57, 0xe1, 0x79, 0x9e, 0x5e, 0xbb, 0x69,
+	0x86, 0xe9, 0x34, 0x4a, 0x50, 0xdc, 0xcf, 0x0c, 0x5c, 0xd1, 0x2e, 0xd3, 0x9d, 0xc1, 0x76, 0x4d,
+	0x0f, 0x7d, 0x0c, 0x03, 0x5e, 0x40, 0xca, 0x8c, 0xab, 0xab, 0xad, 0xfd, 0xa1, 0x87, 0x73, 0xed,
+	0xdb, 0x5f, 0x02, 0x6a, 0x6f, 0x3e, 0xb4, 0x09, 0xeb, 0x5f, 0xc5, 0x11, 0x1b, 0x19, 0xc8, 0x82,
+	0x8d, 0xaf, 0x9f, 0x47, 0x8c, 0x8f, 0x4c, 0xf9, 0x38, 0xf5, 0x42, 0x3f, 0x1a, 0xf5, 0x10, 0x40,
+	0xff, 0x11, 0xf7, 0x05, 0xe3, 0xa3, 0x35, 0xf9, 0x2c, 0xe9, 0xc4, 0xf8, 0x68, 0xfd, 0xc1, 0xbd,
+	0x3f, 0xcf, 0xc7, 0xe6, 0x8b, 0xf3, 0xb1, 0xf9, 0xcf, 0xf9, 0xd8, 0xfc, 0xf5, 0x62, 0x6c, 0xbc,
+	0xb8, 0x18, 0x1b, 0x7f, 0x5f, 0x8c, 0x8d, 0xc7, 0xb7, 0x5e, 0xe9, 0xdb, 0xfa, 0x49, 0x5f, 0xfd,
+	0x7c, 0xf8, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x1d, 0x52, 0x8e, 0xdb, 0x8b, 0x0b, 0x00, 0x00,
 }
 
 func (m *RawAclRecord) Marshal() (dAtA []byte, err error) {
@@ -1905,16 +1957,41 @@ func (m *AclAccountRemove) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 			dAtA[i] = 0x12
 		}
 	}
-	if len(m.Identity) > 0 {
-		i -= len(m.Identity)
-		copy(dAtA[i:], m.Identity)
-		i = encodeVarintAclrecord(dAtA, i, uint64(len(m.Identity)))
-		i--
-		dAtA[i] = 0xa
+	if len(m.Identities) > 0 {
+		for iNdEx := len(m.Identities) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.Identities[iNdEx])
+			copy(dAtA[i:], m.Identities[iNdEx])
+			i = encodeVarintAclrecord(dAtA, i, uint64(len(m.Identities[iNdEx])))
+			i--
+			dAtA[i] = 0xa
+		}
 	}
 	return len(dAtA) - i, nil
 }
 
+func (m *AclAccountRequestRemove) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AclAccountRequestRemove) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *AclAccountRequestRemove) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	return len(dAtA) - i, nil
+}
+
 func (m *AclContentValue) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -2115,6 +2192,27 @@ func (m *AclContentValue_RequestDecline) MarshalToSizedBuffer(dAtA []byte) (int,
 	}
 	return len(dAtA) - i, nil
 }
+func (m *AclContentValue_AccountRequestRemove) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *AclContentValue_AccountRequestRemove) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	if m.AccountRequestRemove != nil {
+		{
+			size, err := m.AccountRequestRemove.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintAclrecord(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x4a
+	}
+	return len(dAtA) - i, nil
+}
 func (m *AclData) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -2547,9 +2645,11 @@ func (m *AclAccountRemove) Size() (n int) {
 	}
 	var l int
 	_ = l
-	l = len(m.Identity)
-	if l > 0 {
-		n += 1 + l + sovAclrecord(uint64(l))
+	if len(m.Identities) > 0 {
+		for _, b := range m.Identities {
+			l = len(b)
+			n += 1 + l + sovAclrecord(uint64(l))
+		}
 	}
 	if len(m.AccountKeys) > 0 {
 		for _, e := range m.AccountKeys {
@@ -2560,6 +2660,15 @@ func (m *AclAccountRemove) Size() (n int) {
 	return n
 }
 
+func (m *AclAccountRequestRemove) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	return n
+}
+
 func (m *AclContentValue) Size() (n int) {
 	if m == nil {
 		return 0
@@ -2668,6 +2777,18 @@ func (m *AclContentValue_RequestDecline) Size() (n int) {
 	}
 	return n
 }
+func (m *AclContentValue_AccountRequestRemove) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.AccountRequestRemove != nil {
+		l = m.AccountRequestRemove.Size()
+		n += 1 + l + sovAclrecord(uint64(l))
+	}
+	return n
+}
 func (m *AclData) Size() (n int) {
 	if m == nil {
 		return 0
@@ -4502,7 +4623,7 @@ func (m *AclAccountRemove) Unmarshal(dAtA []byte) error {
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Identity", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Identities", wireType)
 			}
 			var byteLen int
 			for shift := uint(0); ; shift += 7 {
@@ -4529,10 +4650,8 @@ func (m *AclAccountRemove) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Identity = append(m.Identity[:0], dAtA[iNdEx:postIndex]...)
-			if m.Identity == nil {
-				m.Identity = []byte{}
-			}
+			m.Identities = append(m.Identities, make([]byte, postIndex-iNdEx))
+			copy(m.Identities[len(m.Identities)-1], dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
@@ -4589,6 +4708,56 @@ func (m *AclAccountRemove) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *AclAccountRequestRemove) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAclrecord
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AclAccountRequestRemove: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AclAccountRequestRemove: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAclrecord(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthAclrecord
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *AclContentValue) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -4898,6 +5067,41 @@ func (m *AclContentValue) Unmarshal(dAtA []byte) error {
 			}
 			m.Value = &AclContentValue_RequestDecline{v}
 			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AccountRequestRemove", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAclrecord
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthAclrecord
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthAclrecord
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &AclAccountRequestRemove{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Value = &AclContentValue_AccountRequestRemove{v}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipAclrecord(dAtA[iNdEx:])

commonspace/object/acl/aclrecordproto/protos/aclrecord.proto

@@ -90,10 +90,14 @@ message AclReadKeyChange {
 
 // AclAccountRemove removes an account and changes read key for space
 message AclAccountRemove {
-    bytes identity = 1;
+    repeated bytes identities = 1;
     repeated AclEncryptedReadKey accountKeys = 2;
 }
 
+// AclAccountRequestRemove adds a request to remove an account
+message AclAccountRequestRemove {
+}
+
 // AclContentValue contains possible values for Acl
 message AclContentValue {
     oneof value {
@@ -105,6 +109,7 @@ message AclContentValue {
         AclAccountRemove accountRemove = 6;
         AclReadKeyChange readKeyChange = 7;
         AclAccountRequestDecline requestDecline = 8;
+        AclAccountRequestRemove accountRequestRemove = 9;
     }
 }
 

commonspace/object/acl/list/aclrecordbuilder.go

@@ -34,8 +34,8 @@ type PermissionChangePayload struct {
 }
 
 type AccountRemovePayload struct {
-	Identity crypto.PubKey
-	ReadKey  crypto.SymKey
+	Identities []crypto.PubKey
+	ReadKey    crypto.SymKey
 }
 
 type InviteResult struct {
@@ -53,6 +53,7 @@ type AclRecordBuilder interface {
 	BuildRequestJoin(payload RequestJoinPayload) (rawRecord *aclrecordproto.RawAclRecord, err error)
 	BuildRequestAccept(payload RequestAcceptPayload) (rawRecord *aclrecordproto.RawAclRecord, err error)
 	BuildRequestDecline(requestRecordId string) (rawRecord *aclrecordproto.RawAclRecord, err error)
+	BuildRequestRemove() (rawRecord *aclrecordproto.RawAclRecord, err error)
 	BuildPermissionChange(payload PermissionChangePayload) (rawRecord *aclrecordproto.RawAclRecord, err error)
 	BuildReadKeyChange(newKey crypto.SymKey) (rawRecord *aclrecordproto.RawAclRecord, err error)
 	BuildAccountRemove(payload AccountRemovePayload) (rawRecord *aclrecordproto.RawAclRecord, err error)
@@ -230,12 +231,13 @@ func (a *aclRecordBuilder) BuildRequestDecline(requestRecordId string) (rawRecor
 }
 
 func (a *aclRecordBuilder) BuildPermissionChange(payload PermissionChangePayload) (rawRecord *aclrecordproto.RawAclRecord, err error) {
-	if !a.state.Permissions(a.state.pubKey).CanManageAccounts() {
+	permissions := a.state.Permissions(a.state.pubKey)
+	if !permissions.CanManageAccounts() || payload.Identity.Equals(a.state.pubKey) {
 		err = ErrInsufficientPermissions
 		return
 	}
-	if payload.Identity.Equals(a.state.pubKey) || payload.Permissions.IsOwner() {
-		err = ErrIncorrectPermissions
+	if payload.Permissions.IsOwner() {
+		err = ErrIsOwner
 		return
 	}
 	protoIdentity, err := payload.Identity.Marshall()
@@ -284,13 +286,19 @@ func (a *aclRecordBuilder) BuildReadKeyChange(newKey crypto.SymKey) (rawRecord *
 }
 
 func (a *aclRecordBuilder) BuildAccountRemove(payload AccountRemovePayload) (rawRecord *aclrecordproto.RawAclRecord, err error) {
-	permissions := a.state.Permissions(payload.Identity)
-	if !a.state.Permissions(a.state.pubKey).CanManageAccounts() || permissions.IsOwner() {
-		err = ErrInsufficientPermissions
-		return
+	deletedMap := map[string]struct{}{}
+	for _, key := range payload.Identities {
+		permissions := a.state.Permissions(key)
+		if permissions.IsOwner() {
+			return nil, ErrInsufficientPermissions
+		}
+		if permissions.NoPermissions() {
+			return nil, ErrNoSuchAccount
+		}
+		deletedMap[mapKeyFromPubKey(key)] = struct{}{}
 	}
-	if permissions.NoPermissions() {
-		err = ErrNoSuchAccount
+	if !a.state.Permissions(a.state.pubKey).CanManageAccounts() {
+		err = ErrInsufficientPermissions
 		return
 	}
 	rawKey, err := payload.ReadKey.Raw()
@@ -303,7 +311,7 @@ func (a *aclRecordBuilder) BuildAccountRemove(payload AccountRemovePayload) (raw
 	}
 	var aclReadKeys []*aclrecordproto.AclEncryptedReadKey
 	for _, st := range a.state.userStates {
-		if st.PubKey.Equals(payload.Identity) {
+		if _, exists := deletedMap[mapKeyFromPubKey(st.PubKey)]; exists {
 			continue
 		}
 		protoIdentity, err := st.PubKey.Marshall()
@@ -319,12 +327,31 @@ func (a *aclRecordBuilder) BuildAccountRemove(payload AccountRemovePayload) (raw
 			EncryptedReadKey: enc,
 		})
 	}
-	protoIdentity, err := payload.Identity.Marshall()
-	if err != nil {
+	var marshalledIdentities [][]byte
+	for _, key := range payload.Identities {
+		protoIdentity, err := key.Marshall()
+		if err != nil {
+			return nil, err
+		}
+		marshalledIdentities = append(marshalledIdentities, protoIdentity)
+	}
+	removeRec := &aclrecordproto.AclAccountRemove{AccountKeys: aclReadKeys, Identities: marshalledIdentities}
+	content := &aclrecordproto.AclContentValue{Value: &aclrecordproto.AclContentValue_AccountRemove{AccountRemove: removeRec}}
+	return a.buildRecord(content)
+}
+
+func (a *aclRecordBuilder) BuildRequestRemove() (rawRecord *aclrecordproto.RawAclRecord, err error) {
+	permissions := a.state.Permissions(a.state.pubKey)
+	if permissions.NoPermissions() {
+		err = ErrNoSuchAccount
 		return
 	}
-	removeRec := &aclrecordproto.AclAccountRemove{AccountKeys: aclReadKeys, Identity: protoIdentity}
-	content := &aclrecordproto.AclContentValue{Value: &aclrecordproto.AclContentValue_AccountRemove{AccountRemove: removeRec}}
+	if permissions.IsOwner() {
+		err = ErrIsOwner
+		return
+	}
+	removeRec := &aclrecordproto.AclAccountRequestRemove{}
+	content := &aclrecordproto.AclContentValue{Value: &aclrecordproto.AclContentValue_AccountRequestRemove{AccountRequestRemove: removeRec}}
 	return a.buildRecord(content)
 }
 

commonspace/object/acl/list/aclstate.go

@@ -14,6 +14,7 @@ var log = logger.NewNamedSugared("common.commonspace.acllist")
 
 var (
 	ErrNoSuchAccount             = errors.New("no such account")
+	ErrPendingRequest            = errors.New("already exists pending request")
 	ErrUnexpectedContentType     = errors.New("unexpected content type")
 	ErrIncorrectIdentity         = errors.New("incorrect identity")
 	ErrIncorrectInviteKey        = errors.New("incorrect invite key")
@@ -22,7 +23,7 @@ var (
 	ErrNoSuchRequest             = errors.New("no such request")
 	ErrNoSuchInvite              = errors.New("no such invite")
 	ErrInsufficientPermissions   = errors.New("insufficient permissions")
-	ErrIncorrectPermissions      = errors.New("incorrect permissions")
+	ErrIsOwner                   = errors.New("can't be made by owner")
 	ErrIncorrectNumberOfAccounts = errors.New("incorrect number of accounts")
 	ErrNoReadKey                 = errors.New("acl state doesn't have a read key")
 	ErrIncorrectReadKey          = errors.New("incorrect read key")
@@ -39,15 +40,24 @@ type UserPermissionPair struct {
 type AclState struct {
 	id               string
 	currentReadKeyId string
-	userReadKeys     map[string]crypto.SymKey
-	userStates       map[string]AclUserState
-	statesAtRecord   map[string][]AclUserState
-	inviteKeys       map[string]crypto.PubKey
-	requestRecords   map[string]RequestRecord
-	key              crypto.PrivKey
-	pubKey           crypto.PubKey
-	keyStore         crypto.KeyStorage
-	totalReadKeys    int
+	// userReadKeys is a map recordId -> read key which tells us about every read key
+	userReadKeys map[string]crypto.SymKey
+	// userStates is a map pubKey -> state which defines current user state
+	userStates map[string]AclUserState
+	// statesAtRecord is a map recordId -> state which define user state at particular record
+	//  probably this can grow rather large at some point, so we can maybe optimise later to have:
+	//  - map pubKey -> []recordIds (where recordIds is an array where such identity permissions were changed)
+	statesAtRecord map[string][]AclUserState
+	// inviteKeys is a map recordId -> invite
+	inviteKeys map[string]crypto.PubKey
+	// requestRecords is a map recordId -> RequestRecord
+	requestRecords map[string]RequestRecord
+	// pendingRequests is a map pubKey -> RequestType
+	pendingRequests map[string]RequestType
+	key             crypto.PrivKey
+	pubKey          crypto.PubKey
+	keyStore        crypto.KeyStorage
+	totalReadKeys   int
 
 	lastRecordId     string
 	contentValidator ContentValidator
@@ -57,15 +67,16 @@ func newAclStateWithKeys(
 	id string,
 	key crypto.PrivKey) (*AclState, error) {
 	st := &AclState{
-		id:             id,
-		key:            key,
-		pubKey:         key.GetPublic(),
-		userReadKeys:   make(map[string]crypto.SymKey),
-		userStates:     make(map[string]AclUserState),
-		statesAtRecord: make(map[string][]AclUserState),
-		inviteKeys:     make(map[string]crypto.PubKey),
-		requestRecords: make(map[string]RequestRecord),
-		keyStore:       crypto.NewKeyStorage(),
+		id:              id,
+		key:             key,
+		pubKey:          key.GetPublic(),
+		userReadKeys:    make(map[string]crypto.SymKey),
+		userStates:      make(map[string]AclUserState),
+		statesAtRecord:  make(map[string][]AclUserState),
+		inviteKeys:      make(map[string]crypto.PubKey),
+		requestRecords:  make(map[string]RequestRecord),
+		pendingRequests: make(map[string]RequestType),
+		keyStore:        crypto.NewKeyStorage(),
 	}
 	st.contentValidator = &contentValidator{
 		keyStore: st.keyStore,
@@ -76,13 +87,14 @@ func newAclStateWithKeys(
 
 func newAclState(id string) *AclState {
 	st := &AclState{
-		id:             id,
-		userReadKeys:   make(map[string]crypto.SymKey),
-		userStates:     make(map[string]AclUserState),
-		statesAtRecord: make(map[string][]AclUserState),
-		inviteKeys:     make(map[string]crypto.PubKey),
-		requestRecords: make(map[string]RequestRecord),
-		keyStore:       crypto.NewKeyStorage(),
+		id:              id,
+		userReadKeys:    make(map[string]crypto.SymKey),
+		userStates:      make(map[string]AclUserState),
+		statesAtRecord:  make(map[string][]AclUserState),
+		inviteKeys:      make(map[string]crypto.PubKey),
+		requestRecords:  make(map[string]RequestRecord),
+		pendingRequests: make(map[string]RequestType),
+		keyStore:        crypto.NewKeyStorage(),
 	}
 	st.contentValidator = &contentValidator{
 		keyStore: st.keyStore,
@@ -239,6 +251,8 @@ func (st *AclState) applyChangeContent(ch *aclrecordproto.AclContentValue, recor
 		return st.applyAccountRemove(ch.GetAccountRemove(), recordId, authorIdentity)
 	case ch.GetReadKeyChange() != nil:
 		return st.applyReadKeyChange(ch.GetReadKeyChange(), recordId, authorIdentity)
+	case ch.GetAccountRequestRemove() != nil:
+		return st.applyRequestRemove(ch.GetAccountRequestRemove(), recordId, authorIdentity)
 	default:
 		return ErrUnexpectedContentType
 	}
@@ -287,6 +301,7 @@ func (st *AclState) applyRequestJoin(ch *aclrecordproto.AclAccountRequestJoin, r
 	if err != nil {
 		return err
 	}
+	st.pendingRequests[mapKeyFromPubKey(authorIdentity)] = RequestTypeJoin
 	st.requestRecords[recordId] = RequestRecord{
 		RequestIdentity: authorIdentity,
 		RequestMetadata: ch.Metadata,
@@ -309,6 +324,7 @@ func (st *AclState) applyRequestAccept(ch *aclrecordproto.AclAccountRequestAccep
 		Permissions:     AclPermissions(ch.Permissions),
 		RequestMetadata: record.RequestMetadata,
 	}
+	delete(st.pendingRequests, mapKeyFromPubKey(st.requestRecords[ch.RequestRecordId].RequestIdentity))
 	if !st.pubKey.Equals(acceptIdentity) {
 		return nil
 	}
@@ -331,15 +347,34 @@ func (st *AclState) applyRequestDecline(ch *aclrecordproto.AclAccountRequestDecl
 	if err != nil {
 		return err
 	}
+	delete(st.pendingRequests, mapKeyFromPubKey(st.requestRecords[ch.RequestRecordId].RequestIdentity))
 	delete(st.requestRecords, ch.RequestRecordId)
 	return nil
 }
 
-func (st *AclState) applyAccountRemove(ch *aclrecordproto.AclAccountRemove, recordId string, authorIdentity crypto.PubKey) error {
-	err := st.contentValidator.ValidateRemove(ch, authorIdentity)
+func (st *AclState) applyRequestRemove(ch *aclrecordproto.AclAccountRequestRemove, recordId string, authorIdentity crypto.PubKey) error {
+	err := st.contentValidator.ValidateRequestRemove(ch, authorIdentity)
 	if err != nil {
 		return err
 	}
+	st.pendingRequests[mapKeyFromPubKey(authorIdentity)] = RequestTypeRemove
+	return nil
+}
+
+func (st *AclState) applyAccountRemove(ch *aclrecordproto.AclAccountRemove, recordId string, authorIdentity crypto.PubKey) error {
+	err := st.contentValidator.ValidateAccountRemove(ch, authorIdentity)
+	if err != nil {
+		return err
+	}
+	for _, rawIdentity := range ch.Identities {
+		identity, err := st.keyStore.PubKeyFromProto(rawIdentity)
+		if err != nil {
+			return err
+		}
+		idKey := mapKeyFromPubKey(identity)
+		delete(st.userStates, idKey)
+		delete(st.pendingRequests, idKey)
+	}
 	return st.updateReadKey(ch.AccountKeys, recordId)
 }
 

commonspace/object/acl/list/list.go

@@ -23,6 +23,17 @@ type RWLocker interface {
 	RUnlock()
 }
 
+type AcceptorVerifier interface {
+	VerifyAcceptor(rec *aclrecordproto.RawAclRecord) (err error)
+}
+
+type NoOpAcceptorVerifier struct {
+}
+
+func (n NoOpAcceptorVerifier) VerifyAcceptor(rec *aclrecordproto.RawAclRecord) (err error) {
+	return nil
+}
+
 type AclList interface {
 	RWLocker
 	Id() string
@@ -32,6 +43,7 @@ type AclList interface {
 	IsAfter(first string, second string) (bool, error)
 	Head() *AclRecord
 	Get(id string) (*AclRecord, error)
+	GetIndex(idx int) (*AclRecord, error)
 	Iterate(iterFunc IterFunc)
 	IterateFrom(startId string, iterFunc IterFunc)
 
@@ -59,18 +71,43 @@ type aclList struct {
 	sync.RWMutex
 }
 
-func BuildAclListWithIdentity(acc *accountdata.AccountKeys, storage liststorage.ListStorage) (AclList, error) {
-	builder := newAclStateBuilderWithIdentity(acc)
-	keyStorage := crypto.NewKeyStorage()
-	return build(storage.Id(), keyStorage, builder, NewAclRecordBuilder(storage.Id(), keyStorage, acc), storage)
+type internalDeps struct {
+	storage          liststorage.ListStorage
+	keyStorage       crypto.KeyStorage
+	stateBuilder     *aclStateBuilder
+	recordBuilder    AclRecordBuilder
+	acceptorVerifier AcceptorVerifier
 }
 
-func BuildAclList(storage liststorage.ListStorage) (AclList, error) {
+func BuildAclListWithIdentity(acc *accountdata.AccountKeys, storage liststorage.ListStorage, verifier AcceptorVerifier) (AclList, error) {
 	keyStorage := crypto.NewKeyStorage()
-	return build(storage.Id(), keyStorage, newAclStateBuilder(), NewAclRecordBuilder(storage.Id(), crypto.NewKeyStorage(), nil), storage)
+	deps := internalDeps{
+		storage:       storage,
+		keyStorage:    keyStorage,
+		stateBuilder:  newAclStateBuilderWithIdentity(acc),
+		recordBuilder: NewAclRecordBuilder(storage.Id(), keyStorage, acc),
+	}
+	return build(deps)
 }
 
-func build(id string, keyStorage crypto.KeyStorage, stateBuilder *aclStateBuilder, recBuilder AclRecordBuilder, storage liststorage.ListStorage) (list AclList, err error) {
+func BuildAclList(storage liststorage.ListStorage, verifier AcceptorVerifier) (AclList, error) {
+	keyStorage := crypto.NewKeyStorage()
+	deps := internalDeps{
+		storage:       storage,
+		keyStorage:    keyStorage,
+		stateBuilder:  newAclStateBuilder(),
+		recordBuilder: NewAclRecordBuilder(storage.Id(), keyStorage, nil),
+	}
+	return build(deps)
+}
+
+func build(deps internalDeps) (list AclList, err error) {
+	var (
+		storage      = deps.storage
+		id           = deps.storage.Id()
+		recBuilder   = deps.recordBuilder
+		stateBuilder = deps.stateBuilder
+	)
 	head, err := storage.Head()
 	if err != nil {
 		return
@@ -215,11 +252,19 @@ func (a *aclList) Head() *AclRecord {
 func (a *aclList) Get(id string) (*AclRecord, error) {
 	recIdx, ok := a.indexes[id]
 	if !ok {
-		return nil, fmt.Errorf("no such record")
+		return nil, ErrNoSuchRecord
 	}
 	return a.records[recIdx], nil
 }
 
+func (a *aclList) GetIndex(idx int) (*AclRecord, error) {
+	// TODO: when we add snapshots we will have to monitor record num in snapshots
+	if idx < 0 || idx >= len(a.records) {
+		return nil, ErrNoSuchRecord
+	}
+	return a.records[idx], nil
+}
+
 func (a *aclList) Iterate(iterFunc IterFunc) {
 	for _, rec := range a.records {
 		if !iterFunc(rec) {

commonspace/object/acl/list/listutils.go

@@ -27,5 +27,5 @@ func NewTestDerivedAcl(spaceId string, keys *accountdata.AccountKeys) (AclList,
 	if err != nil {
 		return nil, err
 	}
-	return BuildAclListWithIdentity(keys, st)
+	return BuildAclListWithIdentity(keys, st, NoOpAcceptorVerifier{})
 }

commonspace/object/acl/list/models.go

@@ -26,6 +26,13 @@ type AclUserState struct {
 	RequestMetadata []byte
 }
 
+type RequestType int
+
+const (
+	RequestTypeRemove RequestType = iota
+	RequestTypeJoin
+)
+
 type AclPermissions aclrecordproto.AclUserPermissions
 
 func (p AclPermissions) NoPermissions() bool {

commonspace/object/acl/list/validator.go

@@ -13,7 +13,8 @@ type ContentValidator interface {
 	ValidateRequestJoin(ch *aclrecordproto.AclAccountRequestJoin, authorIdentity crypto.PubKey) (err error)
 	ValidateRequestAccept(ch *aclrecordproto.AclAccountRequestAccept, authorIdentity crypto.PubKey) (err error)
 	ValidateRequestDecline(ch *aclrecordproto.AclAccountRequestDecline, authorIdentity crypto.PubKey) (err error)
-	ValidateRemove(ch *aclrecordproto.AclAccountRemove, authorIdentity crypto.PubKey) (err error)
+	ValidateAccountRemove(ch *aclrecordproto.AclAccountRemove, authorIdentity crypto.PubKey) (err error)
+	ValidateRequestRemove(ch *aclrecordproto.AclAccountRequestRemove, authorIdentity crypto.PubKey) (err error)
 	ValidateReadKeyChange(ch *aclrecordproto.AclReadKeyChange, authorIdentity crypto.PubKey) (err error)
 }
 
@@ -51,7 +52,9 @@ func (c *contentValidator) validateAclRecordContent(ch *aclrecordproto.AclConten
 	case ch.GetRequestDecline() != nil:
 		return c.ValidateRequestDecline(ch.GetRequestDecline(), authorIdentity)
 	case ch.GetAccountRemove() != nil:
-		return c.ValidateRemove(ch.GetAccountRemove(), authorIdentity)
+		return c.ValidateAccountRemove(ch.GetAccountRemove(), authorIdentity)
+	case ch.GetAccountRequestRemove() != nil:
+		return c.ValidateRequestRemove(ch.GetAccountRequestRemove(), authorIdentity)
 	case ch.GetReadKeyChange() != nil:
 		return c.ValidateReadKeyChange(ch.GetReadKeyChange(), authorIdentity)
 	default:
@@ -102,6 +105,9 @@ func (c *contentValidator) ValidateRequestJoin(ch *aclrecordproto.AclAccountRequ
 	if err != nil {
 		return
 	}
+	if _, exists := c.aclState.pendingRequests[mapKeyFromPubKey(inviteIdentity)]; exists {
+		return ErrPendingRequest
+	}
 	if !authorIdentity.Equals(inviteIdentity) {
 		return ErrIncorrectIdentity
 	}
@@ -151,21 +157,36 @@ func (c *contentValidator) ValidateRequestDecline(ch *aclrecordproto.AclAccountR
 	return
 }
 
-func (c *contentValidator) ValidateRemove(ch *aclrecordproto.AclAccountRemove, authorIdentity crypto.PubKey) (err error) {
+func (c *contentValidator) ValidateAccountRemove(ch *aclrecordproto.AclAccountRemove, authorIdentity crypto.PubKey) (err error) {
 	if !c.aclState.Permissions(authorIdentity).CanManageAccounts() {
 		return ErrInsufficientPermissions
 	}
-	identity, err := c.keyStore.PubKeyFromProto(ch.Identity)
-	if err != nil {
-		return
-	}
-	_, exists := c.aclState.userStates[mapKeyFromPubKey(identity)]
-	if !exists {
-		return ErrNoSuchAccount
+	for _, rawIdentity := range ch.Identities {
+		identity, err := c.keyStore.PubKeyFromProto(rawIdentity)
+		if err != nil {
+			return err
+		}
+		permissions := c.aclState.Permissions(identity)
+		if permissions.NoPermissions() {
+			return ErrNoSuchAccount
+		}
+		if permissions.IsOwner() {
+			return ErrInsufficientPermissions
+		}
 	}
 	return c.validateAccountReadKeys(ch.AccountKeys)
 }
 
+func (c *contentValidator) ValidateRequestRemove(ch *aclrecordproto.AclAccountRequestRemove, authorIdentity crypto.PubKey) (err error) {
+	if c.aclState.Permissions(authorIdentity).NoPermissions() {
+		return ErrInsufficientPermissions
+	}
+	if _, exists := c.aclState.pendingRequests[mapKeyFromPubKey(authorIdentity)]; exists {
+		return ErrPendingRequest
+	}
+	return
+}
+
 func (c *contentValidator) ValidateReadKeyChange(ch *aclrecordproto.AclReadKeyChange, authorIdentity crypto.PubKey) (err error) {
 	return c.validateAccountReadKeys(ch.AccountKeys)
 }

commonspace/object/acl/syncacl/syncacl.go

@@ -2,6 +2,7 @@ package syncacl
 
 import (
 	"context"
+
 	"github.com/anyproto/any-sync/accountservice"
 	"github.com/anyproto/any-sync/app"
 	"github.com/anyproto/any-sync/commonspace/object/acl/list"
@@ -34,7 +35,7 @@ func (s *SyncAcl) Init(a *app.App) (err error) {
 		return err
 	}
 	acc := a.MustComponent(accountservice.CName).(accountservice.Service)
-	s.AclList, err = list.BuildAclListWithIdentity(acc.Account(), aclStorage)
+	s.AclList, err = list.BuildAclListWithIdentity(acc.Account(), aclStorage, list.NoOpAcceptorVerifier{})
 	return err
 }
 

commonspace/object/tree/exporter/treeimport.go

@@ -15,7 +15,7 @@ type TreeImportParams struct {
 }
 
 func ImportHistoryTree(params TreeImportParams) (tree objecttree.ReadableObjectTree, err error) {
-	aclList, err := list.BuildAclList(params.ListStorage)
+	aclList, err := list.BuildAclList(params.ListStorage, list.NoOpAcceptorVerifier{})
 	if err != nil {
 		return
 	}

commonspace/payloads.go

@@ -2,6 +2,12 @@ package commonspace
 
 import (
 	"errors"
+	"hash/fnv"
+	"math/rand"
+	"strconv"
+	"strings"
+	"time"
+
 	"github.com/anyproto/any-sync/commonspace/object/acl/aclrecordproto"
 	"github.com/anyproto/any-sync/commonspace/object/acl/list"
 	"github.com/anyproto/any-sync/commonspace/object/tree/objecttree"
@@ -11,11 +17,6 @@ import (
 	"github.com/anyproto/any-sync/util/cidutil"
 	"github.com/anyproto/any-sync/util/crypto"
 	"github.com/gogo/protobuf/proto"
-	"hash/fnv"
-	"math/rand"
-	"strconv"
-	"strings"
-	"time"
 )
 
 const (
@@ -71,7 +72,7 @@ func storagePayloadForSpaceCreate(payload SpaceCreatePayload) (storagePayload sp
 
 	// building acl root
 	keyStorage := crypto.NewKeyStorage()
-	aclBuilder := list.NewAclRecordBuilder("", keyStorage)
+	aclBuilder := list.NewAclRecordBuilder("", keyStorage, nil)
 	aclRoot, err := aclBuilder.BuildRoot(list.RootContent{
 		PrivKey:          payload.SigningKey,
 		MasterKey:        payload.MasterKey,
@@ -158,7 +159,7 @@ func storagePayloadForSpaceDerive(payload SpaceDerivePayload) (storagePayload sp
 
 	// building acl root
 	keyStorage := crypto.NewKeyStorage()
-	aclBuilder := list.NewAclRecordBuilder("", keyStorage)
+	aclBuilder := list.NewAclRecordBuilder("", keyStorage, nil)
 	aclRoot, err := aclBuilder.BuildRoot(list.RootContent{
 		PrivKey:   payload.SigningKey,
 		MasterKey: payload.MasterKey,

util/crypto/ed25519_test.go

@@ -2,8 +2,9 @@ package crypto
 
 import (
 	"crypto/rand"
-	"github.com/stretchr/testify/require"
 	"testing"
+
+	"github.com/stretchr/testify/require"
 )
 
 func Test_EncryptDecrypt(t *testing.T) {

util/strkey/strkey_test.go

@@ -1,9 +1,10 @@
 package strkey
 
 import (
+	"testing"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"testing"
 )
 
 func TestDecode(t *testing.T) {