Q1. What is the problem that you are trying to solve?
In Passbolt 5.9.0 (CE, self-hosted), the “Email content visibility” toggles under Administration → Email Notifications (Username, URI, Description, Encrypted secret, Comment content) appear to have no visible effect on share/edit notification emails when resources use the new v5 encrypted metadata format.
Even with all toggles enabled and saved through the admin UI, share notification emails for v5 resources only contain a generic line (“X shared a resource with you”) with no name, username, URI or description.
After investigating the email templates inside the container, the cause becomes clear:
- v4 legacy template (/usr/share/php/passbolt/templates/email/html/LU/resource_share.php) reads $showUsername, $showUri, $showDescription and $showSecret and renders the corresponding fields.
- v5 template (/usr/share/php/passbolt/plugins/PassboltCe/Metadata/templates/email/html/LU/resource_share_v5.php) only reads $showSecret. The variables for username, URI and description are not present.
This is technically correct behavior (the server cannot decrypt v5 metadata, so it cannot include it in emails — this is exactly what zero-knowledge architecture promises). However, this is not communicated anywhere in the admin UI, leading admins to believe the toggles are broken.
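For anyone who wants to confirm the above on their own instance before touching any toggles, here is a small shell check (an added example, not Passbolt code) that lists which of the four visibility variables a given email template actually references and which it lacks. The two template files it creates are constructed stand-ins with the same variable usage described above; on a real install, point the functions at the two paths listed earlier.

```shell
#!/bin/sh
# Added example, not part of Passbolt: audit which "Email content visibility"
# toggle variables an email template references. A template that never reads
# $showUsername / $showUri / $showDescription cannot honour those toggles,
# whatever the admin UI says.
set -eu

# The four template variables behind the admin toggles (names as used in the
# Passbolt v4 resource_share.php template).
TOGGLE_VARS='$showUsername $showUri $showDescription $showSecret'

# Print the distinct $show* variables a template file references, sorted.
show_vars() {
  grep -o '\$show[A-Za-z]*' "$1" | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print the toggle variables a template file does NOT reference (i.e. the
# toggles that can have no effect on emails rendered from it).
missing_vars() {
  out=''
  for v in $TOGGLE_VARS; do
    grep -qF -- "$v" "$1" || out="$out${out:+ }$v"
  done
  printf '%s\n' "$out"
}

# Constructed stand-ins mirroring the variable usage of the real templates.
work=$(mktemp -d)
v4="$work/resource_share.php"
v5="$work/resource_share_v5.php"

cat > "$v4" <<'EOF'
<?php
// constructed stand-in for the v4 template: honours all four toggles
if ($showUsername) { echo $username; }
if ($showUri) { echo $uri; }
if ($showDescription) { echo $description; }
if ($showSecret) { echo $secret; }
EOF

cat > "$v5" <<'EOF'
<?php
// constructed stand-in for the v5 template: only the secret toggle exists
if ($showSecret) { echo $secret; }
EOF

printf 'v4 references: %s\n' "$(show_vars "$v4")"
printf 'v4 missing:    %s\n' "$(missing_vars "$v4")"
printf 'v5 references: %s\n' "$(show_vars "$v5")"
printf 'v5 missing:    %s\n' "$(missing_vars "$v5")"

# On a real container, run e.g.:
#   missing_vars /usr/share/php/passbolt/plugins/PassboltCe/Metadata/templates/email/html/LU/resource_share_v5.php
```

Run it inside the container (or against a copy of the templates) and compare the "missing" lines: for the v5 share template the username, URI and description variables show up as missing, which is the whole reason the toggles look broken.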
The problem would be considered solved when an administrator logging into a v5 instance for the first time can immediately understand, from the UI alone, why the visibility toggles do not affect their v5 resource emails — without having to read the email template source code inside the container.
Q2. Who is impacted?
Every Passbolt administrator using a self-hosted or Cloud instance with encrypted metadata enabled as the default content type (which is the default for new instances since 5.5).
This affects:
- New admins onboarding to Passbolt 5.5+
- Admins migrating from v4 to v5 who expect the existing toggles to keep working
- Anyone responding to internal questions like “why do our notification emails look empty?”
Given that 5.5+ enables encrypted metadata by default and v5 is the recommended path forward, this potentially impacts the majority of new Passbolt deployments.
Q3. Why is it important and/or urgent?
It is not urgent in terms of security or functionality — everything works as designed. However, it is important for the following reasons:
- Reduces support load: Admins currently spend hours investigating “why the toggles don’t work”, which often ends up on the community forum or as direct questions to the Passbolt team.
- Prevents bad decisions: Without context, frustrated admins may switch the default back to “Legacy cleartext metadata” just to get emails working — silently degrading the security posture of their organization, which is exactly what v5 was designed to prevent.
- Reinforces the v5 narrative: A clear UI message explaining that “the server cannot read this data because it is end-to-end encrypted” actually strengthens the perceived value of v5 — it turns a confusing UX moment into a security selling point.
- Aligns with documentation: The encrypted metadata documentation already explains this, but the admin UI does not surface it where the decision happens.
Q4. Proposed solution
User story
As a Passbolt administrator with encrypted metadata enabled, when I navigate to the Email Notifications settings, I want to clearly see that the “Email content visibility” toggles only apply to legacy v4 resources, so that I understand why my v5 resource emails do not contain those fields.
Test scenario (given/when/then)
Scenario 1 — Encrypted metadata is enabled as default
- Given an administrator with encrypted metadata enabled as the default content type
- When they open Administration → Email Notifications
- Then an inline notice should appear above the “Email content visibility” section explaining that these toggles only apply to legacy v4 cleartext resources
Scenario 2 — Only legacy cleartext is enabled
- Given an administrator with only legacy cleartext metadata enabled
- When they open Administration → Email Notifications
- Then no warning is shown (current behavior preserved)
Suggested wording
Note: The Username, URI and Description toggles below only affect resources stored with legacy cleartext metadata (v4). Resources using encrypted metadata (v5) do not include these fields in emails by design, since the server cannot decrypt them — this is part of Passbolt’s zero-knowledge architecture. Learn more
Additional considerations
- The same notice could be added near the “Default metadata type” selector in Content types → Encrypted metadata, mentioning that switching to encrypted will reduce email content visibility.
- Optionally, the affected toggles (Username, URI, Description) could be visually dimmed or marked as “(legacy v4 only)” when encrypted metadata is the default.
Q5. Community support
Poll options: Must have / Should have / Could have / Won't have
Thanks to the Passbolt team for the great work on v5 — encrypted metadata is a fantastic security improvement. This UI clarification would make rolling it out significantly smoother for administrators.