Q1. What is the problem that you are trying to solve?
Currently, it’s possible to search passbolt entries after the session has expired. Steps:
- Allow the session to expire by doing nothing for the timeout
- Try to search the password list
Q2 - Who is impacted?
All users are impacted, as best I can tell. Note that you still must provide the GPG key password to view the password or perform edits/additions.
Q3 - Why is it important and/or urgent?
This seems like it could be a security oversight, especially given that the CLI seems to not reproduce this behavior.
Q4 - What is your proposed solution? (optional)
Force the current session to be active to search passwords.
As a user, I should re-enter my GPG key password to be able to search passwords if my session duration has expired.
Q5. Community support
I’m not allowed to create polls according to the forum, so I removed this part of the template.