Hi, I am using passbolt v3 and I just realized that when I share a password with another user in “can update” mode, he can modify it and also delete the password. This was not possible before with other versions of passbolt, was it?
Can read > read only
Can update > modify only, not delete???
This is the same behavior since version 1. The rationale is that someone who can modify the resource can already make it unavailable, for example by putting " " in all the fields. In terms of security impacts both update and delete are the same, but I get your point in terms of end user expectations.
We’ll see if we can revisit this with the ACL feature (which will allow more fine-grained control / creation of custom roles).
By the way, I just installed an old Passbolt CE package on Debian with the oldest package available (2.13.5-1) to check again, and I was able to delete a password as a user with the “can update” rights, so it is not a change or regression with v3.
There are more differences between “can update” and “is owner” and, in my opinion, some of them do not make sense.
For example: You can only edit tags if you have the “is owner” permissions, but not with the “can update” permission.
I would really appreciate it if this could be discussed and fixed, if other Passbolt administrators agree. What I would also love to see is a more granular permission system.