How can I delete a permission using the API?

antonio.rodriguez · January 29, 2020, 5:58pm

Good afternoon,

I have been trying for quite some time to remove permission for a password from my user via the API.
The ultimate goal would be to generate a password, share it with a group, and then remove the user from the API to prevent the password from being viewed by users other than the group.

Everything works except removing the user’s permission (in this case passbolt.api)

I have tried to do this using "DELETE /permissions/<permissionId>.json?api-version=v2 " but it is possible that I am not passing correctly the permissionId needed for this.

Could someone give me a hand?

Thanks in advance for your help !

Best Regards

garrett · February 4, 2020, 3:31am

Hi @antonio.rodriguez, I’ve been looking through the code and I could be wrong but it does not appear that deleting a permission is actually a function, even though the api guide mentions it.

It seems there is only GET: https://github.com/passbolt/passbolt_api/tree/master/src/Controller/Permissions

antonio.rodriguez · February 4, 2020, 6:52am

Hi @garrett ,

Thanks for your response.

Reviewing the Nginx records, I see that to do the “Permission Removal”, the extension, does the following:

GET to get the permissions for the resource.
POST to simulate the modification of the resource.
POST to perform the modification of the resource.

I tried to replicate the same thing through the API without success.

Can you think of any way?

Thank you very much.

Best Regards.

garrett · February 4, 2020, 11:27am

That sounds right, but like you are saying it is performing the operation on a resource versus on a permission.

What you initially described took me a moment to understand because it would be a resource that is owned by nobody but shared with a group, if I understand correctly.

Maybe @remy can shed some light on whether what you ask is possible or if it will corrupt the database if you were to manually delete the permission that is for ownership, but leave permissions for a resource that are for reading. And whether this is an opportunity for us to contribute code or if the API specs need to change.

remy · February 4, 2020, 12:10pm

Hello,

Yes the way to proceed when removing a permission is to push the updated permissions using the share endpoint. It is not possible to just drop a permission on a resource at the moment. We are open to adding a DELETE /permissions/uuid.json to the api if more people are interested.

The constraints for the permissions at the moment are as follow:

All the users must be active (and obviously exists)
There must be at least one owner
All the secrets must be made available (either because they were already available, or because they are pushed with the request).

@antonio.rodriguez if you post more information about the POST simulation and response we can help you sort it out.

garrett · February 4, 2020, 12:58pm

@remy he was being guided by https://help.passbolt.com/api/permissions/delete which I think is the source of confusion if there isn’t the functionality.

remy · February 4, 2020, 1:25pm

hmm, yeah that endpoint does not exist, i’ll remove the documentation

antonio.rodriguez · February 7, 2020, 10:44am

Hi, Remy and Garrett,

Thank you for your response.

I see quite interesting the implementation of DELETE PERMISSION since in view of a quite a lot of passwords update through API (let’s imagine that a member of the project leaves the project but doesn’t unsubscribe in the platform), it could facilitate quite a lot the work.

Greetings.