Hi,
The GitHub story you mentioned has already been moved to this forum: As an admin, while deleting a user who is the sole owner of a password that is shared, I should be able to transfer the ownership to another user in order to be able to perform the deletion
There is no documented turn-around as of now. The SQL manipulations can be quite complicated since they would deal directly with the permissions table, and because it has to be mentioned: I wouldn’t recommend any direct SQL manipulation in the passbolt database as it can lead to undesired side effects. However, if you are really stuck, let’s try something. What we could do through SQL here is:
(BEFORE ANYTHING DON’T FORGET TO DO A BACKUP OF YOUR DATABASE).
1. Set the group as a second owner of the password.
   UPDATE permissions SET type=15 WHERE aco_foreign_key='{resource_uuid}' AND aro_foreign_key='{group_uuid}';
   type=15 means owner permission.
2. If you have identified which is the third password that is shared with another user, then you could set the other user the password is shared with as an admin, similarly to what we did above:
   UPDATE permissions SET type=15 WHERE aco_foreign_key='{resource_uuid}' AND aro_foreign_key='{user_uuid}';
If you manage to do #1 and #2, then you should be able to delete the user from the UI without being blocked.
If you are unable to do #2 for some reason, and if that third password is not important to you, then you can ignore it and delete the user directly in db.
UPDATE users SET deleted=1 WHERE id='{user_uuid}';
Let me know if that works.
Regarding your question about the admin privileges, our take is that an admin should normally not have more access rights to the passwords than the ones given to him by the other users while sharing them (It can be argued, feel free to post a separate thread on this forum if you wish to start a discussion). However, there are specific circumstances (such as during a password deletion) for which a bypass can be necessary, since it impacts the capabilities of the admin to manage the users. Hence, the compromise we are willing to make here is to give the admin extra privileges only when these specific scenarios occur so that he can do his job without being blocked by the system.
Cheers, and good luck!
Kevin
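
The ownership transfer described in the post above, as an added example that is not part of the original post and not passbolt code: each UPDATE is committed only if it changed exactly one row, and a query lists what the departing user still solely owns. It assumes an in-memory SQLite stand-in holding only the columns named in the post; the ids, the non-owner type values and the function names are constructed for illustration.

```python
import sqlite3

OWNER = 15  # the post states that type=15 means owner permission

def make_demo_db():
    """Constructed stand-in: only the tables and columns named in the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id TEXT PRIMARY KEY, deleted INTEGER DEFAULT 0);
        CREATE TABLE permissions (
            aco_foreign_key TEXT, aro_foreign_key TEXT, type INTEGER);
        INSERT INTO users (id) VALUES ('user-leaving'), ('user-other');
        -- types 1 and 7 are constructed non-owner values for this demo
        INSERT INTO permissions VALUES
            ('res-1', 'user-leaving', 15), ('res-1', 'group-a', 1),
            ('res-2', 'user-leaving', 15), ('res-2', 'user-other', 7);
    """)
    return db

def promote_to_owner(db, resource_id, aro_id):
    """Run the post's UPDATE, committing only if exactly one row changed."""
    with db:  # commits on success, rolls back when an exception is raised
        cur = db.execute(
            "UPDATE permissions SET type=? "
            "WHERE aco_foreign_key=? AND aro_foreign_key=?",
            (OWNER, resource_id, aro_id))
        if cur.rowcount != 1:
            raise ValueError(f"expected 1 permission row, got {cur.rowcount}")

def sole_owned(db, user_id):
    """Resources for which user_id is still the only owner."""
    rows = db.execute("""
        SELECT p.aco_foreign_key FROM permissions p
        WHERE p.aro_foreign_key=? AND p.type=?
          AND NOT EXISTS (SELECT 1 FROM permissions o
                          WHERE o.aco_foreign_key=p.aco_foreign_key
                            AND o.type=? AND o.aro_foreign_key<>?)
        ORDER BY p.aco_foreign_key""", (user_id, OWNER, OWNER, user_id))
    return [r[0] for r in rows]
```

An empty result from `sole_owned` is the state in which every password the user owns has a second owner; a mistyped UUID raises instead of silently updating zero rows.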