Managing group procedure

Hello there,

After a few days of struggling I need to ask the community. I'm willing to share the final code after tweaking, to give back to the community.

As a PoC I'm making progress via SH, where I can:
get the JWT (BTW I didn't get the refresh-token functionality, as it only works once for a few minutes - but that's for another topic I would say).

Create a group where initially only the admin (manager) is present - the need to create it via the API is in fact to have the private key for future encryptions & updates.

Here comes the tricky part - the group is created, but even though there are no relations to passwords (resources) yet, it claims it's already needed.

So there is a successfully created group with me as the owner. Updating the group while passing groups-users (me + new user) & secrets for me + new user → API response:

"message":"Could not validate group data."
"body":{"groups_users":[{"group_id":{"group_user_unique":"The user is already member of this group."

That's surprising, because from what I've got, each group-update payload needs to consist of all users - while there is no appropriate API call to update/add/delete a user from the group, which would make this much easier.

Next, according to the above message, I tried to keep only the new user in the payload, resulting in:

"message":"Could not validate group data."
"body":{"groups_users":[{"secrets":[{"resource_id":{"_required":"The resource identifier is required."

The goal is actually really simple: to run an ad hoc call from another system holding groups & users (including ids, priv & pub keys). So each time there is a change we run a script to sync PassBolt.

Could you please point me in the right direction to better understand this API logic, as there's not much in the official docs?

What is the procedure to update a group? Especially, I'm worried about the need to re-encrypt each resource (password) each time there is a change in the group.
E.g. having combinations like 10 groups with 10 users, where each group has 100 resources, is actually a real pain to re-encrypt every time. I do understand the security concerns, but is it really like that?

Please let me know.

Thanks

Zbynek

EDIT:

Finally I made progress, so actually it's possible to PUT a group update for the NEW user while sending the re-encrypted secrets for such a group.

There is another problem the API can't handle automatically, which is:
Scenario: There is a Group A with existing resources within Folder F already assigned to User U.
But when there is an overlap, with Folder F shared with Group A & Group B, then it's refusing to add User U to such Group B with the message

"body":{"groups_users":[{"secrets":[{"resource_id":{"only_missing":"The user already has a secret for the resource."

Via the GUI it's possible without any issues - it performs decrypt/encrypt & it's done.

It seems the API is not common with the GUI at all… Then what's the purpose of building an API?
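The two validation errors described in the post (`group_user_unique` when an existing member is resent in `groups_users`, and `only_missing` when a secret is sent for a resource the user can already read, e.g. through a folder shared with another group) can both be avoided when the sync script assembles the PUT body. The following is an added example, not the poster's script and not Passbolt's own code: the field names `user_id`, `is_admin` and `data`, and the shape of the body, are assumed from the Passbolt group-update API, the identifiers are constructed placeholders, and the OpenPGP re-encryption for the new member is left to a caller-supplied function.

```python
"""Assemble a group-update body that adds new members without tripping the
`group_user_unique` and `only_missing` validation rules seen in the thread.
Added example (not Passbolt code); field names beyond groups_users/secrets/
resource_id are assumed from the Passbolt API."""
from typing import Callable, Dict, List, Set


def build_group_update(
    current_members: Set[str],             # user_ids already in the group
    new_members: Dict[str, bool],          # user_id -> is_admin for users to add
    group_secrets: Dict[str, str],         # resource_id -> cleartext (decrypted with the admin's key)
    existing_access: Dict[str, Set[str]],  # user_id -> resource_ids the user already has a secret for
    encrypt_for: Callable[[str, str], str],  # (user_id, cleartext) -> armored ciphertext for that user
) -> dict:
    groups_users: List[dict] = []
    secrets: List[dict] = []
    for user_id, is_admin in new_members.items():
        if user_id in current_members:
            # Resending an existing member is what produces "group_user_unique".
            continue
        groups_users.append({"user_id": user_id, "is_admin": is_admin})
        already_readable = existing_access.get(user_id, set())
        for resource_id, cleartext in group_secrets.items():
            if resource_id in already_readable:
                # A secret for a resource the user can already read (e.g. via a
                # folder shared with another group) produces "only_missing".
                continue
            secrets.append({
                "resource_id": resource_id,
                "user_id": user_id,
                "data": encrypt_for(user_id, cleartext),  # OpenPGP in a real script
            })
    return {"groups_users": groups_users, "secrets": secrets}


if __name__ == "__main__":
    import json
    # Constructed sample: the admin is already a member, u-new can already read
    # r-2 through another share, u-other has no access yet.
    body = build_group_update(
        current_members={"u-admin"},
        new_members={"u-admin": True, "u-new": False, "u-other": False},
        group_secrets={"r-1": "pw1", "r-2": "pw2"},
        existing_access={"u-new": {"r-2"}},
        encrypt_for=lambda uid, clear: f"enc[{uid}]:{clear}",  # stand-in for PGP
    )
    print(json.dumps(body, indent=2))
```

The body is what the script would PUT to the group's update endpoint; only the admin's own key is needed for decryption, and only the new members' public keys for the re-encryption.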