Resources created via api do not inherit folder permissions

When creating a resource via the api it doesn’t inherit its parent folder permissions, I have to programmatically create encrypted secrets for each user with rights to that resource.

Is that how it’s supposed to work?
if so, do you have any plans to automate that process on the backend, like when you create a resource via the gui?

Hello @pcostello and welcome to the forum!

Yes, this is supposed to be like this. It’s a consequence of our security model that uses asymmetric keys with OpenPGP. If you want a user to have access to a resource, the resource has to be encrypted with the user’s public key. So when sharing a resources, the client needs first to access the decrypted version of the secret and then encrypt it for everybody having access to it with each users’ public key.

Also, we made a choice to put as much as possible the cryptographic operations on the browser extension side (or in other words, on the client). So actually, the GUI is doing exactly that, getting the decrypted version of the resource (by decrypting it if needed on a share) and then re-encrypting it for every users that have access to it.

As far as I know, no, there is no plan to put theses operations on the server side.

1 Like