keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

KeeShare: Set import mode as read only #10884

Open taurus227 opened 3 weeks ago

taurus227 commented 3 weeks ago

Summary

Allow the user to set a Group using KeeShare Import to read-only, where all editing would be denied for entries in the group.

Context

We use Passbolt to share credentials within the company. These are credentials for internal systems, as well as external systems we support. It is very useful to keep track of who knows which credentials, which helps a lot when someone leaves the company: it will inform us which shared passwords should be changed.

Users can export all credentials that are shared with them into a kdbx file and use KeePassXC's KeeShare feature (set to Import) to import the shared credentials into a "passbolt-export" sub-Group of their personal kdbx file (which contains additional non-shared credentials).

It would be great if we could make the "passbolt-export" sub-Group read-only, so that the users don't accidentally update any shared credentials in the KeePassXC UI. Updating should only be done in Passbolt (based on user permissions), then re-exported into the kdbx file and re-imported into the "passbolt-export" sub-Group.

droidmonkey commented 3 weeks ago

Setting to import mode for KeeShare means no changes are written back to the main shared file (which can be set read-only by permission). Your setup also means the source of truth is not impacted anyway.

Either way, a read-only mode at any level is just not possible for us. We would have to undergo a massive rewrite of all GUI code and move to database transactional changes. At this time that is just not going to happen. As such we won't be able to entertain a request like this.

droidmonkey commented 3 weeks ago

Upon further reflection, I bet I can implement something like this as a KeeShare feature when using the import method. However, it would only apply within KeePassXC. Using any other KeePass application would not honor read-only.

taurus227 commented 3 weeks ago

Thank you! Yes, I would be happy with a KeeShare-specific feature. However, I realized that it's not actually a "read-only import" that I need, but more of a "one-way sync". Examples: if an entry is deleted from the imported file, it should also be removed from the group. And if it's renamed in the imported file, it should also be renamed in the group, not duplicated under both the old and new names.

droidmonkey commented 3 weeks ago

Import should do those things right now as long as the entry UUID doesn't change.
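
The one-way sync discussed in the last three comments, modelled as an added example that is not part of the thread and is not KeePassXC code: entries are matched only by UUID and the imported file always wins. `Entry`, `one_way_sync` and the sample data are hypothetical and constructed; the "source wins" rule is the behaviour requested above, assumed here for illustration.

```python
# Added illustration: a model of one-way sync keyed by entry UUID.
# Not KeePassXC code; Entry and one_way_sync are hypothetical names.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str


def one_way_sync(group, source):
    """Make `group` mirror `source`, matching entries by UUID only.

    Returns (new_group, report). The report lists the UUIDs that were
    added, updated or removed, so overwritten local edits are visible.
    """
    src = {e.uuid: e for e in source}
    old = {e.uuid: e for e in group}
    report = {
        "added": sorted(src.keys() - old.keys()),
        "removed": sorted(old.keys() - src.keys()),
        "updated": sorted(u for u in src.keys() & old.keys() if src[u] != old[u]),
    }
    return list(src.values()), report


# Constructed sample data (not real credentials). u2 was edited locally.
LOCAL = [Entry("u1", "wiki", "pw-a"),
         Entry("u2", "jira", "pw-b-edited-locally"),
         Entry("u3", "old-vpn", "pw-c")]
# Re-export with stable UUIDs: u1 renamed, u3 deleted upstream.
EXPORT_SAME_UUIDS = [Entry("u1", "wiki-internal", "pw-a"),
                     Entry("u2", "jira", "pw-b")]
# Re-export where the renamed entry received a fresh UUID (u9).
EXPORT_NEW_UUID = [Entry("u9", "wiki-internal", "pw-a"),
                   Entry("u2", "jira", "pw-b")]


def demo():
    """Return the sync reports for both constructed exports."""
    _, stable = one_way_sync(LOCAL, EXPORT_SAME_UUIDS)
    _, regenerated = one_way_sync(LOCAL, EXPORT_NEW_UUID)
    return stable, regenerated


if __name__ == "__main__":
    for name, rep in zip(("stable UUIDs", "regenerated UUID"), demo()):
        print(name, rep)
```

With stable UUIDs the rename is an in-place update; with a regenerated UUID the same rename shows up as one removal plus one addition, which is why the condition in the last comment matters for any export tool feeding the import.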