KC-1315, KC-1329: Fix share-folder record expiration and ROE handling#2168
Merged
Merged
Conversation
This comment has been minimized.
This comment has been minimized.
sali-ks
reviewed
Jun 25, 2026
sali-ks
approved these changes
Jun 25, 2026
sali-ks
approved these changes
Jun 25, 2026
242f85f to
0c51824
Compare
dcd973e to
4820349
Compare
0c51824 to
00cb187
Compare
ae1f3ed to
8d8fcf6
Compare
sali-ks
approved these changes
Jul 8, 2026
pvagare-ks
approved these changes
Jul 9, 2026
…g re-shares When share-folder was used with -r and --expire-in, expiration was applied to SharedFolderUpdateRecord, which caused the record to be removed from the owner's vault when the timer expired. Route per-record expiration and -roe through the record share API (revoke then re-grant) instead, keep folder user updates for access only, sync before granting, and skip redundant user updates when sharing additional records to the same recipient.
7e69ec0 to
0663292
Compare
358da0c to
e61ccec
Compare
sk-keeper
pushed a commit
that referenced
this pull request
Jul 9, 2026
…#2168) * Fix share-folder record expiration removing owner records and breaking re-shares When share-folder was used with -r and --expire-in, expiration was applied to SharedFolderUpdateRecord, which caused the record to be removed from the owner's vault when the timer expired. Route per-record expiration and -roe through the record share API (revoke then re-grant) instead, keep folder user updates for access only, sync before granting, and skip redundant user updates when sharing additional records to the same recipient. * Share-folder: expire folder and record access together; log expiry in output * updated test file * Fix share-folder remove vault deletion; clean up access grant/remove logs * Fix share folder expire in and -r combination * Separate folder and record flag usage to fix multiple remove related issue * Fix -p and -o flags and 1mi expiry * Restrict outside records to be shared via -r * Update help --------- Co-authored-by: amangalampalli-ks <amangalampalli@keepersecurity.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes
share-folderbehavior for KC-1315 and KC-1329. Folder access (-e,-p,-o,--expire-in/at,-roe) and record permissions (-r,-d,-s) are now independent flag groups. Expiration applies only to folder user/team access, not per-record timers. Remove with-erevokes folder access only and no longer removes records from the folder.Changes
KC-1315 — Expiration
--expire-in/--expire-atapply only to folder user/team protos (SharedFolderUpdateUser/SharedFolderUpdateTeam), notSharedFolderUpdateRecord-rupdatecan_edit/can_shareonly (no expiration or ROE on records)1mi) using millisecond-precision timestampsKC-1329 — Remove semantics
-a removewith-erevokes folder access only; does not callsharedFolderRemoveRecord-r/-d/-scan be combined with remove to update record permissions in the same requestValidation & safety
-d/-srequire a record target (-r,-r *, or-r @existing)-rwith a specific record UID/name must already be in the folder; rejects foreign records instead of linking them viasharedFolderAddRecord-eReliability
-p/-oalways update folder user permissions even when-ris presentHelp & tests
share-folderhelp into folder access vs record permissions groups-ois mutually exclusive with--expire-at/--expire-in(matches Vault behavior)test_command_register.pyFlag model
-a,-e,-p,-o,--expire-in/at,-roe-r,-d,-s-p/-oand-d/-sare independent within their groups.