Observed
When a user receives a folder shared with read-only permission, and that folder is later moved to the trash bin, the recipient (read-only invitee) can permanently delete the folder from their trash view.
Expected
A user holding only read-only permission on a shared folder should not be able to permanently delete it — including from the trash bin. Only the folder owner (or a user with write/admin permission) should be allowed to delete.
Suspected scope
- Trash bin UI: the permanent-delete action is rendered regardless of the recipient's permission level on the shared vfolder.
- Backend authorization may already block the actual delete; if so, the UI is showing an action that always fails, which is itself a UX bug. If the backend allows it, that is a security/data-loss bug.
—
Captured while working on branch: 05-18-feat_fr-26_show_error_state_on_projectselect_when_no_accessible_projects
JIRA Issue: FR-2911
Observed
When a user receives a folder shared with read-only permission, and that folder is later moved to the trash bin, the recipient (read-only invitee) can permanently delete the folder from their trash view.
Expected
A user holding only read-only permission on a shared folder should not be able to permanently delete it — including from the trash bin. Only the folder owner (or a user with write/admin permission) should be allowed to delete.
Suspected scope
—
Captured while working on branch: 05-18-feat_fr-26_show_error_state_on_projectselect_when_no_accessible_projects
JIRA Issue: FR-2911