[Bug]: Able to download other users' transaction info, even when they have end2end encryption enabled. #3778

Closed
2 tasks done
maxdalat opened this issue Nov 3, 2024 · 5 comments
Labels
bug Something isn't working

Comments

maxdalat commented Nov 3, 2024

Verified issue does not already exist?

  • I have searched and found no existing issue
  • I will be providing steps how to reproduce the bug (in most cases this will also mean uploading a demo budget file)

What happened?

When I wanted to make a new account for someone, I tried to set up simplefin thinking that it would restart simplefin as if the other budget was separate. I found that instead, I was able to download all the transaction info, even when I didn't give my encryption key.

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Chrome

Operating System

Mac OSX

@maxdalat maxdalat added the bug Something isn't working label Nov 3, 2024
Author

maxdalat commented Nov 4, 2024

Oh what I meant by operating system, I was thinking about my laptop, sorry. In terms of docker, I am running it on a server with ubuntu 20.04 and have it connected through tailscale. I code through my laptop and open actual on my laptop. I was just thinking that this applies to any system so I didn't really think about what I put. Sorry about that confusion.

Member

youngcw commented Nov 4, 2024

So you are seeing the other account's bank accounts in your simplefin account list? The file encryption key has nothing to do with simplefin, it only affects the budget files. If you want to have separate simplefin accounts you need to use different Actual servers and different simplefin accounts.

Author

maxdalat commented Nov 4, 2024

In actual documentation, it says that if you want to share the server with other people, you can set up separate budgets, and keep them separate by having encryption keys so that both need their own password. All I am asking for is a solution so that people who share a server, but have different budgets, are both able to implement simplefin completely separate from each other. I am trying to make different simplefin accounts, so that each person has their own subscription and key and everything is kept separated. Lmk if you need any more clarification cause it's kinda hard to explain.

Member

youngcw commented Nov 4, 2024

As of now there can only be one simplefin connection per server. So all budget files within a server can see all transaction data from simplefin. The docs you mention don't include bank syncing, just budget files.

There is ongoing work to add user support to the server which should make it so you can have separate simplefin credentials. On simplefin's side, there is no way to select just a subset of accounts, so you would need multiple simplefin accounts to not have access to each other's data, and there isn't anything Actual can do about that.

For now, the only way to not see each other's data and have separate bank syncing with simplefin is to have separate servers and separate simplefin accounts.

@youngcw youngcw closed this as completed Nov 4, 2024