Volto security issues with My Folder (user folders)

I switched on Enable User Folders on an existing site.
There happened to be no Members folder, I discovered, so I created that manually in the ZMI.

My Folder appeared nicely and I added some private content. I created a second user with Editor rights.

Switched to Volto as the editor user after a restart of my browser and, surprisingly, I could see and delete all the My Folder stuff of the other user (who had admin + site rights, btw).

Is that normal or a security leak?

That is normal, expected behavior. You can view an editor as a lightweight site administrator.
Editors cannot do the normal management things, like using the control panel and actually publishing content, but they can access and modify most (if not all) content, and submit it for publication.
Someone who can publish content, for example Site Administrator or Manager, can then actually publish it.
This is useful for sites where multiple people work on content, but a limited set of people have the responsibility to do final review.
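The quickest way to confirm what the reply says on your own site is to ask Zope which roles hold "Delete objects" on the private item in the user folder, and whether the editor account passes the effective permission check. The script below is an added example, not code from this thread or from Plone itself. It is meant to be run with `bin/instance run check_delete_roles.py` and assumes a Plone 5 site with id "Plone", a user folder at /Members/alice containing an item called "draft", and a second user "bob" holding the Editor role; all of those names are placeholders. `roles_holding` is kept free of Zope imports so it can be unit-tested outside the instance against the dict list that `RoleManager.rolesOfPermission()` returns.

```python
# Added check script (not part of the thread or of Plone). Run inside a
# Plone instance:  bin/instance run check_delete_roles.py
# Assumptions: site id "Plone", a user folder /Members/alice with an item
# "draft", and a user "bob" with the Editor role. Adjust to your site.


def roles_holding(roles_of_permission):
    """Names of the roles granted a permission.

    Input is the list of {'name': ..., 'selected': ...} dicts that Zope's
    RoleManager.rolesOfPermission(permission) returns; a non-empty 'selected'
    ('SELECTED') marks a role that holds the permission. Pure Python so it
    can be tested without a running Zope.
    """
    return sorted(r['name'] for r in roles_of_permission if r.get('selected'))


def check_delete_roles(site, path, username, permission='Delete objects'):
    """Return (workflow_state, roles_with_permission, user_can) for the
    object at `path`, evaluated as `username` would see it."""
    # Plone-only imports are deferred so the module also loads outside Zope.
    from plone import api
    from zope.component.hooks import setSite

    setSite(site)  # plone.api needs the site as the active component site
    obj = api.content.get(path=path)
    if obj is None:
        raise LookupError('no content at %s' % path)

    state = api.content.get_state(obj)
    # Roles granted the permission on this object (local or acquired).
    roles = roles_holding(obj.rolesOfPermission(permission))
    # Effective answer: does this user pass the security check on this object?
    can = api.user.has_permission(permission, username=username, obj=obj)
    return state, roles, can


def main(app):
    site = app.Plone  # assumed site id
    state, roles, can = check_delete_roles(site, '/Members/alice/draft', 'bob')
    print('workflow state: %s' % state)
    print('roles holding "Delete objects": %s' % ', '.join(roles))
    print('user bob can delete it: %s' % can)


if 'app' in globals():  # `app` is only injected by bin/instance run
    main(app)
```

If the last line prints True for a user whose only role is Editor, you have reproduced the behavior described above on your own workflow and role map; the list of roles tells you where that grant comes from, so you can decide whether to tighten the role map or use a different workflow for user folders.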

Thanks for the explanation. I thought that private content was "for your own eyes only" (except site admins and site managers). I was not aware that Editors could delete private content in My Folder.

see https://training.plone.org/5/workflow/roles-and-permissions.html


A user with the Editor role by default does not have the ability to add content, but can modify (edit) content and use version control. An Editor can also manage properties of content and can submit content for publication. The Editor role should be used when a Contributor is sending a piece of content for review.

The Editor will review, and change, the content and then submit it for publication.
