github/vaultwarden
1
1
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-01-11 03:57:56 -05:00
Code Issues 13 Packages Projects Releases Wiki Activity

Organisation User with "Can Manage" permissions cannot access "Edit Access" of Collection #180

New Issue
Closed
opened 2025-07-08 08:41:57 -04:00 by AtHeartEngineer · 0 comments
AtHeartEngineer commented 2025-07-08 08:41:57 -04:00
Owner
Copy Link

Originally created by @yurix73 on 2/18/2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.2
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.48.0
  • Environment settings overridden!: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: false

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Failed HTTP Checks:

2FA Connector calls:
Header: 'x-frame-options' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 5,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 5000000,
  "org_creation_users": "*****************************,**************************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 1000000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "************",
  "signups_verify": true,
  "signups_verify_resend_limit": 3,
  "signups_verify_resend_time": 7200,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 50000,
  "user_send_limit": 50000,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.2

Deployment method

Official Container Image

Custom deployment method

Vaultwarden behind Nginx Reverse Proxy

Reverse Proxy

nginx/1.22.1

Host/Server Operating System

Linux

Operating System Version

Debian 12 (bookworm)

Clients

Web Vault

Client Version

Chromium Version 133.0.6943.53 (Official Build) (64-bit)

Steps To Reproduce

  1. I login with a User that has Member Role "User" and "Can Manage" permissions to a parent collection that features multiple child collection for which I also have "Can Manage" permissions
  2. Select a Collection that I have "Can Manage" Permissions for.
  3. I Click on some child Collection within that parent Collection
  4. I open the hamburger menu for that subcollection
  5. Click on 'Edit Access'

Expected Result

Because this user has "Can Manage" Permissions I should be able see a Modal to edit who has access to selected Collection.

Image

Actual Result

I get redirected to the login page

Logs

[2025-02-18 09:48:11.198][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/collections/details
[2025-02-18 09:48:11.198][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.198][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.198][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2025-02-18 09:48:11.201][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/users/mini-details
[2025-02-18 09:48:11.202][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.202][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.203][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 401 Unauthorized
[2025-02-18 09:48:11.298][vaultwarden::api::notifications][INFO] Closing WS connection from IP_CENSORED
[2025-02-18 09:48:11.956][request][INFO] GET /icons/VAULTWARDEN_URL_CENSORED/icon.png
[2025-02-18 09:48:11.956][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK

Screenshots or Videos

Image

Image

Image

Additional Context

No response

*Originally created by @yurix73 on 2/18/2025* ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.2 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.48.0 * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: false ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** ADMIN_TOKEN **Failed HTTP Checks:** ```yaml 2FA Connector calls: Header: 'x-frame-options' is present while it should not ``` **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*********************", "domain_origin": "*****://*********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": true, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 5, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 5000000, "org_creation_users": "*****************************,**************************", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 1000000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "************", "signups_verify": true, "signups_verify_resend_limit": 3, "signups_verify_resend_time": 7200, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "login", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***************************", "smtp_from_name": "Vaultwarden", "smtp_host": "********************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***************************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 50000, "user_send_limit": 50000, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.33.2 ### Deployment method Official Container Image ### Custom deployment method Vaultwarden behind Nginx Reverse Proxy ### Reverse Proxy nginx/1.22.1 ### Host/Server Operating System Linux ### Operating System Version Debian 12 (bookworm) ### Clients Web Vault ### Client Version Chromium Version 133.0.6943.53 (Official Build) (64-bit) ### Steps To Reproduce 1. I login with a User that has Member Role "User" and "Can Manage" permissions to a parent collection that features multiple child collection for which I also have "Can Manage" permissions 2. Select a Collection that I have "Can Manage" Permissions for. 3. I Click on some child Collection within that parent Collection 4. I open the hamburger menu for that subcollection 5. Click on 'Edit Access' ### Expected Result Because this user has "Can Manage" Permissions I should be able see a Modal to edit who has access to selected Collection. ![Image](https://github.com/user-attachments/assets/5955b982-7eee-4764-951c-e1495815608d) ### Actual Result I get redirected to the login page ### Logs ```text [2025-02-18 09:48:11.198][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/collections/details [2025-02-18 09:48:11.198][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint [2025-02-18 09:48:11.198][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint". [2025-02-18 09:48:11.198][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized [2025-02-18 09:48:11.201][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/users/mini-details [2025-02-18 09:48:11.202][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint [2025-02-18 09:48:11.202][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint". [2025-02-18 09:48:11.203][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 401 Unauthorized [2025-02-18 09:48:11.298][vaultwarden::api::notifications][INFO] Closing WS connection from IP_CENSORED [2025-02-18 09:48:11.956][request][INFO] GET /icons/VAULTWARDEN_URL_CENSORED/icon.png [2025-02-18 09:48:11.956][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK ``` ### Screenshots or Videos ![Image](https://github.com/user-attachments/assets/fdea87ce-89e1-40d8-9357-4d29f21a20ad) ![Image](https://github.com/user-attachments/assets/5b5d114d-be73-415a-ad17-c7dea42927b8) ![Image](https://github.com/user-attachments/assets/db678a33-a240-4434-84a5-01d715f179c5) ### Additional Context _No response_
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
enhancement
enhancement
enhancement
enhancement
low priority
low priority
low priority
question
No Label bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
AtHeartEngineer
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github/vaultwarden#180
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?