Users with custom role (old manager) in org cannot import into collections they have access rights to #185

Closed
opened 2025-07-08 08:42:04 -04:00 by AtHeartEngineer · 0 comments

Originally created by @maluueu on 2/14/2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.1
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 17.2 (Debian 17.2-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
  • Environment settings overridden!: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: false
  • Browser/Server Time Check: false
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://*****************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************************",
  "domain_origin": "*****://***************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/logs/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "*********",
  "smtp_host": "********",
  "smtp_password": "***",
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

caddy v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.1 LTS (noble)

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Go to 'Tools'
  2. Click on 'Import Data'
  3. Select the vault
  4. Select a collection which you have write access to
  5. Select a KeePass 2 XML file and change file type to 'KeePass 2 (XML)'
  6. Click on 'Import Data'

Expected Result

All entries from KeePass imported into selected collection.

Actual Result

User is logged out from Web Vault.
After logging back in nothing has been imported.

Logs in browser console:

401: Unauthorized
The request requires user authentication.

Rocket

Logs

[2025-02-14 14:06:06.114][request][INFO] POST /api/ciphers/import-organization?organizationId=***********************************************
[2025-02-14 14:06:06.124][auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2025-02-14 14:06:06.124][vaultwarden::api::core::organizations::_][WARN] Request guard `AdminHeaders` failed: "You need to be Admin or Owner to call this endpoint".
[2025-02-14 14:06:06.125][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default.
[2025-02-14 14:06:06.125][response][INFO] (post_org_import) POST /api/ciphers/import-organization?<query..> => 401 Unauthorized
[2025-02-14 14:06:06.192][request][INFO] GET /
[2025-02-14 14:06:06.193][response][INFO] (web_index) GET / => 200 OK
[2025-02-14 14:06:06.206][vaultwarden::api::notifications][INFO] Closing WS connection from ***.***.***.***

Screenshots or Videos

No response

Additional Context

All the users are members of exactly one organization. They have all been assigned the role 'Custom' so they can create collections by themselves.
When importing the KeePass 2 store as an admin user or org owner it is working fine.
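
For operators triaging reports like this one, the following added example (not part of the original issue and not Vaultwarden code) pairs each failed Rocket request guard in the log with the route and status of the response that follows it. The sample log is constructed from the lines quoted above, with the redacted organization ID shortened; the function name `guard_denials` and the assumption that the lines of one request are not interleaved with another's are mine.

```python
import re

# Constructed sample modelled on the log excerpt in the report (redaction shortened).
SAMPLE_LOG = """\
[2025-02-14 14:06:06.114][request][INFO] POST /api/ciphers/import-organization?organizationId=***
[2025-02-14 14:06:06.124][auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2025-02-14 14:06:06.124][vaultwarden::api::core::organizations::_][WARN] Request guard `AdminHeaders` failed: "You need to be Admin or Owner to call this endpoint".
[2025-02-14 14:06:06.125][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default.
[2025-02-14 14:06:06.125][response][INFO] (post_org_import) POST /api/ciphers/import-organization?<query..> => 401 Unauthorized
[2025-02-14 14:06:06.192][request][INFO] GET /
[2025-02-14 14:06:06.193][response][INFO] (web_index) GET / => 200 OK
"""

# [timestamp][log target][LEVEL] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
GUARD = re.compile(r'Request guard `(?P<guard>\w+)` failed: "(?P<reason>[^"]*)"')
RESP = re.compile(r"^\((?P<route>\w+)\) (?P<method>[A-Z]+) (?P<path>\S+) => (?P<status>\d{3})")


def guard_denials(log_text):
    """Return one record per 401/403 response that was preceded by a guard failure."""
    pending = None  # guard failure seen since the last request line
    denials = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        target, msg = m["target"], m["msg"]
        if target == "request":
            pending = None  # a new request starts; drop stale guard state
        elif (g := GUARD.search(msg)):
            pending = (m["ts"], g["guard"], g["reason"])
        elif target == "response" and (r := RESP.match(msg)):
            if pending and r["status"] in ("401", "403"):
                denials.append({
                    "time": pending[0],
                    "guard": pending[1],
                    "reason": pending[2],
                    "route": r["route"],
                    "method": r["method"],
                    "path": r["path"].split("?", 1)[0],  # drop the query placeholder
                    "status": int(r["status"]),
                })
            pending = None
    return denials


if __name__ == "__main__":
    for d in guard_denials(SAMPLE_LOG):
        print(d)
```

On a busy server, lines from concurrent requests interleave, so treat the pairing as a triage aid and confirm against the timestamps.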


Reference: github/vaultwarden#185