mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-18 01:49:32 -05:00
[GH-ISSUE #7210] manage field in sync response always false for User-type org members despite per-collection manage permission #35596
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @scrapix on GitHub (May 12, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7210
Prerequisites
Vaultwarden Support String
Description:
When a per-collection "Manage" permission is granted to a User-type org member (type 2) via the admin panel, the /api/sync response still returns "manage": false for that
collection.
Root cause:
In src/db/models/collection.rs, to_json_details() at line 102:
is_manager && (cu.manage || (!cu.read_only && !cu.hide_passwords)),
The cu.manage value from the users_collections table is gated behind is_manager (which is only true for MembershipType::Manager, type 3). For User-type members (type 2),
the expression short-circuits to false regardless of the actual cu.manage DB value.
Expected behavior:
If a per-collection manage permission is explicitly set in the users_collections table (visible in the admin panel as "Manage collection"), it should be reflected in the
sync response for all member types — not just Managers.
Suggested fix:
Change line 102 from:
is_manager && (cu.manage || (!cu.read_only && !cu.hide_passwords)),
to:
cu.manage || (is_manager && !cu.read_only && !cu.hide_passwords),
And similarly line 108 for group-based permissions.
This preserves the existing Manager implicit-manage behavior (full read/write implies manage) while also honoring the explicitly-set cu.manage flag for all member types.
Reproduction:
Version: Confirmed in current Vaultwarden source (to_json_details in src/db/models/collection.rs)
Vaultwarden Build Version
2026.4.1
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
traefik
Host/Server Operating System
Linux
Operating System Version
No response
Clients
CLI
Client Version
No response
Steps To Reproduce
Expected Result
Title: Fix: propagate per-collection manage flag for User-type org members
Body:
Summary
true
Changes
src/db/models/collection.rs — to_json_details():
Rationale
The admin panel allows granting "Manage collection" to any member type, and this is stored in the users_collections.manage column. However to_json_details() only propagated
this to the sync response for Manager+ roles. This made the per-collection manage permission effectively non-functional for User-type members.
The fix honors the explicitly-set manage flag for all member types, while preserving the existing implicit behavior where Managers with full read/write access (no
read_only, no hide_passwords) also get manage: true.
Test plan
Actual Result
can set a user as collection manager in admin console but not use this state on client
Logs
Screenshots or Videos
No response
Additional Context
No response
@BlackDex commented on GitHub (May 13, 2026):
The main reason is, because Vaultwarden doesn't support this.
There are different roles and rights for managing collections which currently are not working or break if the role is user but with manage permissions on a collection. That is why we return
edit.A lot needs to be changed to get this working properly, not just those lines.
This for me is a works as intended.
@scrapix commented on GitHub (May 13, 2026):
@BlackDex thanks for your quick feedback. I was unaware of this permission model. I thought Collection permissions were independant of user roles and permissions.
Quiete unfortunate though :(
@scrapix commented on GitHub (May 13, 2026):
Then to make the UX consistent, a regular "edit" user should net be assignable as manage collection user in admin panel