mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-03-12 01:45:56 -05:00
Issue with group-level access permissions and collection management for managers #5262
Originally created by @fdaone on GitHub (Jun 28, 2023).
Tested with the most recent testing docker image (Digest:sha256:78f4cf6c42004d70afb8673ef55bd88f25b62094b41275e935947e4ed6e8db17)
Subject of the issue
Group-level access permissions are not working as intended with regards to collection management (for members with the manager role).
Deployment environment (Generated via diagnostics page)
Vaultwarden is started like this: docker run -d --env-file /opt/docker/vw-data-test/.env --name vw-test -v /opt/docker/vw-data-test:/data -p 0.0.0.0:8081:81 -p 0.0.0.0:3013:3013 --restart on-failure harbor/mirror/docker.io/vaultwarden/server@sha256:78f4cf6c42004d70afb8673ef55bd88f25b62094b41275e935947e4ed6e8db17
Steps to reproduce the issue
As an admin assign the manager role to Member.
Add Member to Group that has 'Can edit' on Collection.
Log in as Member. Go to Organizations (top menu). Collection cannot be edited/modified as one would expect with the manager role and 'Can edit'.
The small pop-up menu with 'Edit info', 'Access', 'Delete' is simply not accessible. Normally this small pop-up menu can be accessed by clicking the 3 small dots to the far right of a collection or by clicking the "arrow" (pointing down) right next to the collection name once you're already looking inside the collection in question. Neither the 3 dots nor the arrow pointing down is shown in the web UI.
However, new collections can without problems be created. As such, create new NestedCollection with Collection as "parent" and give 'Can edit' to Group.
Now NestedCollection has been created, but Member also cannot edit/modify this one.
The ability to modify/edit collections only works if Member gets 'Can edit' applied directly as a user-level access permission (which of course defeats the whole purpose of utilizing group-level access permissions, which are highly convenient in many scenarios with several users).
Now comes the funny/puzzling part... If Member gets even just 'Can view' applied as a user-level access permission, the 'Can edit' access permission from the Group starts to work immediately.
@BlackDex commented on GitHub (Jul 12, 2023):
Confirmed.
It probably has the same issue as #3413 in regards to a query which is probably not optimized.
We need to try and solve this in a good manner, and I did not have the time yet to take a very good look at all the group queries to find a sane way to solve this all.
So, if anybody has a good idea, normalize this data differently, or other sane ways, please help out by creating a PR or provide some good pointers :).
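The symptom in the report (a group's 'Can edit' only takes effect once the member also has some user-level row on the collection, even just 'Can view') is exactly what an access query produces when the user-level table is INNER JOINed and the group path is only evaluated on rows that survive that join. The following is an added example, not Vaultwarden's schema, code or query: it uses a small hypothetical schema (tables `users_collections`, `org_groups`, `org_groups_users`, `collections_org_groups`, all constructed here) in an in-memory SQLite database, runs a query with that join pattern next to one that LEFT JOINs both paths, and reproduces the three situations described above.

```python
import sqlite3

# Constructed, hypothetical schema for illustration only (not Vaultwarden's):
# read_only = 1 means 'Can view', read_only = 0 means 'Can edit'.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY);
CREATE TABLE collections (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE users_collections (user_id TEXT, collection_id TEXT, read_only INTEGER);
CREATE TABLE org_groups (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE org_groups_users (group_id TEXT, user_id TEXT);
CREATE TABLE collections_org_groups (group_id TEXT, collection_id TEXT, read_only INTEGER);
"""

# Buggy pattern: the INNER JOIN on users_collections drops every collection the
# user has no direct row on, so the group branch in WHERE is never reached for
# those collections. A user-level 'Can view' row makes the group's 'Can edit' work.
BUGGY_CAN_EDIT = """
SELECT COUNT(*) FROM collections c
INNER JOIN users_collections uc
       ON uc.collection_id = c.id AND uc.user_id = :user
LEFT JOIN collections_org_groups cg ON cg.collection_id = c.id
LEFT JOIN org_groups_users gu
       ON gu.group_id = cg.group_id AND gu.user_id = :user
WHERE c.id = :coll
  AND (uc.read_only = 0 OR (gu.user_id IS NOT NULL AND cg.read_only = 0))
"""

# Fixed pattern: both access paths are LEFT JOINed, so a user-level row is no
# longer a precondition for evaluating group-level access.
FIXED_CAN_EDIT = """
SELECT COUNT(*) FROM collections c
LEFT JOIN users_collections uc
       ON uc.collection_id = c.id AND uc.user_id = :user
LEFT JOIN collections_org_groups cg ON cg.collection_id = c.id
LEFT JOIN org_groups_users gu
       ON gu.group_id = cg.group_id AND gu.user_id = :user
WHERE c.id = :coll
  AND ((uc.user_id IS NOT NULL AND uc.read_only = 0)
       OR (gu.user_id IS NOT NULL AND cg.read_only = 0))
"""


def build_db():
    """Constructed sample data: Member is in Group, Group has 'Can edit' on Collection."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?)", [("member",), ("outsider",)])
    db.execute("INSERT INTO collections VALUES ('col1', 'Collection')")
    db.execute("INSERT INTO org_groups VALUES ('grp1', 'Group')")
    db.execute("INSERT INTO org_groups_users VALUES ('grp1', 'member')")
    db.execute("INSERT INTO collections_org_groups VALUES ('grp1', 'col1', 0)")
    return db


def can_edit(db, query, user, coll):
    """Run one of the two access queries; True when at least one row grants edit."""
    (n,) = db.execute(query, {"user": user, "coll": coll}).fetchone()
    return n > 0


def grant_user_view(db, user, coll):
    """Apply a direct user-level 'Can view' (read_only = 1) on the collection."""
    db.execute("INSERT INTO users_collections VALUES (?, ?, 1)", (user, coll))


def reproduce():
    """Replay the report: group-only access, then after adding user-level 'Can view'."""
    db = build_db()
    results = {
        "buggy_group_only": can_edit(db, BUGGY_CAN_EDIT, "member", "col1"),
        "fixed_group_only": can_edit(db, FIXED_CAN_EDIT, "member", "col1"),
        "outsider_fixed": can_edit(db, FIXED_CAN_EDIT, "outsider", "col1"),
    }
    grant_user_view(db, "member", "col1")
    results["buggy_after_user_view"] = can_edit(db, BUGGY_CAN_EDIT, "member", "col1")
    results["fixed_after_user_view"] = can_edit(db, FIXED_CAN_EDIT, "member", "col1")
    return results


if __name__ == "__main__":
    for name, value in reproduce().items():
        print(f"{name}: {value}")
```

With the buggy query the member cannot edit through the group alone, but can the moment a user-level 'Can view' row exists, which is the behaviour the report calls puzzling; the LEFT JOIN form grants edit through either path and still denies an outsider who is in neither. The same shape (a mandatory join on one access path masking another) is worth checking in any permission query that merges direct and group grants.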
@fdaone commented on GitHub (Mar 18, 2024):
Thank you so much to everyone who made this happen. Really appreciate it. I have just tested the newest docker testing release. Works as intended now. 🥳 🙌
@tnargwoxow commented on GitHub (Sep 17, 2024):
This item is still listed as an outstanding issue but is closed. Is this fully complete? Love the work on this =)
@BlackDex commented on GitHub (Sep 17, 2024):
@tnargwoxow What we are currently missing is the fully new way of permission handling used by Bitwarden right now.
Bitwarden does not have a Manager role anymore. This also keeps us stuck at the v2024.6.2 web-vault version, since all versions after that do not have the old implementation anymore.
What we would need is functionality which works with these new roles. And the old roles need to be migrated in some way.
Also, Groups and Collections need to be reviewed in such a way that we do not need to create such complex queries using multiple layers of joins or sub-queries or stuff like that. Maybe better to de-normalize and merge several tables to make our query lives easier :).
@tnargwoxow commented on GitHub (Sep 17, 2024):
@BlackDex Understood! Thanks a lot for all the work on this! Ok, this sounds like a tricky change. Is there an open issue on this? Or is it just generally understood? I ask primarily so 1: I can track it and keep on top of changes there and 2: if there ends up being something I or someone I know can do to help move towards catching up with the new web vault.
My guess though is this is a very large change and something that really requires dedicated planning time.