Users with custom role (old manager) in org cannot import into collections they have access rights to #5838

Closed
opened 2026-03-07 20:40:03 -06:00 by GiteaMirror · 7 comments

Originally created by @maluueu on GitHub (Feb 14, 2025).

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.1
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 17.2 (Debian 17.2-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
  • Environment settings overridden!: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: false
  • Browser/Server Time Check: false
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://*****************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************************",
  "domain_origin": "*****://***************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/logs/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "*********",
  "smtp_host": "********",
  "smtp_password": "***",
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

caddy v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.1 LTS (noble)

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Go to 'Tools'
  2. Click on 'Import Data'
  3. Select the vault
  4. Select a collection which you have write access to
  5. Select a KeePass 2 XML file and change file type to 'KeePass 2 (XML)'
  6. Click on 'Import Data'

Expected Result

All entries from KeePass imported into selected collection.

Actual Result

User is logged out from Web Vault.
After logging back in nothing has been imported.

Logs in browser console:

401: Unauthorized
The request requires user authentication.

Rocket

Logs

[2025-02-14 14:06:06.114][request][INFO] POST /api/ciphers/import-organization?organizationId=***********************************************
[2025-02-14 14:06:06.124][auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2025-02-14 14:06:06.124][vaultwarden::api::core::organizations::_][WARN] Request guard `AdminHeaders` failed: "You need to be Admin or Owner to call this endpoint".
[2025-02-14 14:06:06.125][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default.
[2025-02-14 14:06:06.125][response][INFO] (post_org_import) POST /api/ciphers/import-organization?<query..> => 401 Unauthorized
[2025-02-14 14:06:06.192][request][INFO] GET /
[2025-02-14 14:06:06.193][response][INFO] (web_index) GET / => 200 OK
[2025-02-14 14:06:06.206][vaultwarden::api::notifications][INFO] Closing WS connection from ***.***.***.***

Screenshots or Videos

No response

Additional Context

All the users are members of exactly one organization. They have all been assigned the role 'Custom' so they can create collections by themselves.
When importing the KeePass 2 store as an admin user or org owner it is working fine.

GiteaMirror added the bug label 2026-03-07 20:40:03 -06:00
@maluueu commented on GitHub (Feb 14, 2025):

Why do we require AdminHeaders here: organizations.rs#L1832 (https://github.com/dani-garcia/vaultwarden/blob/d5c353427d07d3749569906897b79b1604afcdd5/src/api/core/organizations.rs#L1832)?
Has this been forgotten when the Custom role was introduced?
@BlackDex commented on GitHub (Feb 14, 2025):

Managers were never able to import data into organizations as far as I know.
Not sure how you are able to view this in the web-vault, as that isn't visible for me when I log in with a user which has manager rights.
@BlackDex commented on GitHub (Feb 14, 2025):

Hmm, looks like they are in the newer web-vault via the Password Vault import option.

@maluueu commented on GitHub (Feb 17, 2025):

@BlackDex I can see that. But while we're at it, why aren't users with a manager/custom role allowed to import passwords into collections they have access to (or create a new one for them)? I mean, they have permissions to do it manually (create the collection + passwords), what's the difference in being able to just import an existing password store in one go?
If we allowed that, what would have to change? I'm afraid I'm not really familiar with Rust, or with this code base in general, but I could give it my best shot.

@stefan0xC commented on GitHub (Feb 20, 2025):

@maluueu this seems to be a recent change by upstream, so the AdminHeaders check has now become too strict.

Allowing this via ManagerHeaders would be a bit tedious because the collection id is not part of the path param or the query: https://github.com/dani-garcia/vaultwarden/blob/359a4a088a6ddd9577bd695295d91e5abaec66df/src/auth.rs#L671-L674

We could use the ManagerHeadersLoose guard and then check the passed collection id manually if you are allowed to access them. Though this probably is not the right way either when this should be possible for any User that is allowed to manage a collection (https://github.com/bitwarden/clients/commit/8c339ead1992c2641375a6c167ddd3249e5b146c), so we would probably have to implement a custom guard for that or change how we check for permissions (i.e. implement custom permissions and, like upstream, finally get rid of the manager role).
@BlackDex commented on GitHub (May 21, 2025):

I'm working on this btw, but Bitwarden also checks if a user has access to the collection or not and if not returns a warning/error.

We can do the same.
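The per-collection check that stefan0xC and BlackDex describe above, as an added Rust illustration that is not vaultwarden's own code: it models the member type, the per-collection read_only/manage flags and an import request with constructed types, admits Owners and Admins outright (what the AdminHeaders guard allowed), and requires manage rights on every target collection for anyone else. The type names, the sample data and the policy that a non-admin import must name a target collection are assumptions.

```rust
// Added illustration (not vaultwarden's code): admit any member, then verify each
// collection the import targets. Types, policy and sample data are constructed.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum MembershipType { Owner, Admin, Custom, User }

/// Per-collection rights of a member, modelled on the read_only/manage flags.
#[derive(Clone, Copy, Debug)]
struct CollectionAccess { read_only: bool, manage: bool }

struct Member {
    member_type: MembershipType,
    // collection id -> rights; a collection absent here is not visible to the member
    collections: HashMap<String, CollectionAccess>,
}

/// The part of an import request that matters for authorization.
struct ImportRequest { target_collections: Vec<String> }

#[derive(Debug, PartialEq, Eq)]
enum ImportError { NoTargetCollection, NotAccessible(String), NotManageable(String) }

/// Owners and Admins always pass. Every other member must hold manage rights on each
/// collection the import targets; the first failing collection is reported, nothing is imported.
fn authorize_org_import(member: &Member, req: &ImportRequest) -> Result<(), ImportError> {
    if matches!(member.member_type, MembershipType::Owner | MembershipType::Admin) {
        return Ok(());
    }
    if req.target_collections.is_empty() {
        // Assumed policy: a non-admin import must name the collection it goes into.
        return Err(ImportError::NoTargetCollection);
    }
    for id in &req.target_collections {
        match member.collections.get(id) {
            None => return Err(ImportError::NotAccessible(id.clone())),
            Some(acc) if acc.read_only || !acc.manage => {
                return Err(ImportError::NotManageable(id.clone()))
            }
            Some(_) => {}
        }
    }
    Ok(())
}

/// Constructed sample: a Custom-role member who manages coll-a, can only read
/// coll-b and cannot see coll-c at all.
fn sample_custom_member() -> Member {
    let mut collections = HashMap::new();
    collections.insert("coll-a".to_string(), CollectionAccess { read_only: false, manage: true });
    collections.insert("coll-b".to_string(), CollectionAccess { read_only: true, manage: false });
    Member { member_type: MembershipType::Custom, collections }
}

fn main() {
    let member = sample_custom_member();
    let req = ImportRequest { target_collections: vec!["coll-a".into(), "coll-b".into()] };
    println!("{:?}", authorize_org_import(&member, &req)); // Err(NotManageable("coll-b"))
}
```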
@BlackDex commented on GitHub (May 21, 2025):

Ok, I have it fixed in my #5798 PR via https://github.com/BlackDex/vaultwarden/commit/419d98b7a5a30bb019a9425172f053ed9f7ceda6
Reference: github-starred/vaultwarden#5838