Organisation User with "Can Manage" permissions cannot access "Edit Access" of Collection #5842

New Issue

Closed

opened 2026-03-07 20:40:09 -06:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-03-07 20:40:09 -06:00

Owner

Copy Link

Originally created by @yurix73 on GitHub (Feb 18, 2025).

Originally assigned to: @BlackDex on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.33.2
• Web-vault version: v2025.1.1
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.48.0
• Environment settings overridden!: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: false

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Failed HTTP Checks:

2FA Connector calls:
Header: 'x-frame-options' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 5,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 5000000,
  "org_creation_users": "*****************************,**************************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 1000000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "************",
  "signups_verify": true,
  "signups_verify_resend_limit": 3,
  "signups_verify_resend_time": 7200,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 50000,
  "user_send_limit": 50000,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.2

Deployment method

Official Container Image

Custom deployment method

Vaultwarden behind Nginx Reverse Proxy

Reverse Proxy

nginx/1.22.1

Host/Server Operating System

Linux

Operating System Version

Debian 12 (bookworm)

Clients

Web Vault

Client Version

Chromium Version 133.0.6943.53 (Official Build) (64-bit)

Steps To Reproduce

1. I login with a User that has Member Role "User" and "Can Manage" permissions to a parent collection that features multiple child collection for which I also have "Can Manage" permissions
2. Select a Collection that I have "Can Manage" Permissions for.
3. I Click on some child Collection within that parent Collection
4. I open the hamburger menu for that subcollection
5. Click on 'Edit Access'

Expected Result

Because this user has "Can Manage" Permissions I should be able see a Modal to edit who has access to selected Collection.

Actual Result

I get redirected to the login page

Logs

[2025-02-18 09:48:11.198][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/collections/details
[2025-02-18 09:48:11.198][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.198][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.198][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2025-02-18 09:48:11.201][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/users/mini-details
[2025-02-18 09:48:11.202][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.202][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.203][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 401 Unauthorized
[2025-02-18 09:48:11.298][vaultwarden::api::notifications][INFO] Closing WS connection from IP_CENSORED
[2025-02-18 09:48:11.956][request][INFO] GET /icons/VAULTWARDEN_URL_CENSORED/icon.png
[2025-02-18 09:48:11.956][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK

Screenshots or Videos

Additional Context

No response

Originally created by @yurix73 on GitHub (Feb 18, 2025). Originally assigned to: @BlackDex on GitHub. ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.2 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.48.0 * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: false ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** ADMIN_TOKEN **Failed HTTP Checks:** ```yaml 2FA Connector calls: Header: 'x-frame-options' is present while it should not ``` **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*********************", "domain_origin": "*****://*********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": true, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 5, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 5000000, "org_creation_users": "*****************************,**************************", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 1000000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "************", "signups_verify": true, "signups_verify_resend_limit": 3, "signups_verify_resend_time": 7200, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "login", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***************************", "smtp_from_name": "Vaultwarden", "smtp_host": "********************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***************************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 50000, "user_send_limit": 50000, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.33.2 ### Deployment method Official Container Image ### Custom deployment method Vaultwarden behind Nginx Reverse Proxy ### Reverse Proxy nginx/1.22.1 ### Host/Server Operating System Linux ### Operating System Version Debian 12 (bookworm) ### Clients Web Vault ### Client Version Chromium Version 133.0.6943.53 (Official Build) (64-bit) ### Steps To Reproduce 1. I login with a User that has Member Role "User" and "Can Manage" permissions to a parent collection that features multiple child collection for which I also have "Can Manage" permissions 2. Select a Collection that I have "Can Manage" Permissions for. 3. I Click on some child Collection within that parent Collection 4. I open the hamburger menu for that subcollection 5. Click on 'Edit Access' ### Expected Result Because this user has "Can Manage" Permissions I should be able see a Modal to edit who has access to selected Collection.  ### Actual Result I get redirected to the login page ### Logs ```text [2025-02-18 09:48:11.198][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/collections/details [2025-02-18 09:48:11.198][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint [2025-02-18 09:48:11.198][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint". [2025-02-18 09:48:11.198][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized [2025-02-18 09:48:11.201][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/users/mini-details [2025-02-18 09:48:11.202][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint [2025-02-18 09:48:11.202][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint". [2025-02-18 09:48:11.203][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 401 Unauthorized [2025-02-18 09:48:11.298][vaultwarden::api::notifications][INFO] Closing WS connection from IP_CENSORED [2025-02-18 09:48:11.956][request][INFO] GET /icons/VAULTWARDEN_URL_CENSORED/icon.png [2025-02-18 09:48:11.956][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK ``` ### Screenshots or Videos    ### Additional Context _No response_

GiteaMirror added the bug label 2026-03-07 20:40:09 -06:00

GiteaMirror closed this issue 2026-03-07 20:40:10 -06:00

GiteaMirror commented 2026-03-07 20:40:10 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Feb 18, 2025):

We currently do not allow users to be able to manage.
We might need to block that right in some way, but the other issue is, that users then are not able to delete items from collections anymore.

We currently only allow managers or higher to actually manage a collection, and not users.
So, if you want someone to be able to manage specific collections, change the role to custom for now.

@BlackDex commented on GitHub (Feb 18, 2025): We currently do not allow users to be able to manage. We might need to block that right in some way, but the other issue is, that users then are not able to delete items from collections anymore. We currently only allow managers or higher to actually manage a collection, and not users. So, if you want someone to be able to manage specific collections, change the role to `custom` for now.

GiteaMirror commented 2026-03-07 20:40:10 -06:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub (Feb 19, 2025):

While checking the changes for the new web-v2025.2.1 I noticed 8c339ead19 so it seems like we should make possible for Managers

@stefan0xC commented on GitHub (Feb 19, 2025): While checking the changes for the new `web-v2025.2.1` I noticed https://github.com/bitwarden/clients/commit/8c339ead1992c2641375a6c167ddd3249e5b146c so it seems like we should make possible for Managers

GiteaMirror commented 2026-03-07 20:40:10 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Feb 19, 2025):

Isn't that more for flexible collections? We do not (yet) support those.
Else we should some how instead of logging them out, provide a Vaultwarden specific warning maybe?
Like, Vaultwarden does not support this for normal user accounts or something similar?

Or, someone would like to fix the whole manage throughout the whole code. But that is a mess from my point of view, mainly because of how collections and groups are linked and the queries which need to be done. I still didn't found the time (or drive) yet to try and fix and refactor that. Also because the SSO PR might have effect on it, and i want to make some other database handling changes before trying to refactor that part of the code if I will do it my self (Doesn't prevent anybody else though).

@BlackDex commented on GitHub (Feb 19, 2025): Isn't that more for flexible collections? We do not (yet) support those. Else we should some how instead of logging them out, provide a Vaultwarden specific warning maybe? Like, `Vaultwarden does not support this for normal user accounts` or something similar? Or, someone would like to fix the whole manage throughout the whole code. But that is a mess from my point of view, mainly because of how collections and groups are linked and the queries which need to be done. I still didn't found the time (or drive) yet to try and fix and refactor that. Also because the SSO PR might have effect on it, and i want to make some other database handling changes before trying to refactor that part of the code if I will do it my self (Doesn't prevent anybody else though).

GiteaMirror commented 2026-03-07 20:40:11 -06:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub (Feb 20, 2025):

Oh, sorry for the confusion I think I answered to the wrong issue #5592

@stefan0xC commented on GitHub (Feb 20, 2025): Oh, sorry for the confusion I think I answered to the wrong issue #5592

GiteaMirror commented 2026-03-07 20:40:11 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (May 19, 2025):

I Think this should be solved via the #5798 PR, i can not reproduce this there.
Also, keep in mind that a Child Collection (or nested collection as they are called at Bitwarden) have there own rights, and nothing is inherited from the parent!

@BlackDex commented on GitHub (May 19, 2025): I Think this should be solved via the #5798 PR, i can not reproduce this there. Also, keep in mind that a Child Collection (or nested collection as they are called at Bitwarden) have there own rights, and nothing is inherited from the parent!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#5842