
Organisation User with "Can Manage" permissions cannot access "Edit Access" of Collection #5609

Open
yurix73 opened this issue Feb 18, 2025 · 4 comments
Labels
bug Something isn't working

Comments

@yurix73

yurix73 commented Feb 18, 2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.2
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.48.0
  • Environment settings overridden!: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: false

Config & Details (Generated via diagnostics page)


Environment settings which are overridden: ADMIN_TOKEN

Failed HTTP Checks:

2FA Connector calls:
Header: 'x-frame-options' is present while it should not

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 5,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 5000000,
  "org_creation_users": "*****************************,**************************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 1000000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "************",
  "signups_verify": true,
  "signups_verify_resend_limit": 3,
  "signups_verify_resend_time": 7200,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 50000,
  "user_send_limit": 50000,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.2

Deployment method

Official Container Image

Custom deployment method

Vaultwarden behind Nginx Reverse Proxy

Reverse Proxy

nginx/1.22.1

Host/Server Operating System

Linux

Operating System Version

Debian 12 (bookworm)

Clients

Web Vault

Client Version

Chromium Version 133.0.6943.53 (Official Build) (64-bit)

Steps To Reproduce

  1. I log in with a user that has the member role "User" and "Can Manage" permissions on a parent collection that contains multiple child collections for which I also have "Can Manage" permissions.
  2. Select a collection that I have "Can Manage" permissions for.
  3. I click on some child collection within that parent collection.
  4. I open the hamburger menu for that subcollection.
  5. Click on 'Edit Access'.

Expected Result

Because this user has "Can Manage" permissions, I should be able to see a modal to edit who has access to the selected collection.

Image

Actual Result

I get redirected to the login page

Logs

[2025-02-18 09:48:11.198][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/collections/details
[2025-02-18 09:48:11.198][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.198][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.198][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2025-02-18 09:48:11.201][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/users/mini-details
[2025-02-18 09:48:11.202][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.202][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.203][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 401 Unauthorized
[2025-02-18 09:48:11.298][vaultwarden::api::notifications][INFO] Closing WS connection from IP_CENSORED
[2025-02-18 09:48:11.956][request][INFO] GET /icons/VAULTWARDEN_URL_CENSORED/icon.png
[2025-02-18 09:48:11.956][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK

Screenshots or Videos

Image

Image

Image

Additional Context

No response

@yurix73 yurix73 added the bug Something isn't working label Feb 18, 2025
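As an added example (not code from the issue, and not Vaultwarden's own code), a small Python parser over the log excerpt above: it pairs each `Request guard ... failed` warning with the response line that follows it, so an operator reviewing server logs can tell a guard-rejected request (the user was authenticated but lacked the role the guard demands) from a genuinely expired session. The line format regexes are assumptions derived from the lines shown; the sample log is copied from the issue.

```python
import re
from collections import Counter

# Constructed sample: the log lines posted in the issue (IDs as posted, no secrets).
SAMPLE_LOG = """\
[2025-02-18 09:48:11.198][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/collections/details
[2025-02-18 09:48:11.198][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.198][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.198][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2025-02-18 09:48:11.201][request][INFO] GET /api/organizations/10b15084-32dc-4410-8197-e21c8395c7a9/users/mini-details
[2025-02-18 09:48:11.202][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2025-02-18 09:48:11.202][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2025-02-18 09:48:11.203][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 401 Unauthorized
[2025-02-18 09:48:11.956][request][INFO] GET /icons/VAULTWARDEN_URL_CENSORED/icon.png
[2025-02-18 09:48:11.956][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
"""

# Assumed shape of a Vaultwarden log line: [timestamp][target][LEVEL] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
GUARD_RE = re.compile(r'Request guard `(?P<guard>[^`]+)` failed: "(?P<reason>[^"]*)"')
RESP_RE = re.compile(r"^\((?P<handler>\w+)\) (?P<method>[A-Z]+) (?P<path>\S+) => (?P<status>\d{3})")

def parse_line(line):
    """Split one log line into timestamp, target, level and message; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def guard_failures(text):
    """Pair each request-guard failure with the response line that follows it."""
    results, pending = [], None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        g = GUARD_RE.search(rec["msg"])
        if g:
            pending = {"ts": rec["ts"], "guard": g["guard"], "reason": g["reason"]}
            continue
        if rec["target"] == "response" and pending is not None:
            r = RESP_RE.match(rec["msg"])
            if r:
                pending.update(handler=r["handler"], method=r["method"], path=r["path"], status=int(r["status"]))
                results.append(pending)
            pending = None  # a response without a preceding guard failure is not a rejection
    return results

def summarize(failures):
    """Count rejections per (guard, handler) so a repeated 401 on one endpoint stands out."""
    return Counter((f["guard"], f["handler"]) for f in failures)
```

On the posted excerpt this yields two `ManagerHeadersLoose` rejections, both answered with 401, which is what makes the web vault drop the user to the login page.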
@BlackDex
Collaborator

We currently do not allow users to be able to manage.
We might need to block that right in some way, but the other issue is that users then are not able to delete items from collections anymore.

We currently only allow managers or higher to actually manage a collection, and not users.
So, if you want someone to be able to manage specific collections, change the role to custom for now.

@stefan0xC
Contributor

While checking the changes for the new web-v2025.2.1 I noticed bitwarden/clients@8c339ea, so it seems like we should make it possible for Managers

@BlackDex
Collaborator

Isn't that more for flexible collections? We do not (yet) support those.
Else we should somehow, instead of logging them out, provide a Vaultwarden-specific warning maybe?
Like, Vaultwarden does not support this for normal user accounts or something similar?

Or, someone would like to fix the whole manage throughout the whole code. But that is a mess from my point of view, mainly because of how collections and groups are linked and the queries which need to be done. I still haven't found the time (or drive) yet to try and fix and refactor that. Also because the SSO PR might have an effect on it, and I want to make some other database handling changes before trying to refactor that part of the code if I will do it myself (doesn't prevent anybody else though).

@stefan0xC
Contributor

stefan0xC commented Feb 20, 2025

Oh, sorry for the confusion, I think I answered the wrong issue #5592
