Single Organization policy erroneously removed all members from org #1813

Closed
opened 2026-02-05 01:53:47 +03:00 by OVERLORD · 8 comments

Originally created by @Spunkie on GitHub (Dec 28, 2023).

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.1
  • Web-vault version: v2023.10.0
  • OS/Arch: linux/aarch64
  • Running within Docker: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Polished Geek",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "****************",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": "73981",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Steps to reproduce

I was trying to turn on the Account recovery administration org policy but it required the Single Organization policy to be turned on first. When turning on the Single Organization policy it does warn that:

Organization members who are not owners or admins and are already a member of another organization will be removed from your organization. 

But I didn't expect this to apply to anyone on our vaultwarden instance because our instance only has a single org on it.

Expected behaviour

I would have expected the policy to turn on and that no one would be removed from my org.

Actual behaviour

All non-admin/owners were removed from my org.

OVERLORD added the bug label 2026-02-05 01:53:47 +03:00

@BlackDex commented on GitHub (Dec 28, 2023):

What happened is the expected behavior as described at Bitwarden.
https://bitwarden.com/help/policies/#single-organization


@Spunkie commented on GitHub (Dec 28, 2023):

@BlackDex I've read the passage you linked multiple times and it's still unexpected to me.

Users in the organization who are members of multiple organizations will be removed from your organization when you turn on this policy.

None of the ejected members were part of multiple orgs. Sorry I'm being dense here, can you point out the exact wording that I'm missing that would make this expected behavior?


This policy is enforced even for users who have only accepted invitation to your organization.

There is that passage, but I'm pretty sure this is referring to members that have accepted an invite to an org but not yet been confirmed by an admin.


@BlackDex commented on GitHub (Dec 28, 2023):

Are you sure the users were not part of any other org?
Because the code tells me they should have.

https://github.com/dani-garcia/vaultwarden/blob/cbdcf8ef9f1ba0f4ad63f14d366ee778979a91ee/src/api/core/organizations.rs#L1741..L1764

It checks if the count of organisations is greater than 1 and if the user isn't an admin or owner or not in an invited state; if the count is then more than 1, those users will be deleted.

So that tells me the users should be in a different organization too.
Double check the admin interface and see of which orgs they are a member.

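The rule BlackDex describes above (remove a member only if they are not an owner or admin, are past the invited state, and belong to more than one organization), modelled as a dry-run an admin can use to preview who the Single Organization policy would remove before enabling it. This is an added example, not vaultwarden's own code; Role, Status and Membership are simplified stand-ins for the project's real types, and the membership data is constructed.

```rust
// Added illustration, not vaultwarden's code: preview which members the
// Single Organization policy would remove, following the rule described in
// the thread. Type names are simplified stand-ins for the project's types.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Role { Owner, Admin, User }

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Status { Invited, Accepted, Confirmed }

#[derive(Clone, Debug)]
pub struct Membership { pub user: &'static str, pub org: &'static str, pub role: Role, pub status: Status }

/// Users in `org` that enabling the policy would remove. The org count must be
/// taken over the whole instance (all memberships), not just over `org`.
pub fn would_be_removed(all: &[Membership], org: &str) -> Vec<&'static str> {
    // Distinct organizations per user: this is the count the policy compares against 1.
    let mut orgs_per_user: HashMap<&str, HashSet<&str>> = HashMap::new();
    for m in all { orgs_per_user.entry(m.user).or_default().insert(m.org); }
    let mut out: Vec<&'static str> = all.iter()
        .filter(|m| m.org == org)
        .filter(|m| m.role == Role::User)          // owners and admins are exempt
        .filter(|m| m.status != Status::Invited)   // invited-only members are skipped
        .filter(|m| orgs_per_user[m.user].len() > 1)
        .map(|m| m.user)
        .collect();
    out.sort();
    out.dedup();
    out
}

/// Constructed sample: org "acme" plus a second org "other" on the same instance.
pub fn sample() -> Vec<Membership> {
    use Role::*; use Status::*;
    vec![
        Membership { user: "alice", org: "acme",  role: Owner, status: Confirmed },
        Membership { user: "bob",   org: "acme",  role: User,  status: Confirmed },
        Membership { user: "carol", org: "acme",  role: User,  status: Accepted },
        Membership { user: "carol", org: "other", role: User,  status: Confirmed },
        Membership { user: "dave",  org: "acme",  role: User,  status: Invited },
        Membership { user: "dave",  org: "other", role: User,  status: Confirmed },
    ]
}

fn main() {
    // Only carol: bob has one org, alice is an owner, dave is still invited.
    println!("would remove: {:?}", would_be_removed(&sample(), "acme")); // ["carol"]
}
```

On an instance with a single org, as in this report, the preview must come back empty; a non-empty result there points at the count query rather than at the members.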

@Spunkie commented on GitHub (Dec 28, 2023):

@BlackDex Unless they are talking about orgs outside my instance then yes, there is only one org on my instance:
image: https://github.com/dani-garcia/vaultwarden/assets/1653976/671da4af-ac98-4887-9d2a-e1835660f63f


@BlackDex commented on GitHub (Dec 28, 2023):

And the user count there doesn't match the amount of users you are expecting? Those 18 are all admin or owner level users?


@BlackDex commented on GitHub (Dec 28, 2023):

Looks like the query which does the count is wrong.
Thanks for reporting.


@tessus commented on GitHub (Jan 1, 2024):

@BlackDex sorry for asking in this PR, but it is related. Isn't every user in the pseudo org vaultwarden when they are invited to no specific org?
I never saw anything in the code that would exclude users that are in this pseudo group.


@BlackDex commented on GitHub (Jan 1, 2024):

That is only a group used for invites, nothing used for anything else.


Reference: starred/vaultwarden#1813