web-vault v2024.12.0 Manage role permission issue #2125

Closed
opened 2026-02-05 03:21:14 +03:00 by OVERLORD · 4 comments
Owner

Originally created by @Misterbabou on GitHub (Jan 8, 2025).

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.32.7-bc913d11
  • Web-vault version: v2024.12.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: MySQL
  • Database version: 11.6.2-MariaDB-ubu2404
  • Environment settings overridden!: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Environment settings which are overridden: DOMAIN, TRASH_AUTO_DELETE_DAYS, ORG_CREATION_USERS, EMERGENCY_ACCESS_ALLOWED, ADMIN_TOKEN, INVITATION_ORG_NAME, DISABLE_2FA_REMEMBER

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://****************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********",
  "domain_origin": "*****://*********",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 7,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden GO/PST",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 15,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.7-bc913d11

Deployment method

Build from source

Custom deployment method

No response

Reverse Proxy

No proxy

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04

Clients

Web Vault

Client Version

No response

Steps To Reproduce

Issue 1:

  1. Go to your organisation as organisation owner
  2. Create a collection
  3. Click on Groups and create a new group and link the new collection with Can edit permission and press Save
  4. Click on the newly created group: in the Collections tab, the permission shown is Can manage instead of Can edit

Issue 2:

  1. Go to your organisation as organisation owner
  2. Create a collection
  3. Click on 'Members' and edit a Role user member. On the Collections tab, link the new collection with Can manage permission and press Save
  4. Click again on the member: in the Collections tab, the permission shown is Can edit instead of Can manage

Expected Result

Keep the permission previously set in the web-vault

Actual Result

  • For Members, the permission Can manage becomes Can edit
  • For Groups, the permission Can edit becomes Can manage

Logs

No response

Screenshots or Videos

No response

Additional Context

Thanks for the work added in #5219

The feature might not be added yet, but for now, users with Can manage permissions (on a collection) can't manage the collection in the Password Manager.

On Vaultwarden side:
[Screenshot: 2025-01-08_14-47]
(note: Issues 1 and 2 prevent me from having a Can manage in User permission and a Can edit in group permission)

User vault:
[Screenshot: 2025-01-08_14-47_1]

User can't edit the collection even if they have Can manage permission

On Bitwarden side:
[Screenshot: 2025-01-08_14-37]

User vault:
[Screenshot: 2025-01-08_14-38]

User can edit the collection with Can manage permission

OVERLORD added the bug label 2026-02-05 03:21:14 +03:00

@BlackDex commented on GitHub (Jan 8, 2025):

I'm not sure how you got the Can Manage rights for users, since that is currently not something Vaultwarden supports, and thus have this function. It only works for Owners, Admins and Managers which have access_all rights currently, which means, for users this doesn't work.

This is the same as reported in #5361.
Which in the end means, we need to add support for this specific cbac (Collection based access control) or whatever we want to call it.


@BlackDex commented on GitHub (Jan 8, 2025):

FYI @chrpinedo


@Misterbabou commented on GitHub (Jan 8, 2025):

I understand that Collection based access control is not implemented yet.

However, the UI behavior described above might be an issue in the future as it changes the permission (at least on the UI side):

For Members, the permission Can manage becomes Can edit after a save. I didn't manage to set Can manage
For Groups, the permission Can edit becomes Can manage after a save. I didn't manage to set Can edit

See the Steps to reproduce above


@raultaboraz commented on GitHub (Jan 21, 2025):

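I have exactly the same issue (I opened by mistake a thread in Bitwarden forum: https://community.bitwarden.com/t/cant-delete-items-from-my-organization-this-behaviour-has-suddenly-changed/78929)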


Reference: starred/vaultwarden#2125