“Can edit” becomes ”Can manage” #243

New Issue

Closed

opened 2025-10-09 16:18:56 +03:00 by OVERLORD · 9 comments

OVERLORD commented 2025-10-09 16:18:56 +03:00

Owner

Copy Link

Originally created by @sbdiun on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.33.0
• Web-vault version: v2025.1.1
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Alpine)
• Database type: MySQL
• Database version: 8.0.36
• Environment settings overridden!: true
• Uses a reverse proxy: true
• IP Header check: false (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: false
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, TRASH_AUTO_DELETE_DAYS, SIGNUPS_ALLOWED, ORG_CREATION_USERS, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": false,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://*******************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************************",
  "domain_origin": "*****://**********************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 30,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 720,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "*****************************,******************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "105067",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.33.0

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Apache 2.4.62-1.el9_5.2

Host/Server Operating System

Linux

Operating System Version

AlmaLinux 9.5 (Teal Serval)

Clients

Web Vault

Client Version

v2025.1.1

Steps To Reproduce

1. Select a collection
2. Open the "Access" page
3. Ensure a User/group is configured
4. Set permission to "Can edit"
5. Click on "Save"
6. Re-Open the "Access" page

Expected Result

It is expected that the “Can edit” right is still displayed for the user/group.

Actual Result

“Can manage” is written as permission.

If you check in another session with one of the users who is in the group whether they have the “Can manage” right, you will see that the desired “Can edit” right is active (so you cannot change anything in the collection information or access)

But if you click on “Save”, the user/group really gets the right “Can manage” - which can easily be overseen if, for example, you actually want to add a new group

Logs

Screenshots or Videos

[2025-01-29 15:45:11.280][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/groups
[2025-01-29 15:45:11.281][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/details
[2025-01-29 15:45:11.282][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/users/mini-details
[2025-01-29 15:45:11.287][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 200 OK
[2025-01-29 15:45:11.288][response][INFO] (get_groups) GET /api/organizations/<org_id>/groups => 200 OK
[2025-01-29 15:45:11.304][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK
[2025-01-29 15:45:19.574][request][INFO] PUT /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/1b052b32-15ba-4767-8af2-7c48c533e780
[2025-01-29 15:45:19.608][response][INFO] (put_organization_collection_update) PUT /api/organizations/<org_id>/collections/<col_id> => 200 OK
[2025-01-29 15:45:29.974][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/groups
[2025-01-29 15:45:29.978][response][INFO] (get_groups) GET /api/organizations/<org_id>/groups => 200 OK
[2025-01-29 15:45:30.013][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/users/mini-details
[2025-01-29 15:45:30.017][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 200 OK
[2025-01-29 15:45:30.051][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/details
[2025-01-29 15:45:30.074][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK
[2025-01-29 15:45:34.031][request][INFO] PUT /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/1b052b32-15ba-4767-8af2-7c48c533e780
[2025-01-29 15:45:34.061][response][INFO] (put_organization_collection_update) PUT /api/organizations/<org_id>/collections/<col_id> => 200 OK

No event log was found.

Additional Context

No response

Originally created by @sbdiun on GitHub. ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.0 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Database type: MySQL * Database version: 8.0.36 * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: false (X-Forwarded-For) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, TRASH_AUTO_DELETE_DAYS, SIGNUPS_ALLOWED, ORG_CREATION_USERS, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": false, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://*******************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********************************", "domain_origin": "*****://**********************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 30, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 720, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "*****************************,******************************", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*************************", "smtp_from_name": "Vaultwarden", "smtp_host": "", "smtp_password": null, "smtp_port": 25, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "105067", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.33.0 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Apache 2.4.62-1.el9_5.2 ### Host/Server Operating System Linux ### Operating System Version AlmaLinux 9.5 (Teal Serval) ### Clients Web Vault ### Client Version v2025.1.1 ### Steps To Reproduce 1. Select a collection 2. Open the "Access" page 3. Ensure a User/group is configured 4. Set permission to "Can edit" 5. Click on "Save" 6. Re-Open the "Access" page ### Expected Result It is expected that the “Can edit” right is still displayed for the user/group. ### Actual Result “Can manage” is written as permission. If you check in another session with one of the users who is in the group whether they have the “Can manage” right, you will see that the desired “Can edit” right is active (so you cannot change anything in the collection information or access) But if you click on “Save”, the user/group really gets the right “Can manage” - which can easily be overseen if, for example, you actually want to add a new group ### Logs ```text ``` ### Screenshots or Videos [2025-01-29 15:45:11.280][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/groups [2025-01-29 15:45:11.281][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/details [2025-01-29 15:45:11.282][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/users/mini-details [2025-01-29 15:45:11.287][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 200 OK [2025-01-29 15:45:11.288][response][INFO] (get_groups) GET /api/organizations/<org_id>/groups => 200 OK [2025-01-29 15:45:11.304][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK [2025-01-29 15:45:19.574][request][INFO] PUT /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/1b052b32-15ba-4767-8af2-7c48c533e780 [2025-01-29 15:45:19.608][response][INFO] (put_organization_collection_update) PUT /api/organizations/<org_id>/collections/<col_id> => 200 OK [2025-01-29 15:45:29.974][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/groups [2025-01-29 15:45:29.978][response][INFO] (get_groups) GET /api/organizations/<org_id>/groups => 200 OK [2025-01-29 15:45:30.013][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/users/mini-details [2025-01-29 15:45:30.017][response][INFO] (get_org_user_mini_details) GET /api/organizations/<org_id>/users/mini-details => 200 OK [2025-01-29 15:45:30.051][request][INFO] GET /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/details [2025-01-29 15:45:30.074][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK [2025-01-29 15:45:34.031][request][INFO] PUT /api/organizations/d09fb8b4-29e9-4cf8-af62-f92f7fc3d4bb/collections/1b052b32-15ba-4767-8af2-7c48c533e780 [2025-01-29 15:45:34.061][response][INFO] (put_organization_collection_update) PUT /api/organizations/<org_id>/collections/<col_id> => 200 OK No event log was found. ### Additional Context _No response_

OVERLORD added the bug label 2025-10-09 16:18:56 +03:00

OVERLORD closed this issue 2025-10-09 16:18:57 +03:00

OVERLORD commented 2025-10-09 16:18:59 +03:00

Author

Owner

Copy Link

@sbdiun commented on GitHub:

Hello,
We have set up an organization in which we create main collections for individual teams, to which the team then has editing rights.
So that we (IT Service) do not have to create permanent collections and modify access for all teams, we would like to define one or more members of each team as managers who will then manage access to the collection.
However, not everyone from the team should be given management rights just because they are allowed to create and delete items in it.
Is there a way to do this?

The manager should also be allowed to create new (sub)collections.
However, he is currently not allowed to do this, but as an administrator he has too many rights, he should not be allowed to access collections from other teams. But I think this will be fixed by bug #5489, right?

@sbdiun commented on GitHub: Hello, We have set up an organization in which we create main collections for individual teams, to which the team then has editing rights. So that we (IT Service) do not have to create permanent collections and modify access for all teams, we would like to define one or more members of each team as managers who will then manage access to the collection. However, not everyone from the team should be given management rights just because they are allowed to create and delete items in it. Is there a way to do this? The manager should also be allowed to create new (sub)collections. However, he is currently not allowed to do this, but as an administrator he has too many rights, he should not be allowed to access collections from other teams. But I think this will be fixed by bug #5489, right?

OVERLORD commented 2025-10-09 16:18:59 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

I think it works as expected.
The main reason here is that we want to try to keep compatible with the previous way of working where managers are able to manage collections and edit/delete ciphers.

So, if the user you are setting this for is a manger or higher, they will always get can manage rights instead of can edit.
A normal user will get can edit rights.

@BlackDex commented on GitHub: I think it works as expected. The main reason here is that we want to try to keep compatible with the previous way of working where managers are able to manage collections and edit/delete ciphers. So, if the user you are setting this for is a manger or higher, they will always get `can manage` rights instead of `can edit`. A normal user will get `can edit` rights.

OVERLORD commented 2025-10-09 16:18:59 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

Is there a way to do this?

Why don't you setup separate Organizations for each team? That way you could have the manager be Administrators for their team without them having access to other teams and they can also control who has access to what in their Organization.

I think this will be fixed by bug https://github.com/dani-garcia/vaultwarden/issues/5489, right?

It allows managers to create new collections yes and unless you give an manager access to all collections, they should only be able to change (and see) the collections they have been given full write access to (where Can edit automatically implies Can Manage for Manager / Custom users).

@stefan0xC commented on GitHub: > Is there a way to do this? Why don't you setup separate Organizations for each team? That way you could have the manager be Administrators for their team without them having access to other teams and they can also control who has access to what in their Organization. > I think this will be fixed by bug https://github.com/dani-garcia/vaultwarden/issues/5489, right? It allows managers to create new collections yes and unless you give an manager access to all collections, they should only be able to change (and see) the collections they have been given full write access to (where `Can edit` automatically implies `Can Manage` for Manager / Custom users).

OVERLORD commented 2025-10-09 16:19:00 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

One more question: The custom role implies that you can configure something, for example, could the right to create collections be restricted? Where can you set the permissions in Vaultwarden, or is that a misunderstanding on my part?

We currently use the Custom role as a placeholder for the deprecated (i.e. removed) Manager role. We don't yet have support for custom permissions. If they were implemented we could probably also get rid of this hack (cf. #5219).

@stefan0xC commented on GitHub: > One more question: The custom role implies that you can configure something, for example, could the right to create collections be restricted? Where can you set the permissions in Vaultwarden, or is that a misunderstanding on my part? We currently use the Custom role as a placeholder for the deprecated (i.e. removed) Manager role. We don't yet have support for custom permissions. If they were implemented we could probably also get rid of this hack (cf. #5219).

OVERLORD commented 2025-10-09 16:19:01 +03:00

Author

Owner

Copy Link

@sbdiun commented on GitHub:

Ok, then we'll probably go that way.

One more question: The custom role implies that you can configure something, for example, could the right to create collections be restricted?
Where can you set the permissions in Vaultwarden, or is that a misunderstanding on my part?

@sbdiun commented on GitHub: Ok, then we'll probably go that way. One more question: The custom role implies that you can configure something, for example, could the right to create collections be restricted? Where can you set the permissions in Vaultwarden, or is that a misunderstanding on my part?

OVERLORD commented 2025-10-09 16:19:02 +03:00

Author

Owner

Copy Link

@sbdiun commented on GitHub:

In any case, thank you very much for your answers
:-)

@sbdiun commented on GitHub: In any case, thank you very much for your answers :-)

OVERLORD commented 2025-10-09 16:19:02 +03:00

Author

Owner

Copy Link

@sbdiun commented on GitHub:

I think I found the answer on this Bitwarden help page, but in a strange way:
The German version contains an English comment announcing exactly that in a later version. On the original page, the comment is missing.

https://bitwarden.com/de-de/help/collection-management/#collection-management-settings

“Collection management settings will be available for self-hosted Bitwarden servers in a subsequent release.”

Is there any hope that you can take it over?

@sbdiun commented on GitHub: I think I found the answer on this Bitwarden help page, but in a strange way: The German version contains an English comment announcing exactly that in a later version. On the original page, the comment is missing. https://bitwarden.com/de-de/help/collection-management/#collection-management-settings “Collection management settings will be available for self-hosted Bitwarden servers in a subsequent release.” Is there any hope that you can take it over?

OVERLORD commented 2025-10-09 16:19:02 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

That has nothing to do with the way how Vaultwarden works right now.

The main reason Vaultwarden works as currently is the case is because we were stuck on web-vault v2024.6.x which was very old. To support the newer web-vault we needed a way to either mimic the manager role in an easy way, or change everything regarding the whole custom roles which has a great impact and needs very good testing.

That kind of change will take a much longer to fix, since we check on several places now if someone is a manger, admin or owner to be allowed to handle special endpoints. Switching to the more fine grained custom role needs careful testing and changing these permission checks.

So, until someone (me or someone else) is going to start on that, this hackisch way of mimicking the old manager role will stay as-is.

@BlackDex commented on GitHub: That has nothing to do with the way how Vaultwarden works right now. The main reason Vaultwarden works as currently is the case is because we were stuck on web-vault v2024.6.x which was very old. To support the newer web-vault we needed a way to either mimic the manager role in an easy way, or change everything regarding the whole custom roles which has a great impact and needs very good testing. That kind of change will take a much longer to fix, since we check on several places now if someone is a manger, admin or owner to be allowed to handle special endpoints. Switching to the more fine grained custom role needs careful testing and changing these permission checks. So, until someone (me or someone else) is going to start on that, this hackisch way of mimicking the old manager role will stay as-is.

OVERLORD commented 2025-10-09 16:19:02 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

moving this as not planned right now to discussions Ideas.

@BlackDex commented on GitHub: moving this as not planned right now to discussions Ideas.

OVERLORD referenced this issue 2025-10-09 18:29:59 +03:00

[PR #243] [MERGED] Bump vault version to 2.5.0 [wip] #3780

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#243