Manager role can create a (nested) collection outside of the one he is assigned to #309

Closed
opened 2025-10-09 16:21:44 +03:00 by OVERLORD · 4 comments

Originally created by @joao-paixao on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.32.5
  • Web-vault version: v2024.6.2c
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.46.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********",
  "domain_origin": "*****://***********",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "***********",
  "smtp_password": null,
  "smtp_port": 1025,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.32.5

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

no

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.1 LTS

Clients

Web Vault

Client Version

2024.6.2c

Steps To Reproduce

Create a user with the manager role.
Give the user access to a collection.
Log in as the manager user.
Create a new collection (a nested collection).
Go to Nest Collection Under.
Select No collection and click Save.

Expected Result

The manager is assigned to collection SubCollection 1; he should only be allowed to create a new collection under the assigned collection.
Vault (Can't Create)
├── Collection 1 (Can't create)
│ └── SubCollection 1 (Can create)
├── Collection 2 (Can't create)
└── Unassigned

Actual Result

The manager is assigned to collection SubCollection 1, yet he is allowed to create a new collection that is not under the assigned collection.

Vault (Can Create)
├── Collection 1 (Can't create)
│ └── SubCollection 1 (Can create)
├── Collection 2 (Can't create)
└── Unassigned

Logs

No response

Screenshots or Videos

No response

Additional Context

No response

OVERLORD added the bug label 2025-10-09 16:21:44 +03:00

@BlackDex commented on GitHub:

Again, that seems like a client-side (Bitwarden-managed) item, which is not under this project's control. And since we can't see a difference between nested and non-nested collections, we can't fix that on the server side.


@joao-paixao commented on GitHub:

If I have a user with the Manager role assigned to the collection Development,
what I would expect is that only Development (or other collections assigned to him) would appear as an option under Nest Collection Under.
But in fact he can simply self-assign to a new collection, which is fine, but only if that new collection remains nested under one of the assigned ones.

Example:
image: https://github.com/user-attachments/assets/646f97fe-f74b-44f3-a94b-94ef42450b87
It would be fine to create a new collection under Development or OtherCollection.
But I don't understand why the option No collection exists, making it possible to create a new collection NOT under one of the collections assigned to him.


@joao-paixao commented on GitHub:

Ok, since this is a situation that cannot be controlled by you, I have nothing more to add.
Thank you and you can close the issue.


@BlackDex commented on GitHub:

I'm not totally sure what you mean here. If you could provide more detailed steps to follow, maybe with some screenshots, that might help to clarify it.

Vaultwarden can't see or know if a collection is nested or not.
That information is not shared with or visible to the server.

For Vaultwarden it is just another collection with its own uuid, name and rights.

A manager (without access-all, directly or via group) can only access assigned collections and, as far as I know, can only nest under an assigned collection.
If that currently is not the case, then it probably is a bug in the client, and not something we can fix on the server side, as we do not know if it is nested or not.

I do have a PR open to update the web-vault to a newer version which might solve your issue.

Reference: starred/vaultwarden#309