Logout if a manager role user opens settings of an organisation #323

Closed
opened 2026-02-04 19:36:08 +03:00 by OVERLORD · 4 comments
Owner

Originally created by @kaotika on GitHub (Jun 17, 2019).

I added a user to an organisation with user rights. I changed the user's permissions to manager later. If the user tries to open the settings menu of the organisation, the user will be logged out with a session timed out message.

Logs (rustbacktrace=full)

```
[2019-06-17 09:29:43][rocket::rocket][INFO] GET /api/collections application/json:
[2019-06-17 09:29:43][_][INFO] Matched: GET /api/collections (get_user_collections)
[2019-06-17 09:29:43][_][INFO] Outcome: Success
[2019-06-17 09:29:43][_][INFO] Response succeeded.
[2019-06-17 09:29:44][rocket::rocket][INFO] GET /api/organizations/0211c99f-2947-470e-9408-16a619436234/collections/64abcfbf-5d84-4ce2-ac5e-3e26a2d5ebb9/details application/json:
[2019-06-17 09:29:44][_][INFO] Matched: GET /api/organizations/<org_id>/collections/<coll_id>/details (get_org_collection_detail)
[2019-06-17 09:29:44][bitwarden_rs::auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2019-06-17 09:29:44][_][INFO] Outcome: Failure
[2019-06-17 09:29:44][_][WARN] Responding with 401 Unauthorized catcher.
[2019-06-17 09:29:44][_][INFO] Response succeeded.
```

Another related issue:

After relogin in the same window, the vault is greyed out completely and no UI element is usable. The page is operational after a reload.

![image](https://user-images.githubusercontent.com/1773553/59594480-31985e80-90f4-11e9-8a0b-a1b5ff86bc72.png)


@mprasil commented on GitHub (Jun 17, 2019):

The "manager" permission level is not really supported in bitwarden_rs beyond a very basic implementation that understands the order of privilege from user to owner. It is one of the feature requests in #246, but there isn't much traction, as creating more organizations alleviates the need for more granular in-org permissions. (A PR would certainly be welcome though.)

As for the broken UI, it got an unexpected reply from the server; this tends to break the UI in general. As you noted, a reload does restore the functionality.

What did you try to accomplish with manager level? Maybe there's some other way to do the same or maybe there's some subset of the API that we can extend to support manager level of access.

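The log in the report above shows an authenticated manager receiving a 401 from an Admin/Owner-only endpoint, which the web client reads as an expired session, and the reply above describes the privilege order from user to owner. The following is an added illustration (not vaultwarden/bitwarden_rs code): a role enum ordered user < manager < admin < owner, and an authorization check that keeps 401 for a missing or invalid session and returns 403 Forbidden for a valid session whose role is too low, so the client has no reason to log the user out. The names `OrgRole`, `Denial`, `Session`, `authorize` and the membership data are assumptions made for the example.

```rust
// Added example, not the project's own implementation: ordered org roles plus an
// authorization check that distinguishes "no valid session" (401) from
// "valid session, insufficient role" (403).

/// Organisation roles. The derived `Ord` follows declaration order,
/// so User < Manager < Admin < Owner.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum OrgRole {
    User,
    Manager,
    Admin,
    Owner,
}

/// Why a request was denied. The two cases map to different HTTP statuses:
/// a client that treats 401 as "session expired" must never see it for a
/// mere privilege shortfall.
#[derive(Debug, PartialEq, Eq)]
pub enum Denial {
    Unauthenticated, // no or invalid session token -> 401
    Forbidden,       // authenticated, but not allowed -> 403
}

/// A decoded session: the user and their (org_id, role) memberships.
/// Hypothetical shape, constructed for this example.
pub struct Session {
    pub user_id: String,
    pub org_memberships: Vec<(String, OrgRole)>,
}

/// Authorize an endpoint that requires at least `required` in `org_id`.
/// `None` stands for a request that carried no usable session.
pub fn authorize(
    session: Option<&Session>,
    org_id: &str,
    required: OrgRole,
) -> Result<OrgRole, Denial> {
    // Missing/invalid session is the only case that yields 401.
    let session = session.ok_or(Denial::Unauthenticated)?;

    // Authenticated but not a member of this org: a privilege problem, not
    // a session problem, so 403 rather than 401.
    let role = session
        .org_memberships
        .iter()
        .find(|(id, _)| id == org_id)
        .map(|(_, role)| *role)
        .ok_or(Denial::Forbidden)?;

    // Member with too low a role: again 403.
    if role >= required {
        Ok(role)
    } else {
        Err(Denial::Forbidden)
    }
}

/// HTTP status to send for a denial.
pub fn status_code(denial: &Denial) -> u16 {
    match denial {
        Denial::Unauthenticated => 401,
        Denial::Forbidden => 403,
    }
}

fn main() {
    // Constructed sample: a manager of "org-a" calls an Admin-only endpoint.
    let manager = Session {
        user_id: "user-1".to_string(),
        org_memberships: vec![("org-a".to_string(), OrgRole::Manager)],
    };
    match authorize(Some(&manager), "org-a", OrgRole::Admin) {
        Ok(role) => println!("allowed as {:?}", role),
        Err(d) => println!("denied: {:?} -> HTTP {}", d, status_code(&d)),
    }
    // A request with no session still gets the 401 the client expects.
    let d = authorize(None, "org-a", OrgRole::User).unwrap_err();
    println!("no session: {:?} -> HTTP {}", d, status_code(&d));
}
```

With this split, the collection-details call in the report would answer 403 to the manager; the web client would still show an error, but it would not tear down the session.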

@kaotika commented on GitHub (Jun 17, 2019):

Ok, makes sense. I clicked on the collection name.
Maybe it's easier to hide the elements that are not usable until they are fully implemented.
I intend to use it for a small team ~10 persons max, and I don't see a need for the manager role.


@mprasil commented on GitHub (Jun 17, 2019):

We can't just hide these parts, because they are valid for users with a higher level of access. I think we need to improve some API responses to either not expose some info to managers or to implement collection-managing functionality for managers.


@mprasil commented on GitHub (Nov 11, 2019):

I think we can close this one as the question was answered.

Reference: starred/vaultwarden#323