Collection creation causes permission error in logs and logout in interface #502

Closed
opened 2025-10-09 16:34:56 +03:00 by OVERLORD · 8 comments
Owner

Originally created by @Basecatcherz on GitHub.

Collection creation causes permission error in logs and logout in interface

Deployment environment

  • vaultwarden version: v1.30.5
  • Install method: Docker Image
  • Clients used: web vault
  • Reverse proxy and version: NGINX Proxy Manager v2.10.4
  • Other relevant details:

Steps to reproduce

  1. Login to web vault
  2. Select a vault
  3. Select: New --> Collection

Expected behaviour

Collection creation assistant opens.

Actual behaviour

Logout and permission errors in log.

Troubleshooting data

The vault was initially created by me. I set another account as owner, later.
I already tried every available role to get access with my account, again.

Logs

[2024-04-23 10:52:29.117][request][INFO] GET /api/organizations/18e6e129-7f05-4e60-9059-fb6aec233876/collections/details
[2024-04-23 10:52:29.118][request][INFO] GET /api/organizations/18e6e129-7f05-4e60-9059-fb6aec233876/users?
[2024-04-23 10:52:29.119][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-04-23 10:52:29.119][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-04-23 10:52:29.120][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2024-04-23 10:52:29.120][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-04-23 10:52:29.120][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-04-23 10:52:29.120][response][INFO] (get_org_users) GET /api/organizations/<org_id>/users?<data..> => 401 Unauthorized
[2024-04-23 10:52:29.178][request][INFO] GET /api/config
[2024-04-23 10:52:29.178][response][INFO] (config) GET /api/config => 200 OK
[2024-04-23 10:52:29.231][vaultwarden::api::notifications][INFO] Closing WS connection from 192.168.2.134
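As an added defender-side example that is not part of this issue or of the vaultwarden project: a small Python script that parses the extended_logging lines quoted above and joins each failed request guard to the 401 response it produced, so repeated denials on organization endpoints show up in the logs as a role problem instead of only as an unexpected logout in the web vault. The regexes and the `Denial` record layout are my own assumptions about the log format shown here.

```python
"""Pair vaultwarden request-guard failures with the 401 responses they cause.

With extended_logging enabled vaultwarden writes ``[timestamp][target][LEVEL] message``
lines. A permission denial appears as a WARN ("Request guard `X` failed: ...") followed
by a [response] line ending in "=> 401 Unauthorized"; this joins the two.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Sample input: the log lines quoted in the issue report above.
SAMPLE_LOG = """\
[2024-04-23 10:52:29.117][request][INFO] GET /api/organizations/18e6e129-7f05-4e60-9059-fb6aec233876/collections/details
[2024-04-23 10:52:29.118][request][INFO] GET /api/organizations/18e6e129-7f05-4e60-9059-fb6aec233876/users?
[2024-04-23 10:52:29.119][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-04-23 10:52:29.119][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-04-23 10:52:29.120][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2024-04-23 10:52:29.120][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-04-23 10:52:29.120][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-04-23 10:52:29.120][response][INFO] (get_org_users) GET /api/organizations/<org_id>/users?<data..> => 401 Unauthorized
[2024-04-23 10:52:29.178][request][INFO] GET /api/config
[2024-04-23 10:52:29.178][response][INFO] (config) GET /api/config => 200 OK
[2024-04-23 10:52:29.231][vaultwarden::api::notifications][INFO] Closing WS connection from 192.168.2.134
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<target>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
RESPONSE_RE = re.compile(r"^\((?P<handler>\w+)\) (?P<method>[A-Z]+) (?P<path>\S+) => (?P<status>\d{3}) ")
GUARD_RE = re.compile(r'Request guard `(?P<guard>\w+)` failed: "(?P<reason>[^"]*)"')


@dataclass(frozen=True)
class Denial:
    """One rejected request, with the guard that rejected it when known."""
    ts: str
    handler: str
    method: str
    path: str
    status: int
    guard: Optional[str]
    reason: Optional[str]


def find_denials(lines: Iterable[str]) -> list[Denial]:
    """Return every 401/403 response, joined to the guard warning that preceded it."""
    denials: list[Denial] = []
    pending: Optional[tuple[str, str]] = None  # (guard, reason) of the latest guard failure
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a vaultwarden log line (e.g. a startup banner)
        target, level, msg = m["target"], m["level"], m["msg"]
        if level == "WARN" and (g := GUARD_RE.search(msg)):
            pending = (g["guard"], g["reason"])
            continue
        if target == "response" and (r := RESPONSE_RE.match(msg)):
            status = int(r["status"])
            if status in (401, 403):
                guard, reason = pending if pending else (None, None)
                denials.append(Denial(m["ts"], r["handler"], r["method"], r["path"], status, guard, reason))
            pending = None  # any response closes the current request, whatever its status
    return denials


def denials_by_handler(denials: Iterable[Denial]) -> dict[str, int]:
    """Count denials per handler; a burst on org endpoints points at a member-role problem."""
    return dict(Counter(d.handler for d in denials))


if __name__ == "__main__":
    found = find_denials(SAMPLE_LOG.splitlines())
    for d in found:
        print(f"{d.ts} {d.status} {d.method} {d.path} via {d.handler}: guard={d.guard} ({d.reason})")
    print(denials_by_handler(found))
```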

@BlackDex commented on GitHub:

Also, the only way I can get this message via the web-vault is by setting a user as manager/admin/owner, with that user go to the org interface, open the collection creation form. With the other user demote that user to user again.

Fill in the form and submit, that will generate the error, but that is expected.


@Basecatcherz commented on GitHub:

> What do you mean? Did the other owner change your role? Kicked you out of the organization? How did you try to get access? Did you add yourself in the database? Did you change your role in the `/admin/users/overview` page? Also can you please post the support string from the `/admin/diagnostics` page?

I created the Vault using my personal account. Later, I created an account for administrative tasks, gave it the owner role and set my personal account as user.
When I tried to create a collection using my personal account I ran into the issue for the first time. To fix it I tried to give myself admin, then manager, then owner. I changed the roles using `/organizations/xxx-xxx-xxx-xxx-xxx/members`, later using `/admin/users/overview`.

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5
  • Web-vault version: v2024.1.2b
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden: ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************************",
  "domain_origin": "*****://***********************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "**********************",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "**********************************",
  "smtp_host": "***********************************************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

@BlackDex commented on GitHub:

It works for me, at least when using `testing`.

I suggest to test that version, but it actually looks like either the token is expired or not correct, or something else during the login is incorrect.


@stefan0xC commented on GitHub:

> The vault was initially created by me. I set another account as owner, later.
> I already tried every available role to get access with my account, again.

What do you mean? Did the other owner change your role? Kicked you out of the organization?
How did you try to get access? Did you add yourself in the database? Did you change your role in the `/admin/users/overview` page? Also can you please post the support string from the `/admin/diagnostics` page?


@Basecatcherz commented on GitHub:

> It works for me, at least when using `testing`.
>
> I suggest to test that version, but it actually looks like either the token is expired or not correct, or something else during the login is incorrect.

I can confirm that it works in testing.
I can also confirm that I like the new interface 😄


@Basecatcherz commented on GitHub:

> So, what I see here is what I described in my previous post. You changed your personal member account to a user level. Users are not allowed to create collections, which is why you see that message.
>
> If you have a special admin user to manage the organization, you need to use that user to make those changes. Else, give your personal member account manager rights, which is the least privileged level, but that is still able to create collections.
>
> Vaultwarden does a valid and correct check for these privileges and that is why you get that message. Since we are not able to reproduce this without actually breaking it in a way it should be broken, and your description to me seems that this was also the case, I'm going to close this issue.
>
> The solution is to make sure you granted the organization member the correct permission level to allow these actions.

But, even when I set my personal account back to owner, as described above, I get this error. In testing it works fine.


@BlackDex commented on GitHub:

So, what I see here is what I described in my previous post. You changed your personal member account to a user level. Users are not allowed to create collections, which is why you see that message.

If you have a special admin user to manage the organization, you need to use that user to make those changes.
Else, give your personal member account manager rights, which is the least privileged level, but that is still able to create collections.

Vaultwarden does a valid and correct check for these privileges and that is why you get that message.
Since we are not able to reproduce this without actually breaking it in a way it should be broken, and your description to me seems that this was also the case, I'm going to close this issue.

The solution is to make sure you granted the organization member the correct permission level to allow these actions.


@Basecatcherz commented on GitHub:

I now "fixed" the issue by removing my account from the vault and re-adding it again.


Reference: starred/vaultwarden#502