Organization permission issues #690

Closed
opened 2026-02-04 22:14:01 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @new2t on GitHub (Apr 18, 2020).

Subject of the issue

Your environment

  • Bitwarden_rs version:
  • Install method:
  • Clients used:
  • Reverse proxy and version:
  • Version of mysql/postgresql:
  • Other relevant information:

Steps to reproduce

Invite and Confirm a user with USER TYPE="User" and ACCESS CONTROL="This user can access only the selected collections." and select no collections.

Expected behaviour

Read Only user cannot add item to the organization.

Actual behaviour

Log in as the user and add an item, either from the organization or set the ownership to the organization. The COLLECTIONS will show "There are no collections to list.", but pressing save will create an item in the organization in the "Unassigned" collection.

Additionally, if the user is added to a collection with "Read Only" permissions, this collection will show in COLLECTIONS when adding an item. If the Read Only Collection is selected, then pressing save will generate a "No rights to modify the collection" error, however an item will be created in the USER's vault with null values.

These behaviors are not present in the official release.

Relevant logs

OVERLORD added the good first issue, bug labels 2026-02-04 22:14:01 +03:00

@BlackDex commented on GitHub (Dec 12, 2020):

This is an issue indeed. We do have to find a good way to solve this, since all ciphers already added to an organization without a collection need to be linked to one before we can even go and fix this.

The only way would be to have at least owners and admins still have access to those (which probably is already the case since there is no check on collections for them). But then owners or admins do need to go and check if all the ciphers/items do have a collection!

I also see someone tried to create a PR for this, but it has not been picked up after some review requests to change some stuff.
What we should fix is no org item can be without a collection.

Maybe we could add some counter to the admin page to show how many ciphers linked to a connection aren't linked to a collection. That would at least make it visible :).

Thanks for reporting this issue.
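
The behaviour reported above and the direction in this comment, as an added example (not part of the original thread and not vaultwarden's code): all permission checks run before anything is written, an organization item without a collection is refused, and a counter reports legacy unassigned items. The `Vault` type, its fields and the two error strings other than "No rights to modify the collection" are hypothetical.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical in-memory model; none of these names come from vaultwarden.
#[derive(Default)]
struct Vault {
    // (user, collection) -> true when the membership is read-only
    access: HashMap<(String, String), bool>,
    // cipher name -> (owning organization, assigned collections)
    ciphers: HashMap<String, (Option<String>, HashSet<String>)>,
}

impl Vault {
    /// Validate everything first, write last: a rejected request leaves no row behind.
    fn create_org_cipher(&mut self, user: &str, org: &str, name: &str,
                         collections: &[&str]) -> Result<(), &'static str> {
        if collections.is_empty() {
            return Err("organization item needs at least one collection");
        }
        for c in collections {
            match self.access.get(&(user.to_string(), c.to_string())).copied() {
                Some(false) => {} // writable membership
                Some(true) => return Err("No rights to modify the collection"),
                None => return Err("no access to the collection"),
            }
        }
        let cols = collections.iter().map(|c| c.to_string()).collect();
        self.ciphers.insert(name.to_string(), (Some(org.to_string()), cols));
        Ok(())
    }

    /// Counter suggested for the admin page: org ciphers linked to no collection.
    fn unassigned_org_ciphers(&self) -> usize {
        self.ciphers.values()
            .filter(|(org, cols)| org.is_some() && cols.is_empty())
            .count()
    }
}

fn main() {
    let mut v = Vault::default();
    // Constructed sample data: one read-only membership, one legacy row
    // shaped like the item the reported bug leaves in "Unassigned".
    v.access.insert(("alice".into(), "ro-col".into()), true);
    v.ciphers.insert("legacy".into(), (Some("org1".into()), HashSet::new()));
    println!("{:?}", v.create_org_cipher("alice", "org1", "a", &[]));
    println!("{:?}", v.create_org_cipher("alice", "org1", "b", &["ro-col"]));
    println!("rows: {}, unassigned: {}", v.ciphers.len(), v.unassigned_org_ciphers());
}
```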


@BlackDex commented on GitHub (Jan 31, 2021):

@new2t, I have created a PR which would solve this issue.
It's a PR with a lot of changes, so it could take some time for it to be merged because of checks and maybe some additional changes which have to be made.

Reference: starred/vaultwarden#690