As a user of an organization, I can't modify an item even though I have read/write access #80

New Issue

Closed

opened 2026-02-04 16:46:21 +03:00 by OVERLORD · 5 comments

OVERLORD commented 2026-02-04 16:46:21 +03:00

Owner

Copy Link

Originally created by @janost on GitHub (Aug 30, 2018).

Reproduction steps:

• Using the latest docker container.
• Log in to the web UI as user of an organization. The user must not have access to all items in the organization, just read/write access to specific collection(s).
• Click on an item, edit something and click "Save".

Expected result:
The request succeeds and my changes have been saved, because I have read/write access to the collection where the item is shared.

Actual result:
Red error message pops up saying "You don't have permission to add cipher directly to organization".

Remarks:
The request succeeds if the user has access to all collections in the organization. ("This user can access and modify all items.")

Background:
Failing request is:
PUT https:///api/ciphers/<CIPHER_ID>

Originally created by @janost on GitHub (Aug 30, 2018). Reproduction steps: - Using the latest docker container. - Log in to the web UI as user of an organization. The user must not have access to all items in the organization, just read/write access to specific collection(s). - Click on an item, edit something and click "Save". Expected result: The request succeeds and my changes have been saved, because I have read/write access to the collection where the item is shared. Actual result: Red error message pops up saying "You don't have permission to add cipher directly to organization". Remarks: The request succeeds if the user has access to all collections in the organization. ("This user can access and modify all items.") Background: Failing request is: PUT https://<HOSTNAME>/api/ciphers/<CIPHER_ID>

OVERLORD added the bug label 2026-02-04 16:46:21 +03:00

OVERLORD closed this issue 2026-02-04 16:46:35 +03:00

OVERLORD commented 2026-02-04 16:46:43 +03:00

Author

Owner

Copy Link

@mprasil commented on GitHub (Aug 30, 2018):

Thanks for reporting that, this bug was introduced recently and hopefully should be fixed with d336d89.

@mprasil commented on GitHub (Aug 30, 2018): Thanks for reporting that, this bug was introduced recently and hopefully should be fixed with d336d89.

OVERLORD commented 2026-02-04 16:46:50 +03:00

Author

Owner

Copy Link

@janost commented on GitHub (Aug 30, 2018):

Awesome, thank you!
I'm going to test it and report back.

@janost commented on GitHub (Aug 30, 2018): Awesome, thank you! I'm going to test it and report back.

OVERLORD commented 2026-02-04 16:46:56 +03:00

Author

Owner

Copy Link

@mprasil commented on GitHub (Aug 30, 2018):

Just be aware that the PR wasn't merged yet and even after it's merged it takes about an hour to build the docker image, so if you want to test it now, you need to build your own image.

@mprasil commented on GitHub (Aug 30, 2018): Just be aware that the PR wasn't merged yet and even after it's merged it takes about an hour to build the docker image, so if you want to test it now, you need to build your own image.

OVERLORD commented 2026-02-04 16:47:15 +03:00

Author

Owner

Copy Link

@mprasil commented on GitHub (Aug 30, 2018):

The image is now building, give it about an hour and you can test the fix @janost .

@mprasil commented on GitHub (Aug 30, 2018): The image is [now building](https://hub.docker.com/r/mprasil/bitwarden/builds/bxenhmyeatac7ck5yhcsk66/), give it about an hour and you can test the fix @janost .

OVERLORD commented 2026-02-04 16:47:19 +03:00

Author

Owner

Copy Link

@janost commented on GitHub (Sep 3, 2018):

Seems to work great, thank you.

@janost commented on GitHub (Sep 3, 2018): Seems to work great, thank you.

OVERLORD referenced this issue 2026-02-05 04:48:47 +03:00

[PR #89] [MERGED] Add confirmed check to the OrgHeaders request guard #2578

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#80