web-vault v2024.12.0 Manage role permission issue

[Misterbabou]

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.7-bc913d11
• Web-vault version: v2024.12.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: MySQL
• Database version: 11.6.2-MariaDB-ubu2404
• Environment settings overridden!: true
• Uses a reverse proxy: false
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: false
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, TRASH_AUTO_DELETE_DAYS, ORG_CREATION_USERS, EMERGENCY_ACCESS_ALLOWED, ADMIN_TOKEN, INVITATION_ORG_NAME, DISABLE_2FA_REMEMBER

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://****************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********",
  "domain_origin": "*****://*********",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 7,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden GO/PST",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 15,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.7-bc913d11

Deployment method

Build from source

Custom deployment method

No response

Reverse Proxy

No proxy

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04

Clients

Web Vault

Client Version

No response

Steps To Reproduce

Issue 1:

1. Go to your organisation as organisation owner
2. Create a collection
3. Click on Groups and create a new group and link the new collection with Can edit permission and press Save
4. Click on the new created group: tab Collections the permission show is Can manage instead of Can edit

Issue 2:

1. Go to your organisation as organisation owner
2. Create a collection
3. Click on 'Members' and edit a Role user member. on collections tab link the new collection with Can manage Permission and press Save
4. Click again on the member : tab Collections the permission show is Can edit instead of Can manage

Expected Result

Keep the permission previously set in the web-vault

Actual Result

• For Members permission Can manage become Can edit
• For Groups permission Can edit become Can manage

Logs

No response

Screenshots or Videos

No response

Additional Context

Thanks for the work added in #5219

The feature might not be added yet but for now, users with Can manage permissions (on collection) can't manage collection in the Password Manager.

On Vaulwarden Side:

(note Issue 1 and 2 prevent me to have a Can Manage in User permission and a Can edit in group permission)

User vault:

user can't edit the Collection even if they have Can manage permission

On Bitwarden side:

User vault:

User can edit the collection with Can manage permission

[BlackDex]

I'm not sure how you got the Can Manage rights for users, since that is currently not something Vaultwarden supports, and thus have this function. It only works for Owners, Admins and Managers which have access_all rights currently, which means, for users this doesn't work.

This is the same as reported in #5361.
Which in the end means, we need to add support for this specific cbac (Collection based access control) or whatever we want to call it.

[BlackDex]

FYI @chrpinedo

[Misterbabou]

I understand that Collection based access control is not implemented yet.

However the UI behavior described above might be an issue in the future as it change Permission (at least on UI side):

For Members permission Can manage become Can edit after a save. I didn't manage to set Can manage
For Groups permission Can edit become Can manage after a save. I didn't manage to set Can edit

See the Steps to reproduce above