Read Only rights issue with Groups generating trash entry on user vault #1743

Closed
opened 2026-04-06 02:18:17 +02:00 by MrUnknownDE · 0 comments

Originally created by @Misterbabou on 2/16/2023

Subject of the issue

Read Only rights issue with Groups generating trash entry on user vault (with the groups beta feature enabled).

Deployment environment

  • vaultwarden version: 1.27.0-1ba8275d
  • Install method: Custom-built Docker image including the latest #3108 merge (same issue with the `vaultwarden/server:testing` Docker image)

  • Clients used: web vault

  • Reverse proxy and version: No. (Note: the settings below show `"_ip_header_enabled": true` with `"ip_header": "X-Real-IP"`; when vaultwarden is reached directly rather than through a proxy that sets this header, the header is client-controlled, so per-IP login/admin rate limiting and logged client addresses can be spoofed. This is unrelated to the bug but worth fixing in the deployment.)

  • MySQL/MariaDB or PostgreSQL version: MariaDB 10.10.2; the same issue occurs with SQLite

  • Environment settings:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://****************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 7,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "TestSRV",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "******************************************,****************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 15,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

  1. Create an organisation (or use existing)
  2. Add another user "U" (any name is fine) to the organisation (as a regular user)
  3. Create(or use existing) collection "C" (any name is fine : in my screenshot collection is named PASSWORD_RO)
  4. Create(or use existing) group "G" (any name is fine : in my test named GRP_RO)
    4.1. Give permission of that collection "C" to the group "G" with Read Only access
    4.2. Assign the user "U" to the group "G"
    4.3. Make sure that the user "U" does not have direct permission on the collection "C". In other words: the permission should be configured via the group only!
  5. Login as user "U"
    5.1. Add a new entry and choose collection "C" for it: "C" is offered in the collection list even though the group only has read-only access
    5.2 Save the entry -> error message `No rights to modify the collection`
    5.3 A blank entry (no content) is nevertheless created automatically in user "U"'s personal vault (see screenshot)

Expected behaviour

User "U" should not be able to select collection "C" when the read-only rights come from a group.
This already works when the rights are applied directly to the user: the user cannot select a collection to which they have read-only access.

Actual behaviour

User "U" can select collection "C" although the group grants only read-only rights, and saving automatically creates a stray entry in the user's personal vault. Note that the server does reject the write itself (the log below shows `POST /api/ciphers/create => 400 Bad Request` with `No rights to modify the collection`), so the collection is not actually modified; the two defects are that the client is offered a collection it cannot write to (group-derived read-only permissions are apparently not reflected in what the client sees) and that a cipher is still persisted in the personal vault despite the failed request, which suggests the create-cipher and assign-to-collection steps are not performed atomically.

Troubleshooting data

  • Vaultwarden Log :
vaultwarden    | [2023-02-16 10:15:48.252][request][INFO] POST /api/ciphers/create
vaultwarden    | [2023-02-16 10:15:48.279][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection
vaultwarden    | [2023-02-16 10:15:48.279][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request
  • Trash entry created :
    trash_entry_auto_created

  • Collection available list when creating entry with rights applied on groups
    collection_RO_available_add_entry_group_rights

  • Collection available list when creating entry with right applied directly to user (Expected behaviour with group)
    collection_RO_not_available_user_rights

*Originally created by @Misterbabou on 2/16/2023* <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### Subject of the issue <!-- Describe your issue here. --> Read Only rights issue with Groups generating trash entry on user vault (with the groups beta feature enabled). ### Deployment environment <!-- ========================================================================================= Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. That will auto-generate most of the info requested in this section. ========================================================================================= --> <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: 1.27.0-1ba8275d <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: Custom Built with docker with last #3108 Merge (same issue with docker vaultwarden/server:testing ) * Clients used: <!-- web vault, desktop, Android, iOS, etc. 
(if applicable) --> web vault * Reverse proxy and version: <!-- if applicable --> No * MySQL/MariaDB or PostgreSQL version: <!-- if applicable --> MariaDB 10.10.2 , Same issue with Sqlite * Environment settings: ``` { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://****************************************************", "db_connection_retries": 15, "disable_2fa_remember": true, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 7, "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "TestSRV", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, 
"log_file": null, "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "******************************************,****************************", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": false, "password_iterations": 600000, "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "Vaultwarden", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 15, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": true, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> 1. Create an organisation (or use existing) 2. Add another user "U" (any name is fine) to the organisation (as a regular user) 3. 
Create(or use existing) collection "C" (any name is fine : in my screenshot collection is named PASSWORD_RO) 4. Create(or use existing) group "G" (any name is fine : in my test named GRP_RO) 4.1. Give permission of that collection "C" to the group "G" **with Read Only access** 4.2. Assign the user "U" to the group "G" 4.3. Make sure that the user "U" does not have direct permission on the collection "C". In other words: the permission should be configured via the group only! 5. Login as user "U" 5.1. Add a new entry to the collection "C", "C" is shown even if the group is in RO access 5.2 Save the entry -> Error message `No rights to modify the collection` 5.3 A blanck entry is created automatically with nothing inside in the user "U" vault (see screenshot) ### Expected behaviour <!-- Tell us what you expected to happen --> User can't select the collection "C" with rights read only (assign by a group) This is already working for rights directly applied on user (user can't select collection with read only access) ### Actual behaviour <!-- Tell us what actually happened --> User "U" can select a collection "C" with rights read only (assign by a group) and create automatically a trash entry in his personnal vault ### Troubleshooting data <!-- Share any log files, screenshots, or other relevant troubleshooting data --> - Vaultwarden Log : ``` vaultwarden | [2023-02-16 10:15:48.252][request][INFO] POST /api/ciphers/create vaultwarden | [2023-02-16 10:15:48.279][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection vaultwarden | [2023-02-16 10:15:48.279][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request ``` - Trash entry created : ![trash_entry_auto_created](https://user-images.githubusercontent.com/58564168/219347270-8c1e5431-40cc-4a41-9f40-0939b55e6c0b.png) - Collection available list when creating entry with rights applied on groups 
![collection_RO_available_add_entry_group_rights](https://user-images.githubusercontent.com/58564168/219347512-5182fd5b-1af3-4d97-b814-74801c413921.png) - Collection available list when creating entry with right applied directly to user (Expected behaviour with group) ![collection_RO_not_available_user_rights](https://user-images.githubusercontent.com/58564168/219347808-707cc5ba-677f-4a0d-aed4-c4477b525c37.png)

Reference: github/vaultwarden#1743