Fix conflict resolution logic for read_only and hide_passwords flags #2306

Closed
opened 2026-04-06 03:22:55 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @jjlin on 10/29/2021

For one of these flags to be in effect for a cipher, upstream requires all of
(rather than any of) the collections the cipher is in to have that flag set.

Also, some of the logic for loading access restrictions was wrong. I think
that only malicious clients that also had knowledge of the UUIDs of ciphers
they didn't have access to would have been able to take advantage of that.

Fixes #2072.
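The "all of (rather than any of)" rule described above, as an added illustration that is not vaultwarden's own code: the struct and function names are assumptions, and returning `None` for a cipher reached through no collection is this example's way of keeping "no restrictions" distinct from "no access".

```rust
/// Per-collection access a user has to a cipher (illustrative type, not vaultwarden's).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct CollectionAccess {
    pub read_only: bool,
    pub hide_passwords: bool,
}

/// Effective restrictions after combining every collection the cipher is in.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Restrictions {
    pub read_only: bool,
    pub hide_passwords: bool,
}

/// Upstream semantics: a flag is in effect only if ALL collections set it.
/// `None` means the user reaches the cipher through no collection at all, so a
/// caller cannot mistake an empty restriction set for granted access.
pub fn resolve_all_of(accesses: &[CollectionAccess]) -> Option<Restrictions> {
    if accesses.is_empty() {
        return None;
    }
    Some(Restrictions {
        read_only: accesses.iter().all(|a| a.read_only),
        hide_passwords: accesses.iter().all(|a| a.hide_passwords),
    })
}

/// The "any of" behaviour the PR replaces, kept only for side-by-side comparison.
pub fn resolve_any_of(accesses: &[CollectionAccess]) -> Option<Restrictions> {
    if accesses.is_empty() {
        return None;
    }
    Some(Restrictions {
        read_only: accesses.iter().any(|a| a.read_only),
        hide_passwords: accesses.iter().any(|a| a.hide_passwords),
    })
}

fn main() {
    // Constructed sample: the cipher sits in two collections the user can see;
    // only the first is read-only with hidden passwords.
    let accesses = [
        CollectionAccess { read_only: true, hide_passwords: true },
        CollectionAccess { read_only: false, hide_passwords: false },
    ];
    println!("all-of: {:?}", resolve_all_of(&accesses)); // both flags false
    println!("any-of: {:?}", resolve_any_of(&accesses)); // both flags true
    println!("no collection: {:?}", resolve_all_of(&[])); // None
}
```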


Reference: github/vaultwarden#2306