fix: grant manage permission to Manager on collection creation #90

Closed
opened 2026-04-05 20:29:50 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @rafaelfariasbsb on 2/26/2026

Summary

  • Fixes a bug where a Manager without access_all could create a new collection but was unable to edit it afterward
  • The CollectionUser record was being saved with manage=false, causing the ManagerHeaders guard to reject edit requests with "The current user isn't a manager for this collection"
  • Changed the manage parameter from false to true when saving the CollectionUser for the creating Manager

Details

In src/api/core/organizations.rs (line 524), the collection creation endpoint saves a CollectionUser entry for the Manager:

CollectionUser::save(&headers.membership.user_uuid, &collection.uuid, false, false, false, &conn).await?;

The last parameter (manage) was false, so subsequent calls to Collection::is_coll_manageable_by_user() via the ManagerHeaders guard would fail since:

  1. users_collections.manage is false
  2. access_all is false (condition to enter this code block)
  3. The user is a Manager, not Admin/Owner

This was not reproduced when testing with a Manager that had Manage all collections enabled, because access_all=true bypasses this code path entirely.

Test plan

  • Create a Manager user without Manage all collections
  • Grant the Manager permission to create collections
  • Log in as the Manager and create a new collection
  • Verify the Manager can edit the newly created collection
  • Verify the Manager can update permissions on the collection
  • Verify existing collection behavior is unchanged for Admins/Owners

Fixes #6871
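
The failure mode described in this pull request, as an added example that is not part of the original description and is not Vaultwarden's code. It is a simplified model: `Store`, `Membership`, `Role`, `create_collection`, `is_manageable` and `scenario` are hypothetical names, and only the `manage` flag, `access_all` and the Manager versus Admin/Owner distinction are taken from the text above. It also checks that the fix does not grant manage rights to an unrelated Manager.

```rust
use std::collections::HashMap;

// Simplified, hypothetical model of the check described above; not Vaultwarden's code.
#[derive(Clone, Copy)]
pub enum Role { Owner, Admin, Manager }

pub struct Membership { pub user: &'static str, pub role: Role, pub access_all: bool }

#[derive(Default)]
pub struct Store {
    // (user, collection) -> manage flag, standing in for users_collections.manage
    users_collections: HashMap<(String, String), bool>,
}

impl Store {
    /// Creation path: a per-user row is written only when access_all is false.
    /// `manage_on_create` is false for the old behaviour and true for the fix.
    pub fn create_collection(&mut self, m: &Membership, coll: &str, manage_on_create: bool) {
        if !m.access_all {
            self.users_collections.insert((m.user.to_string(), coll.to_string()), manage_on_create);
        }
    }

    /// Guard: Admin/Owner and access_all pass; otherwise the row must have manage=true.
    pub fn is_manageable(&self, m: &Membership, coll: &str) -> bool {
        match m.role {
            Role::Owner | Role::Admin => true,
            Role::Manager => m.access_all || self.users_collections
                .get(&(m.user.to_string(), coll.to_string())).copied().unwrap_or(false),
        }
    }
}

/// Creates collection "c1" as `creator`, then returns
/// (creator can manage it, an unrelated Manager without access_all can manage it).
pub fn scenario(creator: &Membership, manage_on_create: bool) -> (bool, bool) {
    let mut store = Store::default();
    store.create_collection(creator, "c1", manage_on_create);
    let other = Membership { user: "other", role: Role::Manager, access_all: false };
    (store.is_manageable(creator, "c1"), store.is_manageable(&other, "c1"))
}

fn main() {
    let mgr = Membership { user: "mgr", role: Role::Manager, access_all: false };
    println!("manage=false on create: {:?}", scenario(&mgr, false));
    println!("manage=true on create:  {:?}", scenario(&mgr, true));
}
```
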

Reference: github/vaultwarden#90