[GH-ISSUE #3249] Read Only rights issue with Groups generating trash entry on user vault #1510

New issue

Closed

opened 2026-03-03 02:09:47 +03:00 by kerem · 1 comment

kerem commented 2026-03-03 02:09:47 +03:00

Owner

Copy link

Originally created by @Misterbabou on GitHub (Feb 16, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3249

Subject of the issue

Read Only rights issue with Groups generating trash entry on user vault (with the groups beta feature enabled).

Deployment environment

• vaultwarden version: 1.27.0-1ba8275d

• Install method: Custom Built with docker with last #3108 Merge (same issue with docker vaultwarden/server:testing )

• Clients used: web vault

• Reverse proxy and version: No

• MySQL/MariaDB or PostgreSQL version: MariaDB 10.10.2 , Same issue with Sqlite

• Environment settings:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://****************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 7,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "TestSRV",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "******************************************,****************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 15,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

1. Create an organisation (or use existing)
2. Add another user "U" (any name is fine) to the organisation (as a regular user)
3. Create(or use existing) collection "C" (any name is fine : in my screenshot collection is named PASSWORD_RO)
4. Create(or use existing) group "G" (any name is fine : in my test named GRP_RO)
   4.1. Give permission of that collection "C" to the group "G" with Read Only access
   4.2. Assign the user "U" to the group "G"
   4.3. Make sure that the user "U" does not have direct permission on the collection "C". In other words: the permission should be configured via the group only!
5. Login as user "U"
   5.1. Add a new entry to the collection "C", "C" is shown even if the group is in RO access
   5.2 Save the entry -> Error message No rights to modify the collection
   5.3 A blanck entry is created automatically with nothing inside in the user "U" vault (see screenshot)

Expected behaviour

User can't select the collection "C" with rights read only (assign by a group)
This is already working for rights directly applied on user (user can't select collection with read only access)

Actual behaviour

User "U" can select a collection "C" with rights read only (assign by a group) and create automatically a trash entry in his personnal vault

Troubleshooting data

• Vaultwarden Log :

vaultwarden    | [2023-02-16 10:15:48.252][request][INFO] POST /api/ciphers/create
vaultwarden    | [2023-02-16 10:15:48.279][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection
vaultwarden    | [2023-02-16 10:15:48.279][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request

• Trash entry created :
  

• Collection available list when creating entry with rights applied on groups
  

• Collection available list when creating entry with right applied directly to user (Expected behaviour with group)
  

Originally created by @Misterbabou on GitHub (Feb 16, 2023). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3249 <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### Subject of the issue <!-- Describe your issue here. --> Read Only rights issue with Groups generating trash entry on user vault (with the groups beta feature enabled). ### Deployment environment <!-- ========================================================================================= Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. That will auto-generate most of the info requested in this section. ========================================================================================= --> <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: 1.27.0-1ba8275d <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: Custom Built with docker with last #3108 Merge (same issue with docker vaultwarden/server:testing ) * Clients used: <!-- web vault, desktop, Android, iOS, etc. (if applicable) --> web vault * Reverse proxy and version: <!-- if applicable --> No * MySQL/MariaDB or PostgreSQL version: <!-- if applicable --> MariaDB 10.10.2 , Same issue with Sqlite * Environment settings: ``` { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://****************************************************", "db_connection_retries": 15, "disable_2fa_remember": true, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 7, "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "TestSRV", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "******************************************,****************************", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": false, "password_iterations": 600000, "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "Vaultwarden", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 15, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": true, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> 1. Create an organisation (or use existing) 2. Add another user "U" (any name is fine) to the organisation (as a regular user) 3. Create(or use existing) collection "C" (any name is fine : in my screenshot collection is named PASSWORD_RO) 4. Create(or use existing) group "G" (any name is fine : in my test named GRP_RO) 4.1. Give permission of that collection "C" to the group "G" **with Read Only access** 4.2. Assign the user "U" to the group "G" 4.3. Make sure that the user "U" does not have direct permission on the collection "C". In other words: the permission should be configured via the group only! 5. Login as user "U" 5.1. Add a new entry to the collection "C", "C" is shown even if the group is in RO access 5.2 Save the entry -> Error message `No rights to modify the collection` 5.3 A blanck entry is created automatically with nothing inside in the user "U" vault (see screenshot) ### Expected behaviour <!-- Tell us what you expected to happen --> User can't select the collection "C" with rights read only (assign by a group) This is already working for rights directly applied on user (user can't select collection with read only access) ### Actual behaviour <!-- Tell us what actually happened --> User "U" can select a collection "C" with rights read only (assign by a group) and create automatically a trash entry in his personnal vault ### Troubleshooting data <!-- Share any log files, screenshots, or other relevant troubleshooting data --> - Vaultwarden Log : ``` vaultwarden | [2023-02-16 10:15:48.252][request][INFO] POST /api/ciphers/create vaultwarden | [2023-02-16 10:15:48.279][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection vaultwarden | [2023-02-16 10:15:48.279][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request ``` - Trash entry created :  - Collection available list when creating entry with rights applied on groups  - Collection available list when creating entry with right applied directly to user (Expected behaviour with group) 

kerem 2026-03-03 02:09:47 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-03 02:09:49 +03:00

Author

Owner

Copy link

@Misterbabou commented on GitHub (Feb 16, 2023):

I modified Steps to reproduce to explain the steps better

I made new tests with those changing variable :

1 - image: vaultwarden/server:testing (last available), and MariaDB 10.10.2
2- image: vaultwarden/server:testing (last available) and Sqlite

I have still the same issue with those additional tests.

<!-- gh-comment-id:1433098217 --> @Misterbabou commented on GitHub (Feb 16, 2023): I modified **Steps to reproduce** to explain the steps better I made new tests with those changing variable : 1 - image: vaultwarden/server:testing (last available), and MariaDB 10.10.2 2- image: vaultwarden/server:testing (last available) and Sqlite I have still the same issue with those additional tests.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#1510

No description provided.