starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-25 17:25:57 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #4855] Account recovery administration not enforcing Single orginization policy to be enabled. #2003

New issue
Closed
opened 2026-03-03 02:14:13 +03:00 by kerem · 3 comments
kerem commented 2026-03-03 02:14:13 +03:00
Owner
Copy link

Originally created by @ghost on GitHub (Aug 14, 2024).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4855

Originally assigned to: @BlackDex on GitHub.

Subject of the issue

Account recovery administration is not enforcing "Single orginization" policy to be enabled. You are able to enable the "Account recovery administration" organization policy without the "Single organization" policy being enabled.

Deployment environment

  • vaultwarden version: 1.32.0

  • Install method: Docker through tag: vaultwarden/server:1.32.0

  • Clients used:

  • Reverse proxy and version: nginx

  • MySQL/MariaDB or PostgreSQL version:

  • Other relevant details:

Steps to reproduce

Enable the Account recovery administration without the Single Organizaton policy being enabled.

Expected behaviour

Not being able to enable it.

Actual behaviour

You can enable it

Troubleshooting data

image

Originally created by @ghost on GitHub (Aug 14, 2024). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/4855 Originally assigned to: @BlackDex on GitHub. <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### Subject of the issue <!-- Describe your issue here. --> Account recovery administration is not enforcing "Single orginization" policy to be enabled. You are able to enable the "Account recovery administration" organization policy without the "Single organization" policy being enabled. ### Deployment environment <!-- ========================================================================================= Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. That will auto-generate most of the info requested in this section. ========================================================================================= --> <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: 1.32.0 <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: Docker through tag: vaultwarden/server:1.32.0 * Clients used: <!-- web vault, desktop, Android, iOS, etc. (if applicable) --> * Reverse proxy and version: <!-- if applicable --> nginx * MySQL/MariaDB or PostgreSQL version: <!-- if applicable --> * Other relevant details: ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> Enable the Account recovery administration without the Single Organizaton policy being enabled. ### Expected behaviour <!-- Tell us what you expected to happen --> Not being able to enable it. ### Actual behaviour <!-- Tell us what actually happened --> You can enable it ### Troubleshooting data <!-- Share any log files, screenshots, or other relevant troubleshooting data --> ![image](https://github.com/user-attachments/assets/bad9fd3c-d704-45b9-8b0f-7f7f4468913d)
kerem 2026-03-03 02:14:13 +03:00
kerem commented 2026-03-03 02:14:14 +03:00
Author
Owner
Copy link

@louisfgr commented on GitHub (Aug 16, 2024):

I mentioned this some time ago in #4113. I'm afraid that this requirement could cause some problems for users who need access to multiple organizations if those organizations don't want to give up the account recovery option.

Even though I think this requirement makes sense for Bitwarden's use case, I find it impractical for Vaultwarden.
Especially since it was recommended to use organisations before group support was introduced (#1623).

Regardless of this, the warning in the policy settings should of course be in line with reality, whether this means adjusting the functionality or the warning.

<!-- gh-comment-id:2293063618 --> @louisfgr commented on GitHub (Aug 16, 2024): I mentioned this some time ago in #4113. I'm afraid that this requirement could cause some problems for users who need access to multiple organizations if those organizations don't want to give up the account recovery option. Even though I think this requirement makes sense for Bitwarden's use case, I find it impractical for Vaultwarden. Especially since it was recommended to use organisations before group support was introduced (#1623). Regardless of this, the warning in the policy settings should of course be in line with reality, whether this means adjusting the functionality or the warning.
kerem commented 2026-03-03 02:14:14 +03:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 16, 2024):

Not sure how I missed your earlier post about this. I apologize for this.

One concern about this setting not being enforced is if you reset User A's password, you can gain access to other organizations which that User A is also a part of. I suspect that this might be the reason for the inital setting of enforcing one organization per user with this policy.
My (possible wrongfull) impression is that organiazitons are suppose to be kind of indepentent from each other. This not being enforced kinda negates that.

<!-- gh-comment-id:2293623871 --> @ghost commented on GitHub (Aug 16, 2024): Not sure how I missed your earlier post about this. I apologize for this. One concern about this setting not being enforced is if you reset User A's password, you can gain access to other organizations which that User A is also a part of. I suspect that this might be the reason for the inital setting of enforcing one organization per user with this policy. My (possible wrongfull) impression is that organiazitons are suppose to be kind of indepentent from each other. This not being enforced kinda negates that.
kerem commented 2026-03-03 02:14:14 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Aug 19, 2024):

The only way i can see to fix this issue is to add another config option which will enforce this option if wanted/needed.
Which we could make a default in a later release for example.

<!-- gh-comment-id:2296283155 --> @BlackDex commented on GitHub (Aug 19, 2024): The only way i can see to fix this issue is to add another config option which will enforce this option if wanted/needed. Which we could make a default in a later release for example.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#2003
No description provided.