starred/vaultwarden

Fork 0

mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 01:35:54 +03:00

[GH-ISSUE #5127] Organization Member Management / User invitation broken #2078

New issue

Closed

opened 2026-03-03 02:15:08 +03:00 by kerem · 1 comment

kerem commented

2026-03-03 02:15:08 +03:00

Owner

Originally created by @spacepope on GitHub (Oct 24, 2024).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5127

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.32.2
Web-vault version: v2024.6.2c
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Environment settings overridden: false
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Database type: SQLite
Database version: 3.46.0
Clients used:
Reverse proxy and version:
Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.2

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx (Synology reverse proxy)

Host/Server Operating System

NAS/SAN

Operating System Version

DSM 7.2.1-69057 Update 5

Clients

Web Vault

Client Version

v2024.6.2c

Steps To Reproduce

What i did (not sure if this is reproducible by everyone):

Logged in to WebVault and on Admin Console / Organization Members deleted an already registered user (because he lost his 2FA).
Re-Added / invited the user with the same mail address --> User clicked on the link within the mail but could not register, as he gets redirected to the normal login page (clicking on the register button there results in "registration not allowed")
Added / invited the user with another mail address --> User could register after clicking on the invitation mail link.
Refreshed the Member page, but the user is still displayed as invited.
Tried to assign user to a collection, but after clicking save there is still no collection assigned.

Expected Result

After re-inviting a deleted user (from member management page within WebVault), the user should be able to register a new account.
After an invited user accepted the invitation and registered a new account, the user should not be in status "invited" within WebVaults member management page.

Actual Result

As already described in the steps above:

After re-inviting a deleted user, the user is not able to register a new account.
After an invited user accepted the invitation and created a new account, the user stays in status "invited" and can not be assigned to a collection.

Logs

No response

Screenshots or Videos

No response

Additional Context

After enabling Vaultwardens admin page to generate the log string for this issue, i noticed in the user tab, that the user, which i deleted within WebVault's organization member page, still exists within the database.
Kind of makes sense to not loose data, but within WebVault there is no way to see that the user still exists, or is there?

Originally created by @spacepope on GitHub (Oct 24, 2024). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5127 ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.32.2 * Web-vault version: v2024.6.2c * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.46.0 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://********************", "domain_origin": "*****://********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*****************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "*****************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.32.2 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx (Synology reverse proxy) ### Host/Server Operating System NAS/SAN ### Operating System Version DSM 7.2.1-69057 Update 5 ### Clients Web Vault ### Client Version v2024.6.2c ### Steps To Reproduce What i did (not sure if this is reproducible by everyone): 1. Logged in to WebVault and on Admin Console / Organization Members deleted an already registered user (because he lost his 2FA). 2. Re-Added / invited the user with the same mail address --> User clicked on the link within the mail but could not register, as he gets redirected to the normal login page (clicking on the register button there results in "registration not allowed") 3. Added / invited the user with another mail address --> User could register after clicking on the invitation mail link. 4. Refreshed the Member page, but the user is still displayed as invited. 5. Tried to assign user to a collection, but after clicking save there is still no collection assigned. ### Expected Result - After re-inviting a deleted user (from member management page within WebVault), the user should be able to register a new account. - After an invited user accepted the invitation and registered a new account, the user should not be in status "invited" within WebVaults member management page. ### Actual Result As already described in the steps above: - After re-inviting a deleted user, the user is not able to register a new account. - After an invited user accepted the invitation and created a new account, the user stays in status "invited" and can not be assigned to a collection. ### Logs _No response_ ### Screenshots or Videos _No response_ ### Additional Context After enabling Vaultwardens admin page to generate the log string for this issue, i noticed in the user tab, that the user, which i deleted within WebVault's organization member page, still exists within the database. Kind of makes sense to not loose data, but within WebVault there is no way to see that the user still exists, or is there?

kerem

2026-03-03 02:15:08 +03:00

closed this issue
added the
bug
label

kerem commented

2026-03-03 02:15:09 +03:00

Author

Owner

@BlackDex commented on GitHub (Oct 24, 2024):

Removing a user from an org doesn't delete the account, as you figured out your self too. A user might still have personal items or is part of more then on org. Therefore, such users need to login to accept the invite, and can't create a new account.
The user status will be updated if a user fully accepted the invite, and then the owner/admin needs to refresh/reload the page to see the changed status. Mostly clicking away from the members overview and back again is enough.

This is all works as intended.

@BlackDex commented on GitHub (Oct 24, 2024): 1. Removing a user from an org doesn't delete the account, as you figured out your self too. A user might still have personal items or is part of more then on org. Therefore, such users need to login to accept the invite, and can't create a new account. 2. The user status will be updated if a user fully accepted the invite, and then the owner/admin needs to refresh/reload the page to see the changed status. Mostly clicking away from the members overview and back again is enough. This is all works as intended.

kerem referenced this issue

2026-03-03 09:25:37 +03:00

[PR #2078] [MERGED] Fix missing encrypted key after emergency access reject #3052