[GH-ISSUE #6121] Cannot save Access to collections to an Admin user 1.34.3 #2348

New issue

Closed

opened 2026-03-03 02:17:24 +03:00 by kerem · 4 comments

kerem commented 2026-03-03 02:17:24 +03:00

Owner

Copy link

Originally created by @DaveSophoServices on GitHub (Jul 31, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6121

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

• Vaultwarden version: v1.34.3
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ORG_CREATION_USERS, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "TMCamping Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "**********************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "TM Camping",
  "smtp_host": "****************************",
  "smtp_password": "***",
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx 1.22.1

Host/Server Operating System

Linux

Operating System Version

Debian GNU/Linux 12

Clients

Browser Extension, Web Vault

Client Version

2025.7.0

Steps To Reproduce

1. Go to 'Admin Console'
2. Click on 'Members'
3. Scroll down to user with admin role to modify
4. Click on the user with admin role to modify
5. Click 'Collections'
6. Click on a collection in 'Select Collections'
7. Click 'Save'

Expected Result

User should be saved with access to that collection.

Actual Result

the collection is not associated with that user. It doesn't appear in the line with the user details.

Clicking the user again shows the user is not associated with the collection

Logs

[2025-07-31 18:53:20.183][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/users/2d04911e-42db-467f-989e-f0407924a24d?includeGroups=true
[2025-07-31 18:53:20.183][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/collections/details
[2025-07-31 18:53:20.190][response][INFO] (get_user) GET /api/organizations/<org_id>/users/<member_id>?<data..> [2] => 200 OK
[2025-07-31 18:53:20.202][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK
[2025-07-31 18:53:34.179][request][INFO] PUT /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/users/2d04911e-42db-467f-989e-f0407924a24d
[2025-07-31 18:53:34.188][response][INFO] (put_member) PUT /api/organizations/<org_id>/users/<member_id> => 200 OK
[2025-07-31 18:53:34.315][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/users?includeCollections=true
[2025-07-31 18:53:34.315][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/collections
[2025-07-31 18:53:34.320][response][INFO] (get_org_collections) GET /api/organizations/<org_id>/collections => 200 OK
[2025-07-31 18:53:34.341][response][INFO] (get_members) GET /api/organizations/<org_id>/users?<data..> => 200 OK

Screenshots or Videos

No response

Additional Context

This was noticed a few weeks ago, and we investigated it today.

Originally created by @DaveSophoServices on GitHub (Jul 31, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6121 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String * Vaultwarden version: v1.34.3 * Web-vault version: v2025.7.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ORG_CREATION_USERS, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*******************", "domain_origin": "*****://*******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "TMCamping Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "**********************", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "TM Camping", "smtp_host": "****************************", "smtp_password": "***", "smtp_port": 25, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***********", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx 1.22.1 ### Host/Server Operating System Linux ### Operating System Version Debian GNU/Linux 12 ### Clients Browser Extension, Web Vault ### Client Version 2025.7.0 ### Steps To Reproduce 1. Go to 'Admin Console' 2. Click on 'Members' 3. Scroll down to user with admin role to modify 4. Click on the user with admin role to modify 5. Click 'Collections' 6. Click on a collection in 'Select Collections' 7. Click 'Save' ### Expected Result User should be saved with access to that collection. ### Actual Result the collection is not associated with that user. It doesn't appear in the line with the user details. Clicking the user again shows the user is not associated with the collection ### Logs ```text [2025-07-31 18:53:20.183][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/users/2d04911e-42db-467f-989e-f0407924a24d?includeGroups=true [2025-07-31 18:53:20.183][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/collections/details [2025-07-31 18:53:20.190][response][INFO] (get_user) GET /api/organizations/<org_id>/users/<member_id>?<data..> [2] => 200 OK [2025-07-31 18:53:20.202][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 200 OK [2025-07-31 18:53:34.179][request][INFO] PUT /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/users/2d04911e-42db-467f-989e-f0407924a24d [2025-07-31 18:53:34.188][response][INFO] (put_member) PUT /api/organizations/<org_id>/users/<member_id> => 200 OK [2025-07-31 18:53:34.315][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/users?includeCollections=true [2025-07-31 18:53:34.315][request][INFO] GET /api/organizations/4d7e3076-6a5b-43a1-8aa9-f85c1b55b0d0/collections [2025-07-31 18:53:34.320][response][INFO] (get_org_collections) GET /api/organizations/<org_id>/collections => 200 OK [2025-07-31 18:53:34.341][response][INFO] (get_members) GET /api/organizations/<org_id>/users?<data..> => 200 OK ``` ### Screenshots or Videos _No response_ ### Additional Context This was noticed a few weeks ago, and we investigated it today.

kerem 2026-03-03 02:17:24 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-03 02:17:25 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Jul 31, 2025):

Admins and owners have access by default to all collections, and therefore not stored like that.

Only managers and users are currently stored.

<!-- gh-comment-id:3141093576 --> @BlackDex commented on GitHub (Jul 31, 2025): Admins and owners have access by default to all collections, and therefore not stored like that. Only managers and users are currently stored.

kerem commented 2026-03-03 02:17:25 +03:00

Author

Owner

Copy link

@DaveSophoServices commented on GitHub (Jul 31, 2025):

That makes sense, however, for the web browser plugin, it now shows all relevant passwords from all collections as potentials for auto-fill, whereas it used to just show the collections that were assigned to the particular admin. Is this a regular use case - or do people generally run an admin user and a regular user (like not running as root all the time)?

<!-- gh-comment-id:3141103658 --> @DaveSophoServices commented on GitHub (Jul 31, 2025): That makes sense, however, for the web browser plugin, it now shows all relevant passwords from all collections as potentials for auto-fill, whereas it used to just show the collections that were assigned to the particular admin. Is this a regular use case - or do people generally run an admin user and a regular user (like not running as root all the time)?

kerem commented 2026-03-03 02:17:25 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Jul 31, 2025):

We do not yet have this fine grained control yet. A lot of changes need to be done.

Regarding admin and user and how people use it,i have no clue.

<!-- gh-comment-id:3141112829 --> @BlackDex commented on GitHub (Jul 31, 2025): We do not yet have this fine grained control yet. A lot of changes need to be done. Regarding admin and user and how people use it,i have no clue.

kerem commented 2026-03-03 02:17:25 +03:00

Author

Owner

Copy link

@DaveSophoServices commented on GitHub (Jul 31, 2025):

Thank you @BlackDex, "it's a feature, not a bug" :-)

<!-- gh-comment-id:3141123753 --> @DaveSophoServices commented on GitHub (Jul 31, 2025): Thank you @BlackDex, "it's a feature, not a bug" :-)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#2348

No description provided.