[PR #2073] [MERGED] Fix conflict resolution logic for `read_only` and `hide_passwords` flags #3050

New issue

Closed

opened 2026-03-03 09:25:37 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 09:25:37 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/2073
Author: @jjlin
Created: 10/29/2021
Status: ✅ Merged
Merged: 11/1/2021
Merged by: @dani-garcia

Base: main ← Head: fix-access-logic

📝 Commits (1)

6cbb724 Fix conflict resolution logic for read_only and hide_passwords flags

📊 Changes

1 file changed (+24 additions, -21 deletions)

View changed files

📝 src/db/models/cipher.rs (+24 -21)

📄 Description

For one of these flags to be in effect for a cipher, upstream requires all of
(rather than any of) the collections the cipher is in to have that flag set.

Also, some of the logic for loading access restrictions was wrong. I think
that only malicious clients that also had knowledge of the UUIDs of ciphers
they didn't have access to would have been able to take advantage of that.

Fixes #2072.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/2073 **Author:** [@jjlin](https://github.com/jjlin) **Created:** 10/29/2021 **Status:** ✅ Merged **Merged:** 11/1/2021 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `main` ← **Head:** `fix-access-logic` --- ### 📝 Commits (1) - [`6cbb724`](https://github.com/dani-garcia/vaultwarden/commit/6cbb72406980bb0127b378a770195066bacaf02e) Fix conflict resolution logic for `read_only` and `hide_passwords` flags ### 📊 Changes **1 file changed** (+24 additions, -21 deletions) <details> <summary>View changed files</summary> 📝 `src/db/models/cipher.rs` (+24 -21) </details> ### 📄 Description For one of these flags to be in effect for a cipher, upstream requires all of (rather than any of) the collections the cipher is in to have that flag set. Also, some of the logic for loading access restrictions was wrong. I think that only malicious clients that also had knowledge of the UUIDs of ciphers they didn't have access to would have been able to take advantage of that. Fixes #2072. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>