[PR #6878] fix: grant manage permission to Manager on collection creation #3865

Open
opened 2026-03-03 10:38:10 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6878
Author: @rafaelfariasbsb
Created: 2/26/2026
Status: 🔄 Open

Base: main ← Head: fix/manager-collection-manage-permission


📝 Commits (1)

  • 541ea01 fix: grant manage permission to Manager on collection creation

📊 Changes

1 file changed (+1 additions, -1 deletions)

📝 src/api/core/organizations.rs (+1 -1)

📄 Description

Summary

  • Fixes a bug where a Manager without access_all could create a new collection but was unable to edit it afterward
  • The CollectionUser record was being saved with manage=false, causing the ManagerHeaders guard to reject edit requests with "The current user isn't a manager for this collection"
  • Changed the manage parameter from false to true when saving the CollectionUser for the creating Manager

Details

In src/api/core/organizations.rs (line 524), the collection creation endpoint saves a CollectionUser entry for the Manager:

CollectionUser::save(&headers.membership.user_uuid, &collection.uuid, false, false, false, &conn).await?;

The last parameter (manage) was false, so subsequent calls to Collection::is_coll_manageable_by_user() via the ManagerHeaders guard would fail since:

  1. users_collections.manage is false
  2. access_all is false (condition to enter this code block)
  3. The user is a Manager, not Admin/Owner

This was not reproduced when testing with a Manager that had Manage all collections enabled, because access_all=true bypasses this code path entirely.

Test plan

  • Create a Manager user without Manage all collections
  • Grant the Manager permission to create collections
  • Log in as the Manager and create a new collection
  • Verify the Manager can edit the newly created collection
  • Verify the Manager can update permissions on the collection
  • Verify existing collection behavior is unchanged for Admins/Owners

Fixes #6871


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
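
Added example, not code from the PR or from Vaultwarden: a simplified Rust model of the access decision the description walks through, showing how the manage flag written at collection creation decides whether the creating Manager can edit afterward. The types, method names and the "coll-1" identifier are hypothetical and stand in for the project's own.

```rust
use std::collections::HashMap;

// Hypothetical roles; only the three the description distinguishes are modeled.
#[derive(Debug, Clone, Copy)]
enum Role { Owner, Admin, Manager }

struct Membership { user: &'static str, role: Role, access_all: bool }

/// Stand-in for the users_collections table: (user, collection) -> manage flag.
#[derive(Default)]
struct Store { users_collections: HashMap<(String, String), bool> }

impl Store {
    /// Models collection creation: a creator without access_all gets an
    /// explicit row, and `manage` is the flag the PR changes from false to true.
    fn create_collection(&mut self, m: &Membership, coll: &str, manage: bool) {
        if !m.access_all {
            self.users_collections.insert((m.user.into(), coll.into()), manage);
        }
    }

    /// Models the guard decision: Admin/Owner pass, access_all passes,
    /// otherwise the per-collection manage flag decides (no row means deny).
    fn is_manageable(&self, m: &Membership, coll: &str) -> bool {
        if matches!(m.role, Role::Owner | Role::Admin) || m.access_all {
            return true;
        }
        self.users_collections
            .get(&(m.user.to_string(), coll.to_string()))
            .copied()
            .unwrap_or(false)
    }
}

/// Creates a collection as `m` with the given manage flag and reports
/// whether the same member passes the guard for it afterward.
fn can_edit_after_create(m: &Membership, manage: bool) -> bool {
    let mut store = Store::default();
    store.create_collection(m, "coll-1", manage);
    store.is_manageable(m, "coll-1")
}

fn main() {
    for role in [Role::Owner, Role::Admin, Role::Manager] {
        let m = Membership { user: "u1", role, access_all: false };
        println!("{:?}: manage=false -> {}, manage=true -> {}", role,
            can_edit_after_create(&m, false), can_edit_after_create(&m, true));
    }
}
```

In this model only the Manager row changes outcome with the flag, and a second Manager with no row for the collection is still denied, which is the property to confirm alongside the test plan above.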
