[GH-ISSUE #936] Impossible to delete user if it is the only owner of an organization #662

Closed
opened 2026-03-03 02:01:55 +03:00 by kerem · 5 comments
Owner

Originally created by @spudjb on GitHub (Mar 29, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/936

Subject of the issue

If a user exists who created an organization that they are the only owner of, it is impossible to delete them.

Your environment

  • Bitwarden_rs version: 1.14.1-5471088e
  • Install method: Docker image
  • Clients used: admin page
  • Reverse proxy and version:
  • Version of mysql/postgresql:
  • Other relevant information:

Steps to reproduce

  1. Start with admin_token set
  2. Create a user, and create an organization with that user
  3. Navigate to /admin/ and attempt to delete the user

Expected behaviour

It should be possible to delete this user, or at least prevent future logins somehow. Alternatively, users should be prevented from creating organizations.

Actual behaviour

The user could not be deleted with the following error message:

Error deleting user
Can't delete last owner

Relevant logs

[2020-03-28 23:08:43][request][INFO] POST /admin/users/<uuid>/delete
[2020-03-28 23:08:43][error][ERROR] Can't delete last owner
[2020-03-28 23:08:43][response][INFO] POST /admin/users/<uuid>/delete (delete_user) => 400 Bad Request
kerem 2026-03-03 02:01:55 +03:00
Author
Owner

@dani-garcia commented on GitHub (Mar 30, 2020):

Hmm, for this we need to do two things I think:

  • When trying to delete a user that's the last owner from the admin page, we should detect the error and offer to also delete the organization. This could just be a dialog after the delete user confirm dialog.

  • On the other side, we should also allow one way to promote a different user to owner, in case we want to keep the organization in place. We can't make another user join, because that would require access for the crypto keys, but we can change a user's organization level, probably by clicking on the organization name from the user entry in the admin page, we could show a dialog there to switch the user's level.

Author
Owner

@spudjb commented on GitHub (Mar 30, 2020):

I think it would be best to offer both:

  • An admin API to delete any organization
  • An admin API to promote/demote/remove users in organizations (if possible?)

Then these could be used to clean up the situation prior to removing the user.


Author
Owner

@jjlin commented on GitHub (Mar 31, 2020):

It might make sense to do this by implementing the relevant pieces of the Bitwarden public API (https://docs.bitwarden.com/), which could be the foundation of a full implementation later on.

Author
Owner

@speedygonzales391 commented on GitHub (Oct 16, 2020):

Any progress about this?

Author
Owner

@BlackDex commented on GitHub (Feb 3, 2021):

I'm currently working on a way to change a user-type from the users/overview page.
That way you can at least promote another user to admin if that user is already a member of that same organization.

And I'm adding a delete org on the organization overview page.

I find it tricky to offer a new dialog asking to delete the org also if that user is the last owner.
I'm afraid that people will quickly press yes, yes, yes even if we add extra `are you sure too` dialog boxes.
People just do not read. Therefore I will add it to the org overview where it will be clear to delete an org and not a user.
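The invariant behind the "Can't delete last owner" error, together with the two remedies discussed in this thread (promoting a member who is already in the organization, and deleting the organization as an explicit, separate action rather than a follow-up dialog), can be modelled in a few dozen lines. The following Rust is an added example written for this page; it is not vaultwarden's own code. The `Store`, `Membership` and `AdminError` types, the `UserOrgType` enum and the user ids `alice`/`bob` and organization `acme` are all constructed for the example.

```rust
use std::collections::HashSet;
use std::fmt;

/// Role of a user inside an organization (constructed for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum UserOrgType {
    Owner,
    Admin,
    User,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Membership {
    pub user_id: String,
    pub org_id: String,
    pub kind: UserOrgType,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AdminError {
    /// Deleting or demoting this user would leave the organization without any owner.
    LastOwner { org_id: String },
    /// Only existing members can change level: a new member would need the org's crypto keys.
    NotAMember { user_id: String, org_id: String },
}

impl fmt::Display for AdminError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AdminError::LastOwner { org_id } => write!(f, "Can't delete last owner of organization {}", org_id),
            AdminError::NotAMember { user_id, org_id } => {
                write!(f, "user {} is not a member of organization {}", user_id, org_id)
            }
        }
    }
}

/// Hypothetical in-memory membership table standing in for the database.
#[derive(Default, Debug)]
pub struct Store {
    pub memberships: Vec<Membership>,
}

impl Store {
    pub fn add(&mut self, user_id: &str, org_id: &str, kind: UserOrgType) {
        self.memberships.push(Membership { user_id: user_id.into(), org_id: org_id.into(), kind });
    }

    fn owner_count(&self, org_id: &str) -> usize {
        self.memberships.iter().filter(|m| m.org_id == org_id && m.kind == UserOrgType::Owner).count()
    }

    /// Organizations in which `user_id` is the only owner.
    pub fn orgs_where_last_owner(&self, user_id: &str) -> Vec<String> {
        let mut seen = HashSet::new();
        self.memberships
            .iter()
            .filter(|m| m.user_id == user_id && m.kind == UserOrgType::Owner)
            .filter(|m| self.owner_count(&m.org_id) == 1)
            .filter(|m| seen.insert(m.org_id.clone()))
            .map(|m| m.org_id.clone())
            .collect()
    }

    /// The check behind the error in the issue: refuse rather than orphan an organization.
    pub fn delete_user(&mut self, user_id: &str) -> Result<(), AdminError> {
        if let Some(org_id) = self.orgs_where_last_owner(user_id).into_iter().next() {
            return Err(AdminError::LastOwner { org_id });
        }
        self.memberships.retain(|m| m.user_id != user_id);
        Ok(())
    }

    /// Change an existing member's level. Demoting the last owner is refused for the same reason.
    pub fn set_user_org_type(&mut self, user_id: &str, org_id: &str, kind: UserOrgType) -> Result<(), AdminError> {
        let idx = self
            .memberships
            .iter()
            .position(|m| m.user_id == user_id && m.org_id == org_id)
            .ok_or_else(|| AdminError::NotAMember { user_id: user_id.into(), org_id: org_id.into() })?;
        let current = self.memberships[idx].kind;
        if current == UserOrgType::Owner && kind != UserOrgType::Owner && self.owner_count(org_id) == 1 {
            return Err(AdminError::LastOwner { org_id: org_id.into() });
        }
        self.memberships[idx].kind = kind;
        Ok(())
    }

    /// Explicit organization deletion, deliberately separate from user deletion.
    pub fn delete_org(&mut self, org_id: &str) {
        self.memberships.retain(|m| m.org_id != org_id);
    }
}

/// Scenario from the issue (constructed): alice is the sole owner of "acme"; bob is a plain member.
pub fn scenario() -> Store {
    let mut s = Store::default();
    s.add("alice", "acme", UserOrgType::Owner);
    s.add("bob", "acme", UserOrgType::User);
    s
}

fn main() {
    let mut s = scenario();
    if let Err(e) = s.delete_user("alice") {
        println!("refused: {}", e);
    }
    // Remedy 1: promote a member who is already in the org, then the deletion goes through.
    s.set_user_org_type("bob", "acme", UserOrgType::Owner).unwrap();
    s.delete_user("alice").unwrap();
    println!("owners of acme after cleanup: {}", s.owner_count("acme"));
}
```

The promotion path only accepts users who already hold a membership row, which mirrors the point that a non-member cannot simply be made owner because they lack the organization's keys; demoting the sole remaining owner is refused so the cleanup cannot recreate the same dead end.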
