Group members cannot add new entries to collection on testing-branch #2989
Labels
bug
Something isn't working
Comments
|
This indeed is an issue. We see some more issues with groups currently, and probably going to disable groups by default for now until we have worked out all the issues. You are still free to use it of course, but bugs like this will be in there until we have some time to look at this new feature a bit better. |
|
I have created a PR #2995 which puts this feature behind a flag, and disabled by default. |
farodin91
added a commit
to farodin91/vaultwarden
that referenced
this issue
Jan 5, 2023
Fixes dani-garcia#2989 Signed-off-by: Jan Jansen <jan.jansen@gdata.de>
farodin91
added a commit
to farodin91/vaultwarden
that referenced
this issue
Jan 6, 2023
Fixes dani-garcia#2989 Signed-off-by: Jan Jansen <jan.jansen@gdata.de>
|
Maybe I'm doing something wrong, but I'm encountering the same issue on 1.27 when the user is a manager, not a regular user. Here's my system info: Your environment (Generated via diagnostics page)
My user is a manager, has access control set to "access only selected collections" and none of the collections ticked. |
|
This probably is the same issue. Which has not been addressed. |
farodin91
added a commit
to farodin91/vaultwarden
that referenced
this issue
Feb 7, 2023
Fixes dani-garcia#2989 Signed-off-by: Jan Jansen <jan.jansen@gdata.de>
Ping-timeout
pushed a commit
to Ping-timeout/vaultwarden
that referenced
this issue
Apr 3, 2023
* Fix remaning inline format * Use more modern meta tag for charset encoding * fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory * Optimize CipherSyncData for very large vaults As mentioned in dani-garcia#3111, using a very very large vault causes some issues. Mainly because of a SQLite limit, but, it could also cause issue on MariaDB/MySQL or PostgreSQL. It also uses a lot of memory, and memory allocations. This PR solves this by removing the need of all the cipher_uuid's just to gather the correct attachments. It will use the user_uuid and org_uuid's to get all attachments linked to both, weither the user has access to them or not. This isn't an issue, since the matching is done per cipher and the attachment data is only returned if there is a matching cipher to where the user has access to. I also modified some code to be able to use `::with_capacity(n)` where possible. This prevents re-allocations if the `Vec` increases size, which will happen a lot if there are a lot of ciphers. According to my tests measuring the time it takes to sync, it seems to have lowered the duration a bit more. Fixes dani-garcia#3111 * Add MFA icon to org member overview The Organization member overview supports showing an icon if the user has MFA enabled or not. This PR adds this feature. This is very useful if you want to enable force mfa for example. * Add avatar color support The new web-vault v2023.1.0 supports a custom color for the avatar. bitwarden/server#2330 This PR adds this feature. * Update Rust to v1.66.1 to patch CVE This PR sets Rust to v1.66.1 to fix a CVE. https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html Also updated some packages while at it. * Use more modern meta tag for charset encoding * Use more modern meta tag for charset encoding * Fix remaning inline format * Use more modern meta tag for charset encoding * Fix remaning inline format * fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory * Use more modern meta tag for charset encoding * Fix remaning inline format * fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory * Add MFA icon to org member overview The Organization member overview supports showing an icon if the user has MFA enabled or not. This PR adds this feature. This is very useful if you want to enable force mfa for example. * Use more modern meta tag for charset encoding * Fix remaning inline format * fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory * Add MFA icon to org member overview The Organization member overview supports showing an icon if the user has MFA enabled or not. This PR adds this feature. This is very useful if you want to enable force mfa for example. * Update Rust to v1.66.1 to patch CVE This PR sets Rust to v1.66.1 to fix a CVE. https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html Also updated some packages while at it. * Use more modern meta tag for charset encoding * Fix remaning inline format * fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory * Add MFA icon to org member overview The Organization member overview supports showing an icon if the user has MFA enabled or not. This PR adds this feature. This is very useful if you want to enable force mfa for example. * Update Rust to v1.66.1 to patch CVE This PR sets Rust to v1.66.1 to fix a CVE. https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html Also updated some packages while at it. * Add avatar color support The new web-vault v2023.1.0 supports a custom color for the avatar. bitwarden/server#2330 This PR adds this feature. * Update web vault to 2023.1.0 * include key into user.set_password * include key into user.set_password * Validate note sizes on key-rotation. We also need to validate the note sizes on key-rotation. If we do not validate them before we store them, that could lead to a partial or total loss of the password vault. Validating these restrictions before actually processing them to store/replace the existing ciphers should prevent this. There was also a small bug when using web-sockets. The client which is triggering the password/key-rotation change should not be forced to logout via a web-socket request. That is something the client will handle it self. Refactored the logout notification to either send the device uuid or not on specific actions. Fixes dani-garcia#3152 * include key into user.set_password * Update KDF Configuration and processing - Change default Password Hash KDF Storage from 100_000 to 600_000 iterations - Update Password Hash when the default iteration value is different - Validate password_iterations - Validate client-side KDF to prevent it from being set lower than 100_000 * include key into user.set_password * Validate note sizes on key-rotation. We also need to validate the note sizes on key-rotation. If we do not validate them before we store them, that could lead to a partial or total loss of the password vault. Validating these restrictions before actually processing them to store/replace the existing ciphers should prevent this. There was also a small bug when using web-sockets. The client which is triggering the password/key-rotation change should not be forced to logout via a web-socket request. That is something the client will handle it self. Refactored the logout notification to either send the device uuid or not on specific actions. Fixes dani-garcia#3152 * Updated web vault to 2023.1.1 and rust dependencies * Re-License Vaultwarden to AGPLv3 This commit prepares Vaultwarden for the Re-Licensing to AGPLv3 Solves #2450 * Remove `arm32v6`-specific tag This section of code seems to be breaking the Docker release workflow as of a few days ago, though it's unclear why. This tag only existed to work around an issue with Docker pulling the wrong image for ARMv6 platforms; that issue was resolved in Docker 20.10.0, which has been out for a few years now, so it seems like a reasonable time to drop this tag. * Rename `.buildx` Dockerfiles to `.buildkit` This is a more accurate name, since these Dockerfiles require BuildKit, not Buildx. * Disable Hadolint check for consecutive `RUN` instructions (DL3059) This check doesn't seem to add enough value to justify the difficulties it tends to create when generating `RUN` instructions from a template. * added database migration * working implementation * fixes for current upstream main * "Spell-Jacking" mitigation ~ prevent sensitive data leak from spell checker. @see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords * Fix Javascript issue on non sqlite databases When a non sqlite database is used, loading the admin interface fails because the backup button is not generated. This PR is solves it by checking if the elements are valid. Also made some other changes and fixed some eslint errors. Showing `_post` errors is better now. Update jquery to latest version. Fixes dani-garcia#3166 * Allow listening on privileged ports (below 1024) as non-root This is done by running `setcap cap_net_bind_service=+ep` on the executable in the build stage (doing it in the runtime stage creates an extra copy of the executable that bloats the image). This only works when using the BuildKit-based builder, since the `COPY` instruction doesn't copy capabilities on the legacy builder. * don't nullify key when editing emergency access the client does not send the key on every update of an emergency access contact so the field would be emptied on a change of the wait days or access level. * Replaced wrong mysql column type * improved security, disabling policy usage on email-disabled clients and some refactoring * rust lang specific improvements * completly hide reset password policy on email disabled instances * change description of domain configuration Vaultwarden send won't work if the domain includes a trailing slash. This should be documented, as it may lead to confusion amoung users. * improve wording of domain description * Generate distinct log messages for regex vs. IP blacklisting. When an icon will not be downloaded due to matching a configured blacklist, ensure that the log message indicates the type of blacklist that was matched. * Ensure that all results from check_domain_blacklist_reason are cached. * remove documentation of bug since I'm fixing it * fix trailing slash not being removed from domain * allow editing/unhiding by group Fixes dani-garcia#2989 Signed-off-by: Jan Jansen <jan.jansen@gdata.de> * Revert "fix trailing slash not being removed from domain" This reverts commit 679bc7a. * fix trailing slash in configuration builder * remove warn when sanitizing domain * add argon2 kdf fields * Add support for sendmail as a mail transport * check if SENDMAIL_COMMAND is valid using 'which' crate * add EXE_SUFFIX to sendmail executable when not specified * Updated Rust and crates - Updated Rust to v1.67.0 - Updated all crates except for `cookies` and `webauthn` * docs: add build status badge in readme * Fix Organization delete when groups are configured With existing groups configured within an org, deleting that org would fail because of Foreign Key issues. This PR fixes this by making sure the groups get deleted before the org does. Fixes dani-garcia#3247 * Fix Collection Read Only access for groups I messed up with identation sorry it's my first PR Fix Collection Read Only access for groups Fix Collection Read Only access for groups With indentation modification * Validate all needed fields for client API login During the client API login we need to have a `device_identifier`, `device_name` and `device_type`. When these were not provided Vaultwarden would panic. This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic. * Make the admin cookie lifetime adjustable * Add function to fetch user by email address * Apply Admin Session Lifetime to JWT * Apply rewording * docs: add build status badge in readme * docs: add build status badge in readme * Validate all needed fields for client API login During the client API login we need to have a `device_identifier`, `device_name` and `device_type`. When these were not provided Vaultwarden would panic. This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic. * docs: add build status badge in readme * Validate all needed fields for client API login During the client API login we need to have a `device_identifier`, `device_name` and `device_type`. When these were not provided Vaultwarden would panic. This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic. * Fix Organization delete when groups are configured With existing groups configured within an org, deleting that org would fail because of Foreign Key issues. This PR fixes this by making sure the groups get deleted before the org does. Fixes dani-garcia#3247 * docs: add build status badge in readme * Validate all needed fields for client API login During the client API login we need to have a `device_identifier`, `device_name` and `device_type`. When these were not provided Vaultwarden would panic. This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic. * Fix Organization delete when groups are configured With existing groups configured within an org, deleting that org would fail because of Foreign Key issues. This PR fixes this by making sure the groups get deleted before the org does. Fixes dani-garcia#3247 * Fix Collection Read Only access for groups I messed up with identation sorry it's my first PR Fix Collection Read Only access for groups Fix Collection Read Only access for groups With indentation modification * docs: add build status badge in readme * Validate all needed fields for client API login During the client API login we need to have a `device_identifier`, `device_name` and `device_type`. When these were not provided Vaultwarden would panic. This PR add checks for these fields and makes sure it returns a better error message instead of causing a panic. * Fix Organization delete when groups are configured With existing groups configured within an org, deleting that org would fail because of Foreign Key issues. This PR fixes this by making sure the groups get deleted before the org does. Fixes dani-garcia#3247 * Fix Collection Read Only access for groups I messed up with identation sorry it's my first PR Fix Collection Read Only access for groups Fix Collection Read Only access for groups With indentation modification * Make the admin cookie lifetime adjustable * Apply Admin Session Lifetime to JWT * Apply rewording * Add missing collections/details endpoint, based on the existing one * Update web vault to v2023.2.0 and dependencies * Fix vault item display in org vault view In the org vault view, the Bitwarden web vault currently tries to fetch the groups for an org regardless of whether it claims to have group support. If this errors out, no vault items are displayed. * Add confirmation for removing 2FA and deauth sessions in admin panel * Fix the web-vault v2023.2.0 API calls - Supports the new Collection/Group/User editing UI's - Support `/partial` endpoint for cipher updating to allow folder and favorite update for read-only ciphers. - Prevent `Favorite`, `Folder`, `read-only` and `hide-passwords` from being added to the organizational sync. - Added and corrected some `Object` key's to the output json. Fixes dani-garcia#3279 * Some Admin Interface updates - Updated datatables - Added NTP Time check - Added Collections, Groups and Events count for orgs - Renamed `Items` to `Ciphers` - Some small style updates * Fix confirmation for removing 2FA and deauthing sessions in admin panel * Admin token Argon2 hashing support Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead of only supporting a plain text string. The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden. You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides them self. Added a warning during startup and within the admin settings panel is the `ADMIN_TOKEN` is not an Argon2 hash. Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash. I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash. Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden it self would run. They can always use the `argon2` CLI and generate a faster hash. * Add HEAD routes to avoid spurious error messages Rocket automatically implements a HEAD route when there's a matching GET route, but relying on this behavior also means a spurious error gets logged due to <rwf2/Rocket#1098>. Add explicit HEAD routes for `/` and `/alive` to prevent uptime monitoring services from generating error messages like `No matching routes for HEAD /`. With these new routes, `HEAD /` only checks that the server can respond over the network, while `HEAD /alive` also checks that the database connection is alive, similar to `GET /alive`. * Fix web-vault Member UI show/edit/save There was a small bug left in regards to the web-vault v2023.2.0 fixes. This PR fixes the left items. I think all should be addressed now. When editing a User, you were not able to see or edit groups, or see wich collections a user bellonged to. Fixes dani-garcia#3311 * Upd Crates, Rust, MSRV, GHA and remove Backtrace - Changed MSRV to v1.65. Discussed this with @dani-garcia, and we will support **N-2**. This is/will be the same as for the `time` crate we use. Also updated the wiki regarding this https://github.com/dani-garcia/vaultwarden/wiki/Building-binary - Removed backtrace crate in favor of `std::backtrace` stable since v1.65 - Updated Rust to v1.67.1 - Updated all the crates - Updated the GHA action versions - Adjusted the GHA MSRV build to extract the MSRV from `Cargo.toml` * Merge ClientIp with Headers. Since we now use the `ClientIp` Guard on a lot more places, it also increases the size of binary, and the macro generated code because of this extra Guard. By merging the `ClientIp` Guard with the several `Header` guards we have it reduces the amount of code generated (including LLVM IR), but also a small speedup in build time. I also spotted some small `json!()` optimizations which also reduced the amount of code generated. * Add support for `/api/devices/knowndevice` with HTTP header params Upstream PR: bitwarden/server#2682 * Update Rust, MSRV and Crates - Updated all the crates - Updated Rust and MSRV * Update web vault to v2023.3.0 and dependencies * add endpoint to bulk delete groups * add endpoint to bulk delete collections * don't use `assert()` in production code Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com> * Add support for Quay.io and GHCR.io as registries - Added support for Quay.io - Added support for GHCR.io To enable support for these container image registries the following needs to be added. As `Actions secrets and variables` - `Secrets` - `DOCKERHUB_TOKEN` and `DOCKERHUB_USERNAME` - `QUAY_TOKEN` and `QUAY_USERNAME` As `Actions secrets and variables` - `Variables` - `Repository Variables` - `DOCKERHUB_REPO` - `GHCR_REPO` - `QUAY_REPO` The `DOCKERHUB_REPO` currently configured in `Secrets` can be removed if wanted, probably best after this PR has been merged. If one of the vars/secrets are not configured it will skip that specific registry! * Some small fixes and updates - Updated workflows to use new checkout version This probably fixes the curl download for hadolint also. - Updated crates including Rocket to the latest rc3 :party: - Applied 2 nightly clippy lints to prevent future clippy issues. * Update web vault to v2023.3.0b * Decode knowndevice `X-Request-Email` as base64url with no padding The clients end up removing the padding characters [1][2]. [1] https://github.com/bitwarden/clients/blob/web-v2023.3.0/libs/common/src/misc/utils.ts#L141-L143 [2] https://github.com/bitwarden/mobile/blob/v2023.3.1/src/Core/Utilities/CoreHelpers.cs#L227-L234 * Fix password reset issues There was used a wrong macro to produce an error message when mailing the user his password was reset failed. It was using `error!()` which does not return an `Err` and aborts the rest of the code. This resulted in the users password still being resetted, but not being notified. This PR fixes this by using `err!()`. Also, do not set the user object as mutable until it really is needed. Second, when a user was using the new Argon2id KDF with custom values like memory and parallelism, that would have rendered the password incorrect. The endpoint which should return all the data did not returned all the new Argon2id values. Fixes dani-garcia#3388 Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> * support `/users/<uuid>/invite/resend` admin api * fmt * always return KdfMemory and KdfParallelism the client will ignore the value of theses fields in case of `PBKDF2` (whether they are unset or left from trying out `Argon2id` as KDF). with `Argon2id` those fields should never be `null` but always in a valid state. if they are `null` (how would that even happen?) the client still assumes default values for `Argon2id` (i.e. m=64 and p=4) and if they are set to something else login will fail anyway. * clear kdf memory and parallelism with pbkdf2 when changing back from argon2id to PBKDF2 the unused parameters should be set to 0. also fix small bug in _register * add mail check * add check user state * Revert setcap, update rust and crates - Revert dani-garcia#3170 as discussed in #3387 In hindsight it's better to not have this feature - Update Dockerfile.j2 for easy version changes. Just change it in one place instead of multiple - Updated to Rust to latest patched version - Updated crates to latest available - Pinned mimalloc to an older version, as it breaks on musl builds * Fix sending out multiple websocket notifications For some reason I encountered a strange bug which resulted in sending out multiple websocket notifications for the exact same user. Added a `distinct()` for the query to filter out multiple uuid's. --------- Signed-off-by: Jan Jansen <jan.jansen@gdata.de> Co-authored-by: BlackDex <black.dex@gmail.com> Co-authored-by: Rychart Redwerkz <redwerkz@users.noreply.github.com> Co-authored-by: GeekCorner <45696571+GeekCornerGH@users.noreply.github.com> Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com> Co-authored-by: sirux88 <sirux88@gmail.com> Co-authored-by: Jeremy Lin <jjlin@users.noreply.github.com> Co-authored-by: Daniel Hammer <daniel.hammer+oss@gmail.com> Co-authored-by: Stefan Melmuk <stefan.melmuk@gmail.com> Co-authored-by: BlockListed <44610569+BlockListed@users.noreply.github.com> Co-authored-by: Kevin P. Fleming <kevin@km6g.us> Co-authored-by: Jan Jansen <jan.jansen@gdata.de> Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx> Co-authored-by: soruh <mail@soruh.de> Co-authored-by: r3drun3 <simone.ragonesi@kiratech.it> Co-authored-by: Misterbabou <58564168+Misterbabou@users.noreply.github.com> Co-authored-by: Nils Mittler <nmittler@bcf-pc03.desktop> Co-authored-by: Jeremy Lin <jeremy.lin@gmail.com> Co-authored-by: Jonathan Elias Caicedo <jonathan@jcaicedo.com> Co-authored-by: Dylan Pinsonneault <dylanp2222@gmail.com> Co-authored-by: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Co-authored-by: Nikolay Nikolaev <nikolaevn.home@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Subject of the issue
When using the groups-feature on the testing-branch, a "regular" group-member (non-manager) cannot create any entries in a collection, that is given access to via groups.
Deployment environment
Your environment (Generated via diagnostics page)
Steps to reproduce
4.1. Give permission of that collection "C" to the group "G"
4.2. Assign the user "U" to the group "G"
4.3. Make sure that the user "U" does not have direct permission on the collection "C". In other words: the permission should be configured via the group only!
5.1. Add a new entry to the collection "C"
Expected behavior
The entry should be added to the collection.
Actual behavior
An error toast appears in the top right: "You lack the necessary permissions to perform this action."
The text was updated successfully, but these errors were encountered: