
Read Only rights issue with Groups generating trash entry on user vault #3249

Closed
Misterbabou opened this issue Feb 16, 2023 · 1 comment · Fixed by #3254
Labels
bug Something isn't working

Comments

Misterbabou (Contributor) commented Feb 16, 2023

Subject of the issue

Read Only rights issue with Groups generating trash entry on user vault (with the groups beta feature enabled).

Deployment environment

  • vaultwarden version: 1.27.0-1ba8275d
  • Install method: custom build with Docker including the latest merge of allow editing/unhiding by group #3108 (same issue with the docker image vaultwarden/server:testing)
  • Clients used: web vault
  • Reverse proxy and version: No
  • MySQL/MariaDB or PostgreSQL version: MariaDB 10.10.2, same issue with SQLite
  • Environment settings:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://****************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 7,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "TestSRV",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "******************************************,****************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 15,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

  1. Create an organisation (or use an existing one)
  2. Add another user "U" (any name is fine) to the organisation (as a regular user)
  3. Create (or use an existing) collection "C" (any name is fine; in my screenshot the collection is named PASSWORD_RO)
  4. Create (or use an existing) group "G" (any name is fine; in my test it is named GRP_RO)
    4.1. Give the group "G" Read Only access to the collection "C"
    4.2. Assign the user "U" to the group "G"
    4.3. Make sure that the user "U" does not have direct permission on the collection "C". In other words: the permission should be configured via the group only!
  5. Log in as user "U"
    5.1. Add a new entry to the collection "C"; "C" is shown even though the group only has RO access
    5.2. Save the entry -> Error message "No rights to modify the collection"
    5.3. A blank entry with nothing inside is created automatically in user "U"'s vault (see screenshot)

Expected behaviour

User can't select the collection "C" with read-only rights (assigned by a group).
This already works for rights applied directly to the user (the user can't select a collection with read-only access).

Actual behaviour

User "U" can select a collection "C" with read-only rights (assigned by a group), and a trash entry is automatically created in his personal vault.

Troubleshooting data

  • Vaultwarden Log :
vaultwarden    | [2023-02-16 10:15:48.252][request][INFO] POST /api/ciphers/create
vaultwarden    | [2023-02-16 10:15:48.279][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection
vaultwarden    | [2023-02-16 10:15:48.279][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request
  • Trash entry created (screenshot: trash_entry_auto_created)
  • Collection list available when creating an entry with rights applied via a group (screenshot: collection_RO_available_add_entry_group_rights)
  • Collection list available when creating an entry with rights applied directly to the user; this is the expected behaviour with a group as well (screenshot: collection_RO_not_available_user_rights)
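A constructed Rust model of the access decision this report is about (an added example, not vaultwarden's own code or data model): effective access merges direct and group grants, the collection picker lists only writable collections, and the server checks every target collection before persisting the item so a rejected request cannot leave an orphaned cipher. The names (Grants, create_cipher), the union-of-grants semantics and the sample grants are assumptions; only GRP_RO and PASSWORD_RO come from the report.

```rust
use std::collections::{HashMap, HashSet};

/// Access level on a collection, granted directly or through a group.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Access { ReadOnly, ReadWrite }

/// Constructed model of the grants in the report (not vaultwarden's data model).
#[derive(Default)]
pub struct Grants {
    pub direct: HashMap<(String, String), Access>, // (user, collection)
    pub group: HashMap<(String, String), Access>,  // (group, collection)
    pub members: HashMap<String, HashSet<String>>, // group -> users
}

impl Grants {
    /// Effective access is the most permissive of the direct grant and every
    /// group grant (assumption: union semantics).
    pub fn effective(&self, user: &str, coll: &str) -> Option<Access> {
        let mut best = self.direct.get(&(user.to_string(), coll.to_string())).copied();
        for (grp, users) in &self.members {
            if !users.contains(user) { continue; }
            if let Some(a) = self.group.get(&(grp.clone(), coll.to_string())) {
                best = match (best, *a) {
                    (Some(Access::ReadWrite), _) | (_, Access::ReadWrite) => Some(Access::ReadWrite),
                    _ => Some(Access::ReadOnly),
                };
            }
        }
        best
    }

    /// Collections a client may offer in the "new item" dialog: only writable
    /// ones, whether the right is direct or comes via a group.
    pub fn writable<'a>(&self, user: &str, colls: &[&'a str]) -> Vec<&'a str> {
        colls.iter().copied()
            .filter(|c| self.effective(user, c) == Some(Access::ReadWrite))
            .collect()
    }
}

/// Server-side guard for the create request: check every target collection
/// before persisting, so a rejected request leaves nothing behind.
pub fn create_cipher(g: &Grants, user: &str, targets: &[&str], store: &mut Vec<String>)
    -> Result<(), String> {
    if let Some(c) = targets.iter().find(|c| g.effective(user, c) != Some(Access::ReadWrite)) {
        return Err(format!("No rights to modify the collection {c}"));
    }
    store.push(format!("{user}:{}", targets.join(",")));
    Ok(())
}
```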

@BlackDex BlackDex added the troubleshooting There might be bug or it could be user error, more info needed label Feb 16, 2023
Misterbabou (Contributor, Author) commented Feb 16, 2023

I modified "Steps to reproduce" to explain the steps better.

I made new tests with these changed variables:

1. image: vaultwarden/server:testing (latest available), and MariaDB 10.10.2
2. image: vaultwarden/server:testing (latest available), and SQLite

I still have the same issue with these additional tests.

@BlackDex BlackDex added bug Something isn't working and removed troubleshooting There might be bug or it could be user error, more info needed labels Feb 17, 2023