search

dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0
34.78k stars 1.69k forks source link

Collection creation causes permission error in logs and logout in interface #4519

Closed Basecatcherz closed 2 months ago

Basecatcherz commented 2 months ago

Collection creation causes permission error in logs and logout in interface

Deployment environment

Steps to reproduce

  1. Login to web vault
  2. Select a vault
  3. Select: New --> Collection

Expected behaviour

Collection creation assistant opens.

Actual behaviour

Logout and permission erros in log.

Troubleshooting data

The vault was initially created by me. I set another account as owner, later. I already tried every available role to get access with my account, again.

Logs

[2024-04-23 10:52:29.117][request][INFO] GET /api/organizations/18e6e129-7f05-4e60-9059-fb6aec233876/collections/details
[2024-04-23 10:52:29.118][request][INFO] GET /api/organizations/18e6e129-7f05-4e60-9059-fb6aec233876/users?
[2024-04-23 10:52:29.119][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-04-23 10:52:29.119][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-04-23 10:52:29.120][response][INFO] (get_org_collections_details) GET /api/organizations/<org_id>/collections/details => 401 Unauthorized
[2024-04-23 10:52:29.120][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-04-23 10:52:29.120][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-04-23 10:52:29.120][response][INFO] (get_org_users) GET /api/organizations/<org_id>/users?<data..> => 401 Unauthorized
[2024-04-23 10:52:29.178][request][INFO] GET /api/config
[2024-04-23 10:52:29.178][response][INFO] (config) GET /api/config => 200 OK
[2024-04-23 10:52:29.231][vaultwarden::api::notifications][INFO] Closing WS connection from 192.168.2.134
BlackDex commented 2 months ago

It works for me, at least when using testing.

I suggest to test that version, but it actually looks like the either the token is expired or not correct, or something else during the login is incorrect.

stefan0xC commented 2 months ago

The vault was initially created by me. I set another account as owner, later. I already tried every available role to get access with my account, again.

What do you mean? Did the other owner change your role? Kicked you out of the organization? How did you try to get access? Did you add yourself in the database? Did you change your role in the /admin/users/overview page? Also can you please post the support string from the /admin/diagnostics page?

BlackDex commented 2 months ago

Also, the only way i can get this message via the web-vault is by setting a users as manager/admin/owner, with that user go to the org interface, open the collection creation form. With the other user demote that user to user again.

Fill in the form and and submit, that will generate the error, but that is expected.

Basecatcherz commented 2 months ago

It works for me, at least when using testing.

I suggest to test that version, but it actually looks like the either the token is expired or not correct, or something else during the login is incorrect.

I can confirm that it works in testing. I can also confirm that I like the new interface 😄

Basecatcherz commented 2 months ago

What do you mean? Did the other owner change your role? Kicked you out of the organization? How did you try to get access? Did you add yourself in the database? Did you change your role in the /admin/users/overview page? Also can you please post the support string from the /admin/diagnostics page?

I created the Vault using my personal account. Later, I created an account for administrative tasks, gave it the owner role and set my personal account as user. When I tried to create a collection using my personal account I ran into the issue for the first time. To fix it I tried to give me admin, then manager, then owner. I changed the roles using /organizations/xxx-xxx-xxx-xxx-xxx/members, later using /admin/users/overview.

Your environment (Generated via diagnostics page)

Config (Generated via diagnostics page)

Show Running Config **Environment settings which are overridden:** ADMIN_TOKEN ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********************************", "domain_origin": "*****://***********************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "**********************", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": false, "password_iterations": 600000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.eu", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***************************", "smtp_from_name": "**********************************", "smtp_host": "***********************************************", "smtp_password": null, "smtp_port": 25, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```
BlackDex commented 2 months ago

So, what i see here is what i described in my previous post. You changed your personal member account to a user level. Users are not allowed to create collections, which is why you see that message.

If you have a special admin user to manage the organization, you need to use that user to make those changes. Else, give your personal member account manager rights, which is the least privileged level, but that is still able to create collections.

Vaultwarden does a valid and correct check for these privileges and that is why you get that message. Since we are not able to reproduce this without actually braking it in a way it should be broken, and your description too me seems that this was also the case I'm going to close this issue.

The solution is to make sure you granted the organization member the correct permission level to allow these actions.

Basecatcherz commented 2 months ago

So, what i see here is what i described in my previous post. You changed your personal member account to a user level. Users are not allowed to create collections, which is why you see that message.

If you have a special admin user to manage the organization, you need to use that user to make those changes. Else, give your personal member account manager rights, which is the least privileged level, but that is still able to create collections.

Vaultwarden does a valid and correct check for these privileges and that is why you get that message. Since we are not able to reproduce this without actually braking it in a way it should be broken, and your description too me seems that this was also the case I'm going to close this issue.

The solution is to make sure you granted the organization member the correct permission level to allow these actions.

But, even when I set my peronal account back to owner, as described above, I get this error. In testing it works fine.

Basecatcherz commented 2 months ago

I now "fixed" the issue by removing my aacount from the vault an re-add it again.