dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

Problem with creating collections on 1.30.5 #4555

Closed dzhumshoot closed 1 month ago

dzhumshoot commented 1 month ago

Hello! After updating from version 1.30.1 to 1.30.5 new collections are not created from the page https://myvault.com/#/vault when I click "New->Collection" and Vaultwarden is logging me out.

But if I go to the page https://myvault.com/#/organizations/uuid/vault the collections are created.

After rolling back to version 1.30.1 the problem is not reproduced.

I am the owner of the organization, the rights have not changed.

BlackDex commented 1 month ago

What is reported in the logs?

dzhumshoot commented 1 month ago

[2024-05-15 14:10:07.854][request][INFO] GET /api/organizations/9e12447b-6758-4162-b290-58fb28c6181e/collections/details
[2024-05-15 14:10:07.854][request][INFO] GET /api/organizations/9e12447b-6758-4162-b290-58fb28c6181e/users
[2024-05-15 14:10:07.855][request][INFO] GET /api/organizations/9e12447b-6758-4162-b290-58fb28c6181e/groups
[2024-05-15 14:10:07.878][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-05-15 14:10:07.878][vaultwarden::api::core::organizations::][WARN] Request guard ManagerHeadersLoose failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-05-15 14:10:07.878][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-05-15 14:10:07.878][vaultwarden::api::core::organizations::][WARN] Request guard ManagerHeadersLoose failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-05-15 14:10:07.878][response][INFO] (get_groups) GET /api/organizations//groups => 401 Unauthorized
[2024-05-15 14:10:07.878][response][INFO] (get_org_users) GET /api/organizations//users? => 401 Unauthorized
[2024-05-15 14:10:07.909][auth][ERROR] Unauthorized Error: You need to be a Manager, Admin or Owner to call this endpoint
[2024-05-15 14:10:07.909][vaultwarden::api::core::organizations::_][WARN] Request guard ManagerHeadersLoose failed: "You need to be a Manager, Admin or Owner to call this endpoint".
[2024-05-15 14:10:07.909][response][INFO] (get_org_collections_details) GET /api/organizations//collections/details => 401 Unauthorized

On the page https://myvault.com/#/vault, in the selected Organization I'm Owner.

Similar to https://github.com/dani-garcia/vaultwarden/issues/4519, but I definitely have enough rights to create collections in the selected organization.

dzhumshoot commented 1 month ago

When I click "New->Collection" from https://myvault.com/#/vault, Vaultwarden is logging me out.

BlackDex commented 1 month ago

Are you sure your user is a Manager, Admin or Owner? This message can not happen if you are one of those.

BlackDex commented 1 month ago

Check the /admin interface and verify if the user has one of those rights.

dzhumshoot commented 1 month ago

Yes, I am sure. On the old version 1.30.1, collections are created under this user in this organization; there are no changes in my rights when updating. And the problem occurs precisely when creating from the page https://myvault.com/#/vault. If I go to the page https://myvault.com/#/organizations/DVP-Security/vault the collections are created.

BlackDex commented 1 month ago

Also, please try the testing tagged image and see if that solves your issue. Be sure to create a backup of your database first btw.

BlackDex commented 1 month ago

Very strange, I'm not able to reproduce this with 1.30.5. I can create a collection just fine via the main vault page.

Same when using the testing tagged version.

BlackDex commented 1 month ago

I also just checked, the endpoint used to create the collection is exactly the same for both locations. So that shouldn't be an issue. Maybe your reverse proxy is doing some magic stuff, or a browser extension is doing something? I don't know.

But running this via a local docker container with a new fresh database it works fine, and I tested it with an old (maybe even with some issues) database, and it also works fine there.

Also try a different browser and/or Private/Incognito mode.

dzhumshoot commented 1 month ago

Found the problem. In one of the organizations I had the role "User". The role was changed to "Manager" and collections began to be created from the main vault page: https://myvault.com/#/vault. But it worked on the old version 1.30.1. Is this how it should be on 1.30.5?

This seems to be the wrong behavior: during the collection creation stage I select the organization. And it would be more correct not to display those in which I have the "User" role at the stage of creating a new collection, as it worked in the old version.

BlackDex commented 1 month ago

It shouldn't be different between those versions. The only thing I can think of is that you might have selected the wrong organization?

I do agree that UI wise it could be better in some cases. But that isn't something which is the main goal of this project.

I'm going to close this one as it seems to be fixed now with the correct rights.

dzhumshoot commented 1 month ago

Just create several organizations, in one of which you will have the "User" role. And try to create a collection while on the page https://myvault.com/#/vault by clicking "New->Collection", you will understand what I mean. At this stage I do not select an organization; I log in and immediately try to create a collection. The window for creating a new collection should open, as it did in the old version 1.30.1.

dzhumshoot commented 1 month ago

Please open this issue because there is a problem, the cause has been found, but there is no solution.

stefan0xC commented 1 month ago

Can you test with the testing image? As far as I've looked into it the bug seems to be caused by the web-vault version (web-v2024.1.2) and has already been fixed by switching to a newer version.

dzhumshoot commented 1 month ago

I deployed the test installation first to 1.30.5. The test user has the "User" role in one of the two test organizations (test_org2). Behavior is slightly different from a prod installation, but the essence is the same: under this user on the http://localhost/#/vault page, I click "New->Collection", the collection creation window opens, and when you select the organization "test_org2" Vaultwarden is logging me out. Then I updated to the "testing" version. On the page http://localhost/#/vault I click "New->Collection", a window for creating a collection opens; I don't have the organization "test_org2" at all (and that's correct). The problem is not reproduced in the "testing" version. But on version 1.30.5 there is a problem. Is there any way to solve this?

BlackDex commented 1 month ago

To be short, Yes, use testing.

I just tested it again, having two users and two organizations, on which one of the users is manager of 1 org, and just a user in the other.

I can only see the org on which the user is an admin of, no others. And creating a collection works just fine. I also tested this on both 1.30.1 and 1.30.5, and both work fine actually.

The only time it borks for me is if I keep the browser cache after the update. So, start with 1.30.1, create the users/orgs, logout (no reload or refresh of the page/tab), update to 1.30.5, login, and try to create a collection. That will break indeed. It also breaks the other way around, so start with 1.30.5 and revert to 1.30.1.

My guess would be that either your browser, or your reverse proxy is caching the content and uses that to access the web-vault. Try to clear the cache, or force a reload/refresh of the page.

Again, I can create collections with a user being a member of two orgs, on which one it has a user role, and on the other a manager or higher, on both versions.
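The behaviour discussed in this thread, modelled as an added example that is not vaultwarden's own code: a server-side check that mirrors the "Manager, Admin or Owner" requirement the ManagerHeadersLoose guard enforces, and the client-side filter that should keep an organization where the user only has the "User" role out of the "New -> Collection" picker. Role, Membership, the function names and the sample memberships (test_org1 as Manager, test_org2 as User) are constructed for illustration; the empty org id case mirrors the `/api/organizations//groups` requests in the posted log.

```rust
// Added example, not vaultwarden's code. Models the role check behind the
// "You need to be a Manager, Admin or Owner" guard and the picker filter.
// Role, Membership and the sample data below are constructed for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    // Variant order defines the ordering used for the comparisons below.
    User,
    Manager,
    Admin,
    Owner,
}

#[derive(Debug, Clone)]
pub struct Membership {
    pub org_id: &'static str,
    pub org_name: &'static str,
    pub role: Role,
}

/// Server-side guard: the caller must hold Manager or higher in the given org.
/// An unknown or empty org id fails closed, as in the 401s in the posted log.
pub fn check_manager_or_higher(memberships: &[Membership], org_id: &str) -> Result<(), String> {
    match memberships.iter().find(|m| m.org_id == org_id) {
        Some(m) if m.role >= Role::Manager => Ok(()),
        _ => Err("You need to be a Manager, Admin or Owner to call this endpoint".to_string()),
    }
}

/// Client-side filter: only orgs where the user may create collections are offered.
/// Listing a "User"-role org here is what leads the client to an endpoint the guard rejects.
pub fn orgs_allowed_to_create_collections(memberships: &[Membership]) -> Vec<&'static str> {
    memberships
        .iter()
        .filter(|m| m.role >= Role::Manager)
        .map(|m| m.org_name)
        .collect()
}

/// Constructed sample matching the report: Manager in one org, User in the other.
pub fn sample_memberships() -> Vec<Membership> {
    vec![
        Membership { org_id: "org-1", org_name: "test_org1", role: Role::Manager },
        Membership { org_id: "org-2", org_name: "test_org2", role: Role::User },
    ]
}

fn main() {
    let memberships = sample_memberships();
    println!("picker shows: {:?}", orgs_allowed_to_create_collections(&memberships));
    for org in ["org-1", "org-2", ""] {
        match check_manager_or_higher(&memberships, org) {
            Ok(()) => println!("{org:?}: allowed"),
            Err(e) => println!("{org:?}: 401 {e}"),
        }
    }
}
```

The server check is the control that actually protects the data; the picker filter only prevents the client from issuing a request that will be rejected, which is why a stale cached web-vault can still produce the 401 and logout even though the server behaves correctly.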

stefan0xC commented 1 month ago

To fix the issue you'd need to update the web-vault to a newer version.

If you rename the organization so that it will not be loaded first it will only log you out if you select the affected organization manually.

BlackDex commented 1 month ago

Ah, the order is important indeed. But if this doesn't cause issues with the testing tagged images, then I still call this issue resolved.