Open jb2barrels opened 1 week ago
Can you please be more specific what the issue is or how to reproduce the issue? Because I'm not sure I understand it.
If I have a user that has only view permissions on a specific collection via a group (and no other write permission either directly or via another group) I cannot change items in that collection (and also not delete them so this seems to work as intended as far as I can tell). And if I try to add an item via the browser extension to a new collection (where I have write access) I'll get the error message "Cipher is not write accessible". (That the extension displays the collection as assignable when it is not is probably a bug in the client, not sure there's anything we can do about it.)
@stefan0xC You may ignore the delete password entries part of my report - I believe I misunderstood the user roles regarding that part.
You will see in this example the test user has permission to modify collections on the extension which shouldn't be possible, but the web vault correctly does not have the permission to do so.
Additionally towards the bottom with screenshots, you will see a User is unable to add new entries to a vault which they have 'view only' permissions even though the User role indicates they should be able to atleast add entries. (You may correct me if i am wrong on interpreting this part)
Username: TestUser Organization Role: User (Access and add items to assigned collections)
User's permissions:
User's view of the vault, collections, and available entries:
Collections:
Groups:
TESTING-GROUP-CAN-EDIT
TESTING-GROUP-CAN-VIEW
Unable to add new entries as user to a 'Can View' as User role (User role defined as 'Access and add items to assigned collections)
Correct Behavior of editing password entries collection's per web vault:
Incorrect behavior of editing password entries collection's per web vault:
Same password entry '' with the ability to modify the collection entry checkboxes via the Browser extension on Google Chrome:
Entry confirmed to have been modified using extension (as viewed by the web vault):
Thanks for the screenshots.
Unable to add new entries as user to a 'Can View' as User role
It seems very intentional that you can't add new items to a non-editable collection (or an organization, if you only have view permissions).
Correct Behavior of editing password entries collection's per web vault:
This seems wrong to me. If the item is in a can edit collection, why shouldn't you be able to change the collection of that item? According to https://bitwarden.com/help/user-types-access-control/ you should be able to "add, edit, or remove items from assigned collections, unless assigned Can view permission."
So to me it seems there are two different issues:
a) you can't change the assigned collections to items in the web-vault (whether or not you have the edit permission to a collection or even if you have been granted access to all current and future collections
)
b) you seem to be able to change the collections of items in view only collections in the browser extension (which is prevented by Vaultwarden because you really shouldn't be able to)
I'll see if i can compare sometime this week the permissions to how official Bitwarden does it on their WebUI/Extensions. That way we can get concrete verification of what intended behavior we are expecting.
@stefan0xC I have completed testing of permissions of the User role on the official Bitwarden instance, these were the results.
Test User - with User role in organization.
Has 'Can Manage' access to collection 'TestCollection-CanManage'
Has 'Can View' access to collection 'TestCollection-CanView'
Subject of the issue
Latest testing, group permissions allows user role to delete password entries (and revoke password collections) via extension.
Deployment environment
vaultwarden version: Latest testing
Install method: Docker - vaultwarden/server:testing
Clients used: 2024.6.2 (Browser Extension, Google Chrome)
MySQL/MariaDB or PostgreSQL version: Postgres
Other relevant details: Web vault properly shows password collection checkboxes as grayed out when attempting to modify a password entry's collections as the user role. On the Bitwarden extension, these boxes are not greyed out and allow you to succesfully update a password entry's collections. Additionally the user role is able to delete passwords in the organization.
Expected behaviour
User role should be unable to revoke collection permissions using the Bitwarden extension. Additionally I assume they should also be unable to delete passwords from the organization, unless they are a higher role? Since the web vault works as expected for not being able to revoke an entries collections, I assume maybe a specific API call the extension does also needs to be updated?
Troubleshooting data
This is related to the changes after the following merged pull request: