dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

[Bug] Latest testing, group permissions allows user role to delete password entries (and revoke password collections) via extension. #4709

Open jb2barrels opened 1 week ago

jb2barrels commented 1 week ago

Subject of the issue

Latest testing, group permissions allows user role to delete password entries (and revoke password collections) via extension.

Deployment environment

Expected behaviour

User role should be unable to revoke collection permissions using the Bitwarden extension. Additionally, I assume they should also be unable to delete passwords from the organization, unless they are a higher role? Since the web vault works as expected in not allowing an entry's collections to be revoked, I assume maybe a specific API call the extension makes also needs to be updated?

Troubleshooting data

This is related to the changes after the following merged pull request:

stefan0xC commented 1 week ago

Can you please be more specific what the issue is or how to reproduce the issue? Because I'm not sure I understand it.

If I have a user that has only view permissions on a specific collection via a group (and no other write permission either directly or via another group) I cannot change items in that collection (and also not delete them so this seems to work as intended as far as I can tell). And if I try to add an item via the browser extension to a new collection (where I have write access) I'll get the error message "Cipher is not write accessible". (That the extension displays the collection as assignable when it is not is probably a bug in the client, not sure there's anything we can do about it.)
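As an added illustration of the server-side check stefan0xC describes (a user whose only access to a collection is view-only through a group must not be able to change items in it, and the server answers "Cipher is not write accessible"), here is a small Rust model of collection-based write access. This is example code written for this thread, not Vaultwarden's own implementation: the type and function names, the sample users, groups and collections, and the "No write access to target collection" message are all constructed, and "most permissive grant wins" when a user holds both a direct and a group grant on the same collection is an assumption about the intended semantics.

```rust
// Illustrative model of collection-based write access (not Vaultwarden's code).
use std::collections::{HashMap, HashSet};

/// Access a user can hold on a single collection.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Access {
    ReadOnly,
    ReadWrite,
}

/// Minimal organisation model: direct grants, group grants, group memberships,
/// the collections each item (cipher) is filed under, and users who have
/// access to every collection (owners/admins).
#[derive(Default)]
pub struct Org {
    pub direct: HashMap<(String, String), Access>,        // (user, collection) -> access
    pub group_grants: HashMap<(String, String), Access>,  // (group, collection) -> access
    pub memberships: HashMap<String, Vec<String>>,        // user -> groups
    pub cipher_collections: HashMap<String, Vec<String>>, // cipher -> collections
    pub access_all: HashSet<String>,                      // users with access to all collections
}

impl Org {
    /// Most permissive access the user holds on `collection`, combining a direct
    /// grant with grants inherited through every group the user belongs to.
    /// Assumption: the most permissive grant wins.
    pub fn effective_access(&self, user: &str, collection: &str) -> Option<Access> {
        if self.access_all.contains(user) {
            return Some(Access::ReadWrite);
        }
        let mut best = self
            .direct
            .get(&(user.to_string(), collection.to_string()))
            .copied();
        for group in self.memberships.get(user).into_iter().flatten() {
            if let Some(a) = self.group_grants.get(&(group.clone(), collection.to_string())) {
                best = Some(best.map_or(*a, |b| b.max(*a)));
            }
        }
        best
    }

    /// An item is writable when at least one collection it is filed under grants ReadWrite.
    pub fn cipher_write_accessible(&self, user: &str, cipher: &str) -> bool {
        self.cipher_collections
            .get(cipher)
            .map(|cols| {
                cols.iter()
                    .any(|c| self.effective_access(user, c) == Some(Access::ReadWrite))
            })
            .unwrap_or(false)
    }

    /// Server-side gate for a "change this item's collections" request: the item
    /// itself must be writable, and so must every collection it is being moved into.
    pub fn change_cipher_collections(
        &self,
        user: &str,
        cipher: &str,
        new_cols: &[&str],
    ) -> Result<(), &'static str> {
        if !self.cipher_write_accessible(user, cipher) {
            return Err("Cipher is not write accessible");
        }
        if new_cols
            .iter()
            .any(|c| self.effective_access(user, c) != Some(Access::ReadWrite))
        {
            return Err("No write access to target collection"); // constructed message
        }
        Ok(())
    }
}

/// Constructed sample organisation mirroring the scenario in the thread:
/// `viewer` is in group `readers`, which has view-only access to `shared`;
/// `viewer` also holds a direct write grant on `projects`. No owners/admins.
pub fn sample_org() -> Org {
    let mut org = Org::default();
    org.group_grants.insert(("readers".into(), "shared".into()), Access::ReadOnly);
    org.memberships.insert("viewer".into(), vec!["readers".into()]);
    org.direct.insert(("viewer".into(), "projects".into()), Access::ReadWrite);
    org.cipher_collections.insert("item-shared".into(), vec!["shared".into()]);
    org.cipher_collections
        .insert("item-both".into(), vec!["shared".into(), "projects".into()]);
    org
}

fn main() {
    let org = sample_org();
    for cipher in ["item-shared", "item-both"] {
        println!(
            "{cipher}: {:?}",
            org.change_cipher_collections("viewer", cipher, &["projects"])
        );
    }
}
```

The item filed only under the view-only collection is rejected, while the item that is also in a collection the user can edit may have its collections changed, but only into collections the user can write to. A client that shows the collection checkboxes as editable regardless (the extension behaviour reported here) is a display problem; the decision that matters is the one made on the server.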

jb2barrels commented 1 week ago

@stefan0xC You may ignore the delete password entries part of my report - I believe I misunderstood the user roles regarding that part.

You will see in this example the test user has permission to modify collections on the extension which shouldn't be possible, but the web vault correctly does not have the permission to do so.

Additionally, towards the bottom with screenshots, you will see a User is unable to add new entries to a vault on which they have 'view only' permissions, even though the User role indicates they should at least be able to add entries. (You may correct me if I am wrong in interpreting this part.)

[screenshot: example-permissions]

Here are the detailed screenshots, in case this helps with replicating my scenario:

Username: TestUser Organization Role: User (Access and add items to assigned collections)

User's permissions: [three screenshots]

User's view of the vault, collections, and available entries: [screenshot]


Collections: [screenshot]


Groups: [screenshot]


Unable to add new entries as a User to a 'Can View' collection (User role defined as 'Access and add items to assigned collections'):

[screenshot]


Correct behavior when editing a password entry's collections in the web vault: [screenshot]

Incorrect behavior when editing a password entry's collections via the extension:

Same password entry '' with the ability to modify the collection entry checkboxes via the Browser extension on Google Chrome: [three screenshots]

Entry confirmed to have been modified using the extension (as viewed in the web vault): [screenshot]

stefan0xC commented 1 week ago

Thanks for the screenshots.

Unable to add new entries as user to a 'Can View' as User role

It seems very intentional that you can't add new items to a non-editable collection (or an organization, if you only have view permissions).

Correct behavior when editing a password entry's collections in the web vault: [screenshot]

This seems wrong to me. If the item is in a can edit collection, why shouldn't you be able to change the collection of that item? According to https://bitwarden.com/help/user-types-access-control/ you should be able to "add, edit, or remove items from assigned collections, unless assigned Can view permission."

So to me it seems there are two different issues:

a) you can't change the assigned collections of items in the web vault (whether or not you have the edit permission on a collection, or even if you have been granted access to all current and future collections)

b) you seem to be able to change the collections of items in view-only collections in the browser extension (which is prevented by Vaultwarden because you really shouldn't be able to)

jb2barrels commented 1 week ago

I'll see if I can compare sometime this week the permissions to how official Bitwarden does it in their web UI/extensions. That way we can get concrete verification of what intended behavior we are expecting.

jb2barrels commented 3 days ago

@stefan0xC I have completed testing the permissions of the User role on the official Bitwarden instance; these were the results.

Test User - with User role in organization.