Manager Role can create a (nest) collection outside from the one he is assigned

[Joao-Paixao]

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.5
• Web-vault version: v2024.6.2c
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: false
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.46.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

**Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********", "domain_origin": "*****://***********", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "****", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*********************", "smtp_from_name": "Vaultwarden", "smtp_host": "***********", "smtp_password": null, "smtp_port": 1025, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```

Vaultwarden Build Version

1.32.5

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

no

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.1 LTS

Clients

Web Vault

Client Version

2024.6.2c

Steps To Reproduce

Create a user with manager role. Give the user access to a collection. Login as manager user Create a new collection (a nested collection) Go to Nest Collection Under Select No collection and Click Save

Expected Result

Manager is assign to collection SubCollection 1, he should only be allowed to create a new collection under the collection assigned. Vault (Can't Create) ├── Collection 1 (Can't create) │ └── SubCollection 1 (Can create) ├── Collection 2 (Can't create) └── Unassigned

Actual Result

Manager is assign to collection SubCollection 1, he is allowed to create a new collection not under the collection assigned.

Vault (Can Create) ├── Collection 1 (Can't create) │ └── SubCollection 1 (Can create) ├── Collection 2 (Can't create) └── Unassigned

Logs

No response

Screenshots or Videos

No response

Additional Context

No response

[BlackDex]

I'm not totally sure what you mean here, if you could provide a more detailed steps to follow, maybe with some screenshots, that might help to clarify it

Vaultwarden can't see or know if a collection is nested or not. That information is not shared or visible to the server.

For Vaultwarden it is just another collection with its own uuid, name and rights.

A manager (without access all directly or via group) can only access assigned collections and, as far as i know only nest under an assigned collection. If that currently is not the case, then it probably is a bug in the client, and not something we can fix on the server side as we do not know if it is nested or not.

I do have a PR open to update the web-vault to a newer version which might solve your issue.

[Joao-Paixao]

If i have a user with Manager role and assign to the collection Development. What i would expect is that only the Development (or other collection assigned to him) would appear as an option in the Nest Collection Under option. But in fact he can simply self-assign to a new collection, which is fine, only if that new collection would remain nested under one of the assigned.

Example: It would be fine to create a new collection under Development or OtherCollection. But i don't understand why it exists the option No collection, making then possible to create a new collection NOT under one of the assigned to him.

[BlackDex]

Again, that seems like a client side (Bitwarden managed) item. Which is not under this projects control. And since we can't see a difference between nested or none nested collections we can't fix that on the server side.

[Joao-Paixao]

Ok, since this is a situation that cannot be controlled by you, I have nothing more to add. Thank you and you can close the issue.