Logout if a manager role user opens settings of an organisation #324

New issue

Closed

opened 2026-02-20 08:01:23 -05:00 by deekerman · 4 comments

deekerman commented 2026-02-20 08:01:23 -05:00

Owner

Copy link

Originally created by @kaotika on GitHub (Jun 17, 2019).

I added a user to an organisation with user rights. I changed the users permissions to manager later. If the user tries to open the settings menu of the organisation, the user will be logged out with a session timed out message.

Logs (rustbacktrace=full)

[2019-06-17 09:29:43][rocket::rocket][INFO] GET /api/collections application/json:
[2019-06-17 09:29:43][_][INFO] Matched: GET /api/collections (get_user_collections)
[2019-06-17 09:29:43][_][INFO] Outcome: Success
[2019-06-17 09:29:43][_][INFO] Response succeeded.
[2019-06-17 09:29:44][rocket::rocket][INFO] GET /api/organizations/0211c99f-2947-470e-9408-16a619436234/collections/64abcfbf-5d84-4ce2-ac5e-3e26a2d5ebb9/details application/json:
[2019-06-17 09:29:44][_][INFO] Matched: GET /api/organizations/<org_id>/collections/<coll_id>/details (get_org_collection_detail)
[2019-06-17 09:29:44][bitwarden_rs::auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2019-06-17 09:29:44][_][INFO] Outcome: Failure
[2019-06-17 09:29:44][_][WARN] Responding with 401 Unauthorized catcher.
[2019-06-17 09:29:44][_][INFO] Response succeeded.

Another related issue:

After relogin in the same window, the vault is greyed out completely and no ui element is usable. The page is operational after a reload.

Originally created by @kaotika on GitHub (Jun 17, 2019). I added a user to an organisation with `user` rights. I changed the users permissions to `manager` later. If the user tries to open the `settings` menu of the organisation, the user will be logged out with a `session timed out` message. Logs (`rustbacktrace=full`) ``` [2019-06-17 09:29:43][rocket::rocket][INFO] GET /api/collections application/json: [2019-06-17 09:29:43][_][INFO] Matched: GET /api/collections (get_user_collections) [2019-06-17 09:29:43][_][INFO] Outcome: Success [2019-06-17 09:29:43][_][INFO] Response succeeded. [2019-06-17 09:29:44][rocket::rocket][INFO] GET /api/organizations/0211c99f-2947-470e-9408-16a619436234/collections/64abcfbf-5d84-4ce2-ac5e-3e26a2d5ebb9/details application/json: [2019-06-17 09:29:44][_][INFO] Matched: GET /api/organizations/<org_id>/collections/<coll_id>/details (get_org_collection_detail) [2019-06-17 09:29:44][bitwarden_rs::auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint [2019-06-17 09:29:44][_][INFO] Outcome: Failure [2019-06-17 09:29:44][_][WARN] Responding with 401 Unauthorized catcher. [2019-06-17 09:29:44][_][INFO] Response succeeded. ``` Another related issue: After relogin in the same window, the vault is greyed out completely and no ui element is usable. The page is operational after a reload. 

deekerman closed this issue 2026-02-20 08:01:24 -05:00

deekerman commented 2026-02-20 08:01:24 -05:00

Author

Owner

Copy link

@mprasil commented on GitHub (Jun 17, 2019):

The "manager" permission level is not really supported in bitwarden_rs beyond very basic implementation that understands the order of privilege from user to owner. It is one of the feature requests in #246, but there isn't much traction as creating more organizations alleviates the need for more granular in-org permissions. (PR would be certainly welcome though)

As for the broken UI, it got unexpected reply from the server, this tends to break the UI in general. As you noted, reload does restore the functionality.

What did you try to accomplish with manager level? Maybe there's some other way to do the same or maybe there's some subset of the API that we can extend to support manager level of access.

@mprasil commented on GitHub (Jun 17, 2019): The "manager" permission level is not really supported in bitwarden_rs beyond very basic implementation that understands the order of privilege from `user` to `owner`. It is one of the feature requests in #246, but there isn't much traction as creating more organizations alleviates the need for more granular in-org permissions. (PR would be certainly welcome though) As for the broken UI, it got unexpected reply from the server, this tends to break the UI in general. As you noted, reload does restore the functionality. What did you try to accomplish with manager level? Maybe there's some other way to do the same or maybe there's some subset of the API that we can extend to support manager level of access.

deekerman commented 2026-02-20 08:01:24 -05:00

Author

Owner

Copy link

@kaotika commented on GitHub (Jun 17, 2019):

Ok, makes sense. I clicked on the collection name.
Maybe it's easier to hide the elements, that are not usable until they are fully implemented.
I intend to use it for a small team ~10 persons max, and I don't see a need for the manager role.

@kaotika commented on GitHub (Jun 17, 2019): Ok, makes sense. I clicked on the collection name. Maybe it's easier to hide the elements, that are not usable until they are fully implemented. I intend to use it for a small team ~10 persons max, and I don't see a need for the `manager` role.

deekerman commented 2026-02-20 08:01:24 -05:00

Author

Owner

Copy link

@mprasil commented on GitHub (Jun 17, 2019):

We can't just hide these parts, because they are valid for users with higher level of access. I think we need to improve some API responses to either not expose some info to managers or to implement collection managing functionality for manager.

@mprasil commented on GitHub (Jun 17, 2019): We can't just hide these parts, because they are valid for users with higher level of access. I think we need to improve some API responses to either not expose some info to managers or to implement collection managing functionality for manager.

deekerman commented 2026-02-20 08:01:24 -05:00

Author

Owner

Copy link

@mprasil commented on GitHub (Nov 11, 2019):

I think we can close this one as the question was answered.

@mprasil commented on GitHub (Nov 11, 2019): I think we can close this one as the question was answered.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#324

No description provided.