Org managers can't create or manage collections #1136

Closed
jjlin opened this issue Sep 12, 2020 · 5 comments · Fixed by #1242
Labels
bug Something isn't working enhancement New feature or request low priority Won't fix anytime soon, but will accept PR if provided

Comments

@jjlin
Contributor

jjlin commented Sep 12, 2020

According to https://bitwarden.com/help/article/user-types-access-control/#user-types, org managers should be able to:

  • Only administer a collection it is associated with by an Owner or Admin
  • Access and manage assigned collections in an organization
  • Create new collections and modify the assigned collections
  • Set user access for assigned collections

Attempting to create a new collection via the web vault results in

[screenshot omitted: "Screenshot 2020-09-12 003122", web vault error dialog]

and log messages

[2020-09-12 00:29:38.993][request][INFO] POST /api/organizations/3c8806a6-2359-4c6c-b769-3fe52dab91bb/collections
[2020-09-12 00:29:38.995][auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2020-09-12 00:29:38.995][response][INFO] POST /api/organizations/<org_id>/collections (post_organization_collections) => 401 Unauthorized

Attempting to manage an existing collection via the web vault results in the "Your login session has expired" UI message, and log messages

[2020-09-12 00:31:57.174][request][INFO] GET /api/organizations/3c8806a6-2359-4c6c-b769-3fe52dab91bb/collections/320a942c-d232-4273-96e5-d2c872f8d1d8/details
[2020-09-12 00:31:57.175][auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2020-09-12 00:31:57.175][response][INFO] GET /api/organizations/<org_id>/collections/<coll_id>/details (get_org_collection_detail) => 401 Unauthorized

(This issue was first reported at https://bitwardenrs.discourse.group/t/manager-can-not-create-a-collection/287.)

@FLX-0x00

FLX-0x00 commented Oct 7, 2020

We are facing the same issue. Is there any workaround?

@BlackDex
Collaborator

BlackDex commented Oct 9, 2020

@blacklist-arcc, and I don't think there actually is a workaround at this point.

BlackDex added the "bug", "enhancement" and "low priority" labels Oct 9, 2020
@matlink
Contributor

matlink commented Nov 4, 2020

@BlackDex Any progress on it? It is not really a low priority for us :(

@matlink
Contributor

matlink commented Nov 11, 2020

@jjlin @blacklist-arcc @BlackDex I've made a pull request trying to implement this. What I have tested is working so far (collection creation, managing users in it, deleting managed collections).

@FLX-0x00

We will test this in our staging environment. Feedback in the next business days.

BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Nov 27, 2020
This has been requested a few times (dani-garcia#1136 & dani-garcia#246 & forum), and there already were two
(1:1 duplicate) PRs (dani-garcia#1222 & dani-garcia#1223) which needed some changes and no
followups or further comments unfortunately.

This PR adds two auth headers.
- ManagerHeaders
  Checks if the user-type is Manager or higher and if the manager is
part of that collection or not.
- ManagerHeadersLoose
  Checks if the user-type is Manager or higher, but does not check if the
user is part of the collection, needed for a few features like
retrieving all the users of an org.

I think this is the safest way to implement this instead of having to
check this within every function which needs this manually.

Also some extra checks if a manager has access to all collections or
just a selection.
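The permission model from the issue description (a manager may only administer collections an Owner or Admin assigned to them) and the two guards the commit message describes, as an added Rust example that is not vaultwarden's code; the type and function names and the shape of OrgMembership are assumed for the illustration:

```rust
// Added illustration of the authorization rules discussed on this page; this is
// not vaultwarden's code, and all names below are assumed for the example.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum UserType {
    User,
    Manager,
    Admin,
    Owner,
}

/// A user's membership in one organization (shape assumed for the example).
pub struct OrgMembership {
    pub user_type: UserType,
    /// True when the member was granted access to every collection in the org.
    pub access_all: bool,
    /// Collection ids explicitly assigned to this member.
    pub collections: HashSet<String>,
}

/// The pre-fix check: only Admin or Owner pass (the 401 seen in the issue's logs).
pub fn admin_headers(m: &OrgMembership) -> Result<(), &'static str> {
    if m.user_type >= UserType::Admin {
        Ok(())
    } else {
        Err("You need to be Admin or Owner to call this endpoint")
    }
}

/// ManagerHeadersLoose: Manager or higher, with no collection membership check,
/// for endpoints that are not about one specific collection (e.g. listing org users).
pub fn manager_headers_loose(m: &OrgMembership) -> Result<(), &'static str> {
    if m.user_type >= UserType::Manager {
        Ok(())
    } else {
        Err("You need to be a Manager, Admin or Owner to call this endpoint")
    }
}

/// ManagerHeaders: Manager or higher AND, for a Manager, assigned to the collection,
/// either through access_all or through an explicit assignment.
pub fn manager_headers(m: &OrgMembership, coll_id: &str) -> Result<(), &'static str> {
    manager_headers_loose(m)?;
    if m.user_type >= UserType::Admin || m.access_all || m.collections.contains(coll_id) {
        Ok(())
    } else {
        Err("You are not part of this collection")
    }
}
```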
BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Dec 2, 2020
BlackDex mentioned this issue Dec 10, 2020
Koisell pushed a commit to Koisell/vaultwarden that referenced this issue Feb 17, 2021
thelittlefireman pushed a commit to thelittlefireman/bitwarden_rs that referenced this issue Mar 19, 2021