
Users with custom role (old manager) in org cannot import into collections they have access rights to #5592

Open
maluueu opened this issue Feb 14, 2025 · 5 comments
Labels
bug Something isn't working

Comments

@maluueu

maluueu commented Feb 14, 2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.1
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 17.2 (Debian 17.2-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
  • Environment settings overridden!: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: false
  • Browser/Server Time Check: false
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://*****************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************************",
  "domain_origin": "*****://***************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/logs/vaultwarden.log",
  "log_level": "debug",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "*********",
  "smtp_host": "********",
  "smtp_password": "***",
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

caddy v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04.1 LTS (noble)

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Go to 'Tools'
  2. Click on 'Import Data'
  3. Select the vault
  4. Select a collection which you have write access to
  5. Select a KeePass 2 XML file and change file type to 'KeePass 2 (XML)'
  6. Click on 'Import Data'

Expected Result

All entries from KeePass imported into selected collection.

Actual Result

User is logged out from Web Vault.
After logging back in nothing has been imported.

Logs in browser console:

401: Unauthorized
The request requires user authentication.

Rocket

Logs

[2025-02-14 14:06:06.114][request][INFO] POST /api/ciphers/import-organization?organizationId=***********************************************
[2025-02-14 14:06:06.124][auth][ERROR] Unauthorized Error: You need to be Admin or Owner to call this endpoint
[2025-02-14 14:06:06.124][vaultwarden::api::core::organizations::_][WARN] Request guard `AdminHeaders` failed: "You need to be Admin or Owner to call this endpoint".
[2025-02-14 14:06:06.125][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default.
[2025-02-14 14:06:06.125][response][INFO] (post_org_import) POST /api/ciphers/import-organization?<query..> => 401 Unauthorized
[2025-02-14 14:06:06.192][request][INFO] GET /
[2025-02-14 14:06:06.193][response][INFO] (web_index) GET / => 200 OK
[2025-02-14 14:06:06.206][vaultwarden::api::notifications][INFO] Closing WS connection from ***.***.***.***

Screenshots or Videos

No response

Additional Context

All the users are members of exactly one organization. They have all been assigned the role 'Custom' so they can create collections by themselves.
When importing the KeePass 2 store as an admin user or org owner it is working fine.

@maluueu maluueu added the bug Something isn't working label Feb 14, 2025
@maluueu
Author

maluueu commented Feb 14, 2025

Why do we require AdminHeaders here: organizations.rs#L1832?
Has this been forgotten when the Custom role was introduced?

@maluueu maluueu changed the title Non-admins or non-owners of org cannot import into collections they have access rights to Users with custom role in org cannot import into collections they have access rights to Feb 14, 2025
@maluueu maluueu changed the title Users with custom role in org cannot import into collections they have access rights to Users with custom role (old manager) in org cannot import into collections they have access rights to Feb 14, 2025
@BlackDex
Collaborator

Managers were never able to import data into organizations as far as I know.
Not sure how you are able to view this in the web-vault, as that isn't visible for me when I log in with a user which has manager rights.

@BlackDex
Collaborator

Hmm, looks like they are in the newer web-vault via the Password Vault import option.

@maluueu
Author

maluueu commented Feb 17, 2025

@BlackDex I can see that. But while we're at it, why aren't users with a manager/custom role allowed to import passwords into collections they have access to (or create a new one for them)? I mean, they have permissions to do it manually (create the collection + passwords), what's the difference in being able to just import an existing password store in one go?
If we allowed that, what would have to change? I'm afraid I'm not really familiar with Rust, or with this code base in general, but I could give it my best shot.

@stefan0xC
Contributor

stefan0xC commented Feb 20, 2025

@maluueu this seems to be a recent change by upstream, so the AdminHeaders check has now become too strict.

Allowing this via ManagerHeaders would be a bit tedious because the collection id is not part of the path param or the query

vaultwarden/src/auth.rs

Lines 671 to 674 in 359a4a0

// col_id is usually the fourth path param ("/organizations/<org_id>/collections/<col_id>"),
// but there could be cases where it is a query value.
// First check the path, if this is not a valid uuid, try the query values.
fn get_col_id(request: &Request<'_>) -> Option<CollectionId> {

We could use the ManagerHeadersLoose guard and then check the passed collection id manually if you are allowed to access them. Though this probably is not the right way either when this should be possible for any User that is allowed to manage a collection (bitwarden/clients@8c339ea) so we would probably have to implement a custom guard for that or change how we check for permissions (i.e. implement custom permissions and like upstream finally get rid of the manager role).

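The two-step check sketched in the last comment (a loose guard that lets owners and admins through and then a per-collection permission check for a Custom-role member) can be modelled in a few dozen lines. The following is an added example written for this thread, not Vaultwarden's own code: the type names (OrgRole, Membership, CollectionAccess, ImportRequest, authorize_import) and the sample member are assumptions, and the rule it enforces is that every collection named in the import payload must be one the member can manage, with unknown ids refused rather than skipped.

```rust
use std::collections::HashMap;

/// Organization roles, simplified (assumed names, not Vaultwarden's types).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum OrgRole {
    Owner,
    Admin,
    User,
    Custom,
}

/// What a member may do with one collection they were granted.
#[derive(Clone, Copy, Debug)]
pub struct CollectionAccess {
    pub read_only: bool,
    pub manage: bool,
}

/// One user's membership in the organization (constructed model).
#[derive(Debug)]
pub struct Membership {
    pub role: OrgRole,
    /// Custom-role permission: may create new collections in the org.
    pub create_new_collections: bool,
    /// Collections explicitly granted to this member, keyed by collection id.
    pub collections: HashMap<String, CollectionAccess>,
}

/// What an import request asks for: the existing collections it writes into
/// and how many collections it would create on the fly.
#[derive(Debug)]
pub struct ImportRequest {
    pub target_collection_ids: Vec<String>,
    pub collections_to_create: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Deny(String),
}

/// Step 1, the "loose" guard: owners and admins pass unconditionally (the
/// AdminHeaders behaviour), a Custom role is handed on to the per-collection
/// check, and a plain User is refused.
fn passes_loose_guard(m: &Membership) -> Result<bool, String> {
    match m.role {
        OrgRole::Owner | OrgRole::Admin => Ok(true),
        OrgRole::Custom => Ok(false),
        OrgRole::User => Err("organization users cannot import".to_string()),
    }
}

/// Step 2: every collection named in the payload must be one the member
/// manages with write access, and creating collections needs the matching
/// permission. Ids the member was never granted fail closed.
pub fn authorize_import(m: &Membership, req: &ImportRequest) -> Decision {
    match passes_loose_guard(m) {
        Err(reason) => return Decision::Deny(reason),
        Ok(true) => return Decision::Allow,
        Ok(false) => {}
    }
    if req.target_collection_ids.is_empty() && req.collections_to_create == 0 {
        return Decision::Deny("import names no target collection".to_string());
    }
    if req.collections_to_create > 0 && !m.create_new_collections {
        return Decision::Deny("member may not create collections".to_string());
    }
    for id in &req.target_collection_ids {
        match m.collections.get(id) {
            Some(access) if access.manage && !access.read_only => {}
            Some(_) => return Decision::Deny(format!("collection {id} is not managed by this member")),
            None => return Decision::Deny(format!("collection {id} is not assigned to this member")),
        }
    }
    Decision::Allow
}

/// Constructed sample: a Custom-role member who manages "c-1" but only reads "c-2".
pub fn sample_custom_member() -> Membership {
    let mut collections = HashMap::new();
    collections.insert("c-1".to_string(), CollectionAccess { read_only: false, manage: true });
    collections.insert("c-2".to_string(), CollectionAccess { read_only: true, manage: false });
    Membership { role: OrgRole::Custom, create_new_collections: true, collections }
}

fn main() {
    let member = sample_custom_member();
    let ok = ImportRequest { target_collection_ids: vec!["c-1".into()], collections_to_create: 1 };
    let bad = ImportRequest { target_collection_ids: vec!["c-1".into(), "c-2".into()], collections_to_create: 0 };
    println!("{:?}", authorize_import(&member, &ok));
    println!("{:?}", authorize_import(&member, &bad));
}
```

Because the collection ids live in the request body rather than the path or query string, the per-collection loop has to run after the body is parsed, which is the reason the existing path-based guard cannot simply be swapped for a looser one; a guard that only checks the role would let a Custom-role member write into any collection in the organization.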