diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index 437934c79e..834fc6d332 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -355,17 +355,19 @@ impl Cipher {
             // There's an edge case where a cipher can be in multiple collections
             // with inconsistent access flags. For example, a cipher could be in
             // one collection where the user has read-only access, but also in
-            // another collection where the user has read/write access. To handle
-            // this, we do a boolean OR of all values in each of the `read_only`
-            // and `hide_passwords` columns. This could ideally be done as part
-            // of the query, but Diesel doesn't support a max() or bool_or()
-            // function on booleans and this behavior isn't portable anyway.
+            // another collection where the user has read/write access. For a flag
+            // to be in effect for a cipher, upstream requires all collections the
+            // cipher is in to have that flag set. Therefore, we do a boolean AND
+            // of all values in each of the `read_only` and `hide_passwords` columns.
+            // This could ideally be done as part of the query, but Diesel doesn't
+            // support a min() or bool_and() function on booleans and this behavior
+            // isn't portable anyway.
             if let Ok(vec) = query.load::<(bool, bool)>(conn) {
-                let mut read_only = false;
-                let mut hide_passwords = false;
+                let mut read_only = true;
+                let mut hide_passwords = true;
                 for (ro, hp) in vec.iter() {
-                    read_only |= ro;
-                    hide_passwords |= hp;
+                    read_only &= ro;
+                    hide_passwords &= hp;
                 }
 
                 Some((read_only, hide_passwords))