You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If a user is in 2 collections and one of them has the setting "Hide Passwords" set, all passwords that are in both collections will not be readable by the user, even if the user shares a login item from the collection with no "Hide Passwords" set.
Deployment environment
vaultwarden version: 1.23.0
Install method: vaultwarden/server:1.23.0-alpine in Kubernetes
Clients used: web
Reverse proxy and version: NA
MySQL/MariaDB or PostgreSQL version: postgresql13-server-13.4 with Patroni HA (2 hosts Oraclelinux 8)
Lets say user2 (or any other user from team2) wants to add login item windows1 to collection team3. user1 adds user2 to team3 with the option "Hide Passwords" so that user2 could not see the passwords for team3. user2 adds windows1 to collection team3. windows1 now is visible in two collections team2 and team3.
Expected behaviour
user2 can still read the passowrd from item windows1. user2 has no permissions to remove any items from team3. user2 has no permissions to add any items from team3 to team2 (passwords for items added from team3 to team2 are not readable).
Actual behaviour
user2 cannot view the password of windows1 any more, it is grayed out (user2 can remove windows1 from team3 and the password becomes visible again) user2 can also now add any other item from team3 to team2 and remove any item from team3. The passwords will not be possible to read, but user3 (or other users from team3) would not see any items in team3 any more.
Troubleshooting data
Used the web client with multiple users to test.
The text was updated successfully, but these errors were encountered:
Subject of the issue
If a user is in 2 collections and one of them has the setting "Hide Passwords" set, all passwords that are in both collections will not be readable by the user, even if the user shares a login item from the collection with no "Hide Passwords" set.
Deployment environment
Install method: vaultwarden/server:1.23.0-alpine in Kubernetes
Clients used: web
Reverse proxy and version: NA
MySQL/MariaDB or PostgreSQL version: postgresql13-server-13.4 with Patroni HA (2 hosts Oraclelinux 8)
Other relevant details: NA
Steps to reproduce
Lets say we have:
organiztaions: org1
collections: team1, team2, team3
users: user1, user2, user3, ...
login items in team1: linux1, linux2
login items in team2: windows1, windows2
login items in team3: router1, router2
collection access user1 (owner): all
collection access user2 (user): team2
collection access user3 (user): team3
Lets say user2 (or any other user from team2) wants to add login item windows1 to collection team3. user1 adds user2 to team3 with the option "Hide Passwords" so that user2 could not see the passwords for team3. user2 adds windows1 to collection team3. windows1 now is visible in two collections team2 and team3.
Expected behaviour
user2 can still read the passowrd from item windows1. user2 has no permissions to remove any items from team3. user2 has no permissions to add any items from team3 to team2 (passwords for items added from team3 to team2 are not readable).
Actual behaviour
user2 cannot view the password of windows1 any more, it is grayed out (user2 can remove windows1 from team3 and the password becomes visible again) user2 can also now add any other item from team3 to team2 and remove any item from team3. The passwords will not be possible to read, but user3 (or other users from team3) would not see any items in team3 any more.
Troubleshooting data
Used the web client with multiple users to test.
The text was updated successfully, but these errors were encountered: