user sharing item to another collection that has "Hide Passwords" cannot read the password any more #2072

Closed
perkons opened this issue Oct 29, 2021 · 0 comments · Fixed by #2073
Labels
bug Something isn't working


perkons commented Oct 29, 2021

Subject of the issue

If a user is in 2 collections and one of them has the setting "Hide Passwords" set, all passwords that are in both collections will not be readable by the user, even if the user shares a login item from the collection with no "Hide Passwords" set.

Deployment environment

  • vaultwarden version: 1.23.0
  • Install method: vaultwarden/server:1.23.0-alpine in Kubernetes

  • Clients used: web

  • Reverse proxy and version: NA

  • MySQL/MariaDB or PostgreSQL version: postgresql13-server-13.4 with Patroni HA (2 hosts Oraclelinux 8)

  • Other relevant details: NA

Steps to reproduce

Let's say we have:

organizations: org1
collections: team1, team2, team3
users: user1, user2, user3, ...
login items in team1: linux1, linux2
login items in team2: windows1, windows2
login items in team3: router1, router2
collection access user1 (owner): all
collection access user2 (user): team2
collection access user3 (user): team3

Let's say user2 (or any other user from team2) wants to add login item windows1 to collection team3. user1 adds user2 to team3 with the option "Hide Passwords" so that user2 could not see the passwords for team3. user2 adds windows1 to collection team3. windows1 is now visible in two collections, team2 and team3.

Expected behaviour

user2 can still read the password from item windows1. user2 has no permissions to remove any items from team3. user2 has no permissions to add any items from team3 to team2 (passwords for items added from team3 to team2 are not readable).

Actual behaviour

user2 cannot view the password of windows1 any more; it is grayed out (user2 can remove windows1 from team3 and the password becomes visible again). user2 can also now add any other item from team3 to team2 and remove any item from team3. The passwords will not be possible to read, but user3 (or other users from team3) would not see any items in team3 any more.

Troubleshooting data

Used the web client with multiple users to test.
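
The "Hide Passwords" merge described in this report, as an added Rust sketch that is not part of the original issue and not vaultwarden's code. The `Grant` struct and all function names are hypothetical, and the model covers only the "Hide Passwords" flag for an item that sits in several collections:

```rust
use std::collections::HashMap;

/// One user's access to one collection (hypothetical model, not vaultwarden's schema).
struct Grant {
    hide_passwords: bool,
}

/// Grants through which the user reaches an item, one per collection the item is in.
fn reaching<'a>(item_cols: &[&str], grants: &'a HashMap<&str, Grant>) -> Vec<&'a Grant> {
    item_cols.iter().filter_map(|c| grants.get(*c)).collect()
}

/// Reported behaviour: a single hiding grant hides the password everywhere.
/// Returns None when the user cannot reach the item through any collection.
fn hidden_strictest(item_cols: &[&str], grants: &HashMap<&str, Grant>) -> Option<bool> {
    let reach = reaching(item_cols, grants);
    if reach.is_empty() {
        return None;
    }
    Some(reach.iter().any(|g| g.hide_passwords))
}

/// Expected behaviour: hidden only when every grant that reaches the item hides it.
fn hidden_expected(item_cols: &[&str], grants: &HashMap<&str, Grant>) -> Option<bool> {
    let reach = reaching(item_cols, grants);
    if reach.is_empty() {
        return None;
    }
    Some(reach.iter().all(|g| g.hide_passwords))
}

/// user2 from the report: member of team2, added to team3 with "Hide Passwords".
fn user2_grants() -> HashMap<&'static str, Grant> {
    HashMap::from([
        ("team2", Grant { hide_passwords: false }),
        ("team3", Grant { hide_passwords: true }),
    ])
}

fn main() {
    let grants = user2_grants();
    // Item-to-collection mapping after user2 shares windows1 into team3.
    let items = [("windows1", vec!["team2", "team3"]), ("router1", vec!["team3"]), ("linux1", vec!["team1"])];
    for (name, cols) in &items {
        println!("{name}: reported={:?} expected={:?}", hidden_strictest(cols, &grants), hidden_expected(cols, &grants));
    }
}
```

The two functions differ only for items reachable through both a hiding and a non-hiding collection, which is the windows1 case in the steps above.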
