Collection creation causes permission error in logs and logout in interface about vaultwarden HOT 8 CLOSED

It works for me, at least when using testing.

I suggest to test that version, but it actually looks like the either the token is expired or not correct, or something else during the login is incorrect.

from vaultwarden.

The vault was initially created by me. I set another account as owner, later.
I already tried every available role to get access with my account, again.

What do you mean? Did the other owner change your role? Kicked you out of the organization?
How did you try to get access? Did you add yourself in the database? Did you change your role in the /admin/users/overview page? Also can you please post the support string from the /admin/diagnostics page?

from vaultwarden.

Also, the only way i can get this message via the web-vault is by setting a users as manager/admin/owner, with that user go to the org interface, open the collection creation form. With the other user demote that user to user again.

Fill in the form and and submit, that will generate the error, but that is expected.

from vaultwarden.

It works for me, at least when using testing.

I suggest to test that version, but it actually looks like the either the token is expired or not correct, or something else during the login is incorrect.

I can confirm that it works in testing.
I can also confirm that I like the new interface 😄

from vaultwarden.

What do you mean? Did the other owner change your role? Kicked you out of the organization? How did you try to get access? Did you add yourself in the database? Did you change your role in the /admin/users/overview page? Also can you please post the support string from the /admin/diagnostics page?

I created the Vault using my personal account. Later, I created an account for administrative tasks, gave it the owner role and set my personal account as user.
When I tried to create a collection using my personal account I ran into the issue for the first time. To fix it I tried to give me admin, then manager, then owner. I changed the roles using /organizations/xxx-xxx-xxx-xxx-xxx/members, later using /admin/users/overview.

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.5
• Web-vault version: v2024.1.2b
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.44.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************************",
  "domain_origin": "*****://***********************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "**********************",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "**********************************",
  "smtp_host": "***********************************************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

from vaultwarden.

So, what i see here is what i described in my previous post. You changed your personal member account to a user level. Users are not allowed to create collections, which is why you see that message.

If you have a special admin user to manage the organization, you need to use that user to make those changes.
Else, give your personal member account manager rights, which is the least privileged level, but that is still able to create collections.

Vaultwarden does a valid and correct check for these privileges and that is why you get that message.
Since we are not able to reproduce this without actually braking it in a way it should be broken, and your description too me seems that this was also the case I'm going to close this issue.

The solution is to make sure you granted the organization member the correct permission level to allow these actions.

from vaultwarden.

So, what i see here is what i described in my previous post. You changed your personal member account to a user level. Users are not allowed to create collections, which is why you see that message.

If you have a special admin user to manage the organization, you need to use that user to make those changes. Else, give your personal member account manager rights, which is the least privileged level, but that is still able to create collections.

Vaultwarden does a valid and correct check for these privileges and that is why you get that message. Since we are not able to reproduce this without actually braking it in a way it should be broken, and your description too me seems that this was also the case I'm going to close this issue.

The solution is to make sure you granted the organization member the correct permission level to allow these actions.

But, even when I set my peronal account back to owner, as described above, I get this error. In testing it works fine.

from vaultwarden.

I now "fixed" the issue by removing my aacount from the vault an re-add it again.

from vaultwarden.