Add manage role for collections and groups (#5386)

* Add manage role for collections and groups This commit will add the manage role/column to collections and groups. We need this to allow users part of a collection either directly or via groups to be able to delete ciphers. Without this, they are only able to either edit or view them when using new clients, since these check the manage role. Still trying to keep it compatible with previous versions and able to revert to an older Vaultwarden version and the `access_all` feature of the older installations. In a future version we should really check and fix these rights and create some kind of migration step to also remove the `access_all` feature and convert that to a `manage` option. But this commit at least creates the base for this already. This should resolve #5367 Signed-off-by: BlackDex <black.dex@gmail.com> * Fix an issue with access_all If owners or admins do not have the `access_all` flag set, in case they do not want to see all collection on the password manager view, they didn't see any collections at all anymore. This should fix that they are still able to view all the collections and have access to it. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
2025-09-14 12:35:57 +03:00 · 2025-01-21 23:33:41 +01:00
parent ef2695de0c
commit d1dee04615
16 changed files with 184 additions and 70 deletions
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@@ -29,6 +29,7 @@ db_object! {
        pub groups_uuid: GroupId,
        pub read_only: bool,
        pub hide_passwords: bool,
+        pub manage: bool,
    }

    #[derive(Identifiable, Queryable, Insertable)]
@@ -92,7 +93,7 @@ impl Group {
                    "id": entry.collections_uuid,
                    "readOnly": entry.read_only,
                    "hidePasswords": entry.hide_passwords,
-                    "manage": !entry.read_only && !entry.hide_passwords,
+                    "manage": entry.manage,
                })
            })
            .collect();
@@ -118,12 +119,19 @@ impl Group {
 }

 impl CollectionGroup {
-    pub fn new(collections_uuid: CollectionId, groups_uuid: GroupId, read_only: bool, hide_passwords: bool) -> Self {
+    pub fn new(
+        collections_uuid: CollectionId,
+        groups_uuid: GroupId,
+        read_only: bool,
+        hide_passwords: bool,
+        manage: bool,
+    ) -> Self {
        Self {
            collections_uuid,
            groups_uuid,
            read_only,
            hide_passwords,
+            manage,
        }
    }

@@ -131,11 +139,12 @@ impl CollectionGroup {
        // If both read_only and hide_passwords are false, then manage should be true
        // You can't have an entry with read_only and manage, or hide_passwords and manage
        // Or an entry with everything to false
+        // For backwards compaibility and migration proposes we keep checking read_only and hide_password
        json!({
            "id": self.groups_uuid,
            "readOnly": self.read_only,
            "hidePasswords": self.hide_passwords,
-            "manage": !self.read_only && !self.hide_passwords,
+            "manage": self.manage || (!self.read_only && !self.hide_passwords),
        })
    }
 }
@@ -319,6 +328,7 @@ impl CollectionGroup {
                        collections_groups::groups_uuid.eq(&self.groups_uuid),
                        collections_groups::read_only.eq(&self.read_only),
                        collections_groups::hide_passwords.eq(&self.hide_passwords),
+                        collections_groups::manage.eq(&self.manage),
                    ))
                    .execute(conn)
                {
@@ -333,6 +343,7 @@ impl CollectionGroup {
                                collections_groups::groups_uuid.eq(&self.groups_uuid),
                                collections_groups::read_only.eq(&self.read_only),
                                collections_groups::hide_passwords.eq(&self.hide_passwords),
+                                collections_groups::manage.eq(&self.manage),
                            ))
                            .execute(conn)
                            .map_res("Error adding group to collection")
@@ -347,12 +358,14 @@ impl CollectionGroup {
                        collections_groups::groups_uuid.eq(&self.groups_uuid),
                        collections_groups::read_only.eq(self.read_only),
                        collections_groups::hide_passwords.eq(self.hide_passwords),
+                        collections_groups::manage.eq(self.manage),
                    ))
                    .on_conflict((collections_groups::collections_uuid, collections_groups::groups_uuid))
                    .do_update()
                    .set((
                        collections_groups::read_only.eq(self.read_only),
                        collections_groups::hide_passwords.eq(self.hide_passwords),
+                        collections_groups::manage.eq(self.manage),
                    ))
                    .execute(conn)
                    .map_res("Error adding group to collection")