Bug with managing access to shared vaults?

Options
tom5280
tom5280
Community Member
in Families

I ran into a couple of strange issues this morning with managing access to shared vaults.

I have a vault that I shared with a family member. I gave that family member viewing and editing permission. I then removed myself from the shared vault. 1Password web UI let me remove myself, who is the only person that can manage the vault. So now my other family member had a vault in their account that they can add/remove items from but they can't manage it, meaning they can't delete it, add a manager, or readd me to the vault.

My issues:
It doesn't seem 1Password should allow you to remove the only remaining person with manage permission on a vault. That vault essentially becomes stuck on your account, no way to administer or remove it.

The other issue appears to be a security problem, after I removed myself from the vault I still had the manage vault page in my browser history. Once I realized the mistake I made by removing the only manager on the vault, I tried to browse to the manage vault page in my history and was able to see the settings page for the vault and add myself back with manage permission, even though I had been removed from the vault. This was lucky, as the vault would have become stuck on my family members account, but still concerning that I could add myself back when I didn't actually have permission to do so.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Safari

Comments

  • Tertius3
    Tertius3
    Community Member
    Options

    Anybody with the family account organizer role can add any access to himself to any shared vault, even if he currently hasn't access. He has hardcoded managing permission, even if he isn't listed as managing allowed. So it's not possible some vault gets orphaned.

    If the family organizer removed himself completely from some vault or was never listed, he can still click the "Share" button in vault details where all the people with access are listed and add himself again.

  • tom5280
    tom5280
    Community Member
    Options

    Where do you see the vault to add access back? For me the vaults don’t show in the UI if I don’t have access to them.

  • Tertius3
    Tertius3
    Community Member
    edited June 2023
    Options

    In the account management website, click the "Vaults" link in the sidebar at the right. Not on the Vault icon in the top left corner.
    You will get a list of every vault on the account, then you can click on the vault, then on the "Share Vault" button in the vault details page, and add yourself back.

    It's a common design that someone with admin access is able to override and get himself back into access, even if he isn't included in some access control list. It's a feature, not a bug. Systems would become unmanageable very soon, if there is no such functionality.

  • ag_josephine
    ag_josephine
    Options

    @tom5280,

    To manage access to vaults, the above user is correct; you'll need to access the account via 1Password.com within your browser - for more information on managing access, you can follow along with our manage access support section within this article.

This discussion has been closed.