
Single Organization policy erroneously removed all members from org #4205

Closed
Spunkie opened this issue Dec 27, 2023 · 8 comments · Fixed by #4207
Labels
bug Something isn't working

Comments

Spunkie commented Dec 27, 2023

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.1
  • Web-vault version: v2023.10.0
  • OS/Arch: linux/aarch64
  • Running within Docker: true (Base: Alpine)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Polished Geek",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "****************",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": "73981",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Steps to reproduce

I was trying to turn on the Account recovery administration org policy but it required the Single Organization policy to be turned on first. When turning on the Single Organization policy it does warn that:

Organization members who are not owners or admins and are already a member of another organization will be removed from your organization.

But I didn't expect this to apply to anyone on our vaultwarden instance because our instance only has a single org on it.

Expected behaviour

I would have expected the policy to turn on and that no one would be removed from my org.

Actual behaviour

All non-admin/owners were removed from my org.

BlackDex (Collaborator) commented

What happened is the expected behavior as described at Bitwarden.
https://bitwarden.com/help/policies/#single-organization

Spunkie (Author) commented Dec 28, 2023

@BlackDex I've read the passage you linked multiple times and it's still unexpected to me.

Users in the organization who are members of multiple organizations will be removed from your organization when you turn on this policy.

None of the ejected members were part of multiple orgs. Sorry I'm being dense here, can you point out the exact wording that I'm missing that would make this expected behavior?


This policy is enforced even for users who have only accepted invitation to your organization.

There is that passage, but I'm pretty sure this is referring to members that have accepted an invite to an org but not yet been confirmed by an admin.

BlackDex (Collaborator) commented Dec 28, 2023

Are you sure the users were not part of any other org?
Because the code tells me they should have.

https://github.com/dani-garcia/vaultwarden/blob/cbdcf8ef9f1ba0f4ad63f14d366ee778979a91ee/src/api/core/organizations.rs#L1741..L1764

It checks if the count of organisations is greater than 1 and if the user isn't an admin or owner or not in an invited state; if the count is then more than 1, those users will be deleted.

So that tells me the users should be in a different organization too.
Double check the admin interface and see to which orgs they are a member.

Spunkie (Author) commented Dec 28, 2023

@BlackDex Unless they are talking about orgs outside my instance then yes, there is only one org on my instance:
[screenshot: admin interface organizations list]

BlackDex (Collaborator) commented

And the user count there doesn't match the amount of users you are expecting? Those 18 are all admin or owner level users?

BlackDex reopened this Dec 28, 2023

BlackDex (Collaborator) commented

Looks like the query which does the count is wrong.
Thanks for reporting.

BlackDex added the bug label Dec 28, 2023
BlackDex added a commit to BlackDex/vaultwarden that referenced this issue Dec 28, 2023
There was an error in the single org policy check to determine how many
users there are in an org. The `or` check was at the wrong location in
the DSL.

This is now fixed.

Fixes dani-garcia#4205
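The commit message above says the `or` in the membership-count query sat at the wrong level of the DSL. The following is an added illustration, not Vaultwarden's own code or the contents of the fix: it models the check BlackDex describes (non-admin, non-invited members are removed when their accepted-plus-confirmed membership count, which includes the org itself, is greater than 1) against a constructed in-memory membership table, and contrasts a predicate grouped as `(user = u AND status = Accepted) OR status = Confirmed` with the intended `user = u AND (status = Accepted OR status = Confirmed)`. The table, user names and org names are constructed for the example; the mis-grouping shown is one way an `or` at the wrong level produces the symptom in the thread, not a claim about the exact original query.

```rust
// Added illustration (not Vaultwarden's code): how an `or` attached at the
// wrong level of a membership-count predicate makes a single-organization
// policy check remove every non-admin member, even on a one-org instance.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Role {
    Owner,
    Admin,
    User,
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Status {
    Invited,
    Accepted,
    Confirmed,
}

/// One row of a hypothetical users-to-organizations table.
#[derive(Clone, Copy, Debug)]
pub struct Membership {
    pub user: &'static str,
    pub org: &'static str,
    pub role: Role,
    pub status: Status,
}

/// Wrong grouping: the `or` applies to the whole preceding chain, so the
/// predicate is `(user = u AND status = Accepted) OR status = Confirmed` and
/// every confirmed membership on the instance is counted, whoever owns it.
pub fn count_orgs_buggy(rows: &[Membership], user: &str) -> usize {
    rows.iter()
        .filter(|m| (m.user == user && m.status == Status::Accepted) || m.status == Status::Confirmed)
        .count()
}

/// Intended grouping: the `or` only joins the two status conditions, so the
/// predicate is `user = u AND (status = Accepted OR status = Confirmed)`.
pub fn count_orgs_fixed(rows: &[Membership], user: &str) -> usize {
    rows.iter()
        .filter(|m| m.user == user && (m.status == Status::Accepted || m.status == Status::Confirmed))
        .count()
}

/// Policy enforcement as described in the thread: members of `org` who are
/// not owners/admins and not merely invited are removed when their membership
/// count (which includes `org` itself) exceeds 1. Returns the removed users.
pub fn enforce_single_org(
    rows: &[Membership],
    org: &str,
    count: fn(&[Membership], &str) -> usize,
) -> Vec<&'static str> {
    rows.iter()
        .filter(|m| m.org == org)
        .filter(|m| m.role == Role::User && m.status != Status::Invited)
        .filter(|m| count(rows, m.user) > 1)
        .map(|m| m.user)
        .collect()
}

/// Constructed sample data: a single org "acme", plus one user ("frank")
/// who genuinely belongs to a second org and so should be removed.
pub fn sample_rows() -> Vec<Membership> {
    vec![
        Membership { user: "alice", org: "acme", role: Role::Owner, status: Status::Confirmed },
        Membership { user: "bob", org: "acme", role: Role::Admin, status: Status::Confirmed },
        Membership { user: "carol", org: "acme", role: Role::User, status: Status::Confirmed },
        Membership { user: "dave", org: "acme", role: Role::User, status: Status::Accepted },
        Membership { user: "eve", org: "acme", role: Role::User, status: Status::Invited },
        Membership { user: "frank", org: "acme", role: Role::User, status: Status::Confirmed },
        Membership { user: "frank", org: "other", role: Role::User, status: Status::Confirmed },
    ]
}

fn main() {
    let rows = sample_rows();
    // Wrong grouping removes carol, dave and frank; the intended one removes only frank.
    println!("buggy grouping removed: {:?}", enforce_single_org(&rows, "acme", count_orgs_buggy));
    println!("fixed grouping removed: {:?}", enforce_single_org(&rows, "acme", count_orgs_fixed));
}
```

With the wrong grouping, every non-admin member's count equals the number of confirmed rows on the whole instance, which is why an instance with a single org still ejects all of them; with the intended grouping only the user who really holds a second membership is removed. A regression test that asserts on the single-org case (no removals) is the cheap guard against this class of query-precedence mistake.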
tessus (Contributor) commented Jan 1, 2024

@BlackDex sorry for asking in this PR, but it is related. Isn't every user in the pseudo org vaultwarden when they are invited to no specific org?
I never saw anything in the code that would exclude users that are in this pseudo group.

BlackDex (Collaborator) commented Jan 1, 2024

That is only a group used for invites, nothing used for anything else.

dani-garcia pushed a commit that referenced this issue Jan 1, 2024
There was an error in the single org policy check to determine how many
users there are in an org. The `or` check was at the wrong location in
the DSL.

This is now fixed.

Fixes #4205
lumpsoid pushed a commit to lumpsoid/vaultwarden that referenced this issue Jan 14, 2024
There was an error in the single org policy check to determine how many
users there are in an org. The `or` check was at the wrong location in
the DSL.

This is now fixed.

Fixes dani-garcia#4205