Testing confirmed that even when a Manager has manage=false for a given collection, they can still perform the following management operations as long as they have access to the collection:
- PUT /api/organizations/<org_id>/collections/<col_id> succeeds (HTTP 200)
- PUT /api/organizations/<org_id>/collections/<col_id>/users succeeds (HTTP 200)
- DELETE /api/organizations/<org_id>/collections/<col_id> succeeds (HTTP 200)

The Manager guard checks only whether the user can access the collection, not whether they have manage privileges. This check is applied directly to the management endpoints.
src/auth.rs:816
if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await {
err_handler!("The current user isn't a manager for this collection")
}
The can_access_collection function does not evaluate the manage flag.
src/db/models/collection.rs:140
pub async fn can_access_collection(member: &Membership, col_id: &CollectionId, conn: &DbConn) -> bool {
member.has_status(MembershipStatus::Confirmed)
&& (member.has_full_access()
|| CollectionUser::has_access_to_collection_by_user(col_id, &member.user_uuid, conn).await
|| ...
A separate management-permission check exists and includes manage validation, but it is not used during authorization for the affected endpoints.
src/db/models/collection.rs:516
pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool {
let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, &self.org_uuid, conn).await else {
return false;
};
if member.has_full_access() {
return true;
}
...
The actual update and deletion endpoints only accept ManagerHeaders and do not perform additional manage checks.
src/api/core/organizations.rs:608
async fn...
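To make the gap concrete, the following is an added, simplified synchronous model of the two checks quoted above (not the project's own code; the structs, the `rows` slice standing in for the database, and the scenario values are constructed for illustration). It shows that a guard built only on the access check admits a confirmed manager whose assignment has manage=false, while a guard that also applies the manage check rejects that same user:

```rust
#[derive(Clone, Copy, PartialEq)] #[allow(dead_code)]
enum MembershipStatus { Invited, Confirmed }

// Organization membership; `full_access` models Membership::has_full_access().
struct Membership { user_uuid: &'static str, status: MembershipStatus, full_access: bool }
impl Membership {
    fn has_status(&self, s: MembershipStatus) -> bool { self.status == s }
    fn has_full_access(&self) -> bool { self.full_access }
}

// Per-user collection assignment (constructed stand-in for the CollectionUser row);
// `manage` is the flag the access-only guard never consults.
struct CollectionUser { user_uuid: &'static str, col_id: &'static str, manage: bool }
fn assigned(a: &CollectionUser, m: &Membership, col_id: &str) -> bool {
    a.user_uuid == m.user_uuid && a.col_id == col_id
}

// Mirrors can_access_collection: any confirmed assignment grants access.
fn can_access_collection(m: &Membership, col_id: &str, rows: &[CollectionUser]) -> bool {
    m.has_status(MembershipStatus::Confirmed)
        && (m.has_full_access() || rows.iter().any(|a| assigned(a, m, col_id)))
}

// Mirrors is_manageable_by_user: full access, or an assignment with manage=true.
fn is_manageable_by_user(m: &Membership, col_id: &str, rows: &[CollectionUser]) -> bool {
    m.has_status(MembershipStatus::Confirmed)
        && (m.has_full_access() || rows.iter().any(|a| assigned(a, m, col_id) && a.manage))
}

const NOT_MANAGER: &str = "The current user isn't a manager for this collection";

// Guard as quoted from src/auth.rs: only the access check gates management endpoints.
fn vulnerable_manager_guard(m: &Membership, col_id: &str, rows: &[CollectionUser]) -> Result<(), &'static str> {
    if can_access_collection(m, col_id, rows) { Ok(()) } else { Err(NOT_MANAGER) }
}

// Hardened guard: management endpoints additionally require the manage check.
fn hardened_manager_guard(m: &Membership, col_id: &str, rows: &[CollectionUser]) -> Result<(), &'static str> {
    vulnerable_manager_guard(m, col_id, rows)?;
    if is_manageable_by_user(m, col_id, rows) { Ok(()) } else { Err(NOT_MANAGER) }
}

fn main() {
    // Constructed scenario: confirmed manager with manage=false on collection "col-1".
    let manager = Membership { user_uuid: "u1", status: MembershipStatus::Confirmed, full_access: false };
    let rows = [CollectionUser { user_uuid: "u1", col_id: "col-1", manage: false }];
    println!("access-only guard: {:?}", vulnerable_manager_guard(&manager, "col-1", &rows)); // Ok(())
    println!("manage-aware guard: {:?}", hardened_manager_guard(&manager, "col-1", &rows)); // Err(..)
}
```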
1.35.4

CVSS 3.1 base score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
Exploitability: AV:N / AC:L / PR:L / UI:N
Scope: S:U
Impact: C:H / I:H / A:L