szczeles opened a new issue, #25734: URL: https://github.com/apache/airflow/issues/25734
### Apache Airflow version

2.3.3

### What happened

There is an API `PATCH /api/v1/roles/[role]` that is supposed to be able to update an existing role. When I call it, providing a list of permissions to attach in the `actions` field (in the JSON body), the new permissions are added to the role, but removed permissions are not removed.

It is related to the fact that the API implementation calls [security_manager.bulk_sync_roles](https://github.com/apache/airflow/blob/2.3.3/airflow/api_connexion/endpoints/role_and_permission_endpoint.py#L139) and the method never removes any permissions, only adds new ones by calling [self.add_permission_to_role](https://github.com/apache/airflow/blob/2.3.3/airflow/www/security.py#L243).

### What you think should happen instead

An API call to `PATCH /api/v1/roles/[role]` should remove the dropped permissions. The UI form works that way.

### How to reproduce

1. Set up a fresh Airflow (webserver is enough) and log in as admin to the UI
2. Create a new role with permissions: `can read on Website`, `menu access on Browse`
3. Use `PATCH /api/v1/roles/[role]` to update permissions to `can read on Website`, `can read on DAGs`
4. Verify in the UI that the role has 3 permissions -> `menu access on Browse` is not removed

### Operating System

Debian 10

### Versions of Apache Airflow Providers

_No response_

### Deployment

Official Apache Airflow Helm Chart

### Deployment details

_No response_

### Anything else

_No response_

### Are you willing to submit PR?

- [X] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
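The following is an added example, not part of the original issue and not Airflow's own code. It models the add-only update the issue reports next to a replace-style update, and includes a check that lists permissions still attached to a role after an update that did not request them. All function names, the role name `demo_role`, the in-memory store, and the nested `actions` body shape with underscored action names are assumptions made for illustration.

```python
# Added illustration; not Airflow code. Roles live in a dict:
# role name -> set of (action, resource) pairs. All names are hypothetical.

def role_body(name, perms):
    """Build a role JSON body; the nested `actions` shape is an assumption."""
    return {"name": name,
            "actions": [{"action": {"name": a}, "resource": {"name": r}}
                        for a, r in perms]}

def pairs(body):
    """Flatten a body's `actions` list into a set of (action, resource)."""
    return {(p["action"]["name"], p["resource"]["name"])
            for p in body.get("actions", [])}

def sync_add_only(store, body):
    """Behaviour reported in the issue: requested permissions are added,
    permissions missing from the request are never removed."""
    store.setdefault(body["name"], set()).update(pairs(body))

def sync_replace(store, body):
    """Behaviour the reporter expects: the role ends with exactly the
    requested set. Returns (granted, revoked) so the change can be logged."""
    wanted = pairs(body)
    current = store.get(body["name"], set())
    store[body["name"]] = wanted
    return wanted - current, current - wanted

def stale_permissions(requested_body, actual_body):
    """Permissions present on the role that the update did not request."""
    return pairs(actual_body) - pairs(requested_body)

# Constructed sample data mirroring the reproduction steps in the issue.
INITIAL = [("can_read", "Website"), ("menu_access", "Browse")]
UPDATE = [("can_read", "Website"), ("can_read", "DAGs")]

def reproduce(sync):
    """Create the role, apply the update with `sync`, return stale permissions."""
    store = {"demo_role": set(INITIAL)}
    request = role_body("demo_role", UPDATE)
    sync(store, request)
    actual = role_body("demo_role", sorted(store["demo_role"]))
    return sorted(stale_permissions(request, actual))

if __name__ == "__main__":
    print("add-only:", reproduce(sync_add_only))
    print("replace: ", reproduce(sync_replace))
```

The same `stale_permissions` comparison can be applied to a real request body and the role as read back afterwards, to confirm that an intended revocation took effect.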
