szczeles opened a new issue, #25734:
URL: https://github.com/apache/airflow/issues/25734

   ### Apache Airflow version
   
   2.3.3
   
   ### What happened
   
   There is an API `PATCH /api/v1/roles/[role]` that is supposed to be able to update an existing role. When I call it, providing a list of permissions to attach in the `actions` field (in the JSON body), the new permissions are added to the role, but removed permissions are not removed. It is related to the fact that the API implementation calls [security_manager.bulk_sync_roles](https://github.com/apache/airflow/blob/2.3.3/airflow/api_connexion/endpoints/role_and_permission_endpoint.py#L139) and the method never removes any permissions, only adds new ones by calling [self.add_permission_to_role](https://github.com/apache/airflow/blob/2.3.3/airflow/www/security.py#L243).
   
   ### What you think should happen instead
   
   An API call to `PATCH /api/v1/roles/[role]` should remove the dropped permissions. The UI form works that way.
   
   ### How to reproduce
   
   1. Set up a fresh Airflow (webserver is enough) and log in as admin to the UI
   2. Create a new role with permissions: `can read on Website`, `menu access on Browse`
   3. Use `PATCH /api/v1/roles/[role]` to update permissions to `can read on Website`, `can read on DAGs`
   4. Verify in the UI that the role has 3 permissions -> `menu access on Browse` is not removed
   
   ### Operating System
   
   Debian 10
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Official Apache Airflow Helm Chart
   
   ### Deployment details
   
   _No response_
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [X] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
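
A post-change check for the behaviour reported above, as an added example that is not part of the original issue and not Airflow code: it compares the permission set sent in a role PATCH body with the set the role holds afterwards and reports anything left attached. The role body shape, the action and resource spellings (`can_read`, `menu_access`), the role name and both sync functions are assumptions that model the additive and the replacing behaviour on constructed data.

```python
# Added example (not Airflow code): audit a role for permissions that survive a PATCH.
# Assumed body shape:
#   {"name": ..., "actions": [{"action": {"name": ...}, "resource": {"name": ...}}]}

def body(name, perms):
    """Build a role body from (action, resource) pairs."""
    return {"name": name,
            "actions": [{"action": {"name": a}, "resource": {"name": r}}
                        for a, r in perms]}

def perm_set(role_body):
    """Flatten a role body's `actions` list into a set of (action, resource)."""
    return {(p["action"]["name"], p["resource"]["name"])
            for p in role_body.get("actions", [])}

def additive_sync(current, requested):
    """Model of the reported behaviour: requested permissions are added, none removed."""
    return body(requested["name"], sorted(perm_set(current) | perm_set(requested)))

def replace_sync(current, requested):
    """Model of the expected behaviour: the role ends with exactly the requested set."""
    return body(requested["name"], sorted(perm_set(requested)))

def audit(requested, effective):
    """Diff what was asked for against what the role holds after the update."""
    want, have = perm_set(requested), perm_set(effective)
    return {"stale": sorted(have - want), "missing": sorted(want - have)}

# Constructed data following the reproduction steps in the issue.
BEFORE = body("example_role", [("can_read", "Website"), ("menu_access", "Browse")])
PATCH_BODY = body("example_role", [("can_read", "Website"), ("can_read", "DAGs")])

if __name__ == "__main__":
    for label, sync in (("additive", additive_sync), ("replace", replace_sync)):
        print(label, audit(PATCH_BODY, sync(BEFORE, PATCH_BODY)))
```

In a real deployment the `effective` argument would be the role as read back from the API after the PATCH; a non-empty `stale` list means the role still grants access that the update was meant to revoke.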
