rusackas opened a new pull request, #41294:
URL: https://github.com/apache/superset/pull/41294
### SUMMARY
`UpdateRLSRuleCommand` read `tables`/`roles` from the request body
defaulting to `[]`, and unconditionally wrote them back during `validate()`. As
a result, a partial `PUT` that omitted those fields (e.g. `{"name": "new
name"}`) replaced the rule's table and role bindings with empty lists —
silently changing which rows the RLS filter constrains.
This makes partial updates behave as expected:
- `validate()` now only resolves and overwrites the relationships that are
actually present in the request body. Omitted `tables`/`roles` are left
untouched.
- `RLSPutSchema.tables` gains `Length(1)`, mirroring `RLSPostSchema`, so
`tables` cannot be set to an empty list on update either.
`roles` keeps no minimum-length constraint, matching the create schema (base
filters may legitimately specify zero excluded roles).
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend command/schema behavior.
### TESTING INSTRUCTIONS
Unit tests added in `tests/unit_tests/commands/security/rls_test.py`:
- A partial update omitting `tables`/`roles` does not resolve or write those
keys (existing bindings preserved).
- An update touching only `roles` does not resolve or overwrite `tables`.
Run: `pytest tests/unit_tests/commands/security/rls_test.py`
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
> Note: `PUT /api/v1/rowlevelsecurity/<pk>` with an explicit empty `tables`
list is now rejected (must contain at least one table), consistent with create.
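The before/after behaviour described in the summary, as an added example that is not part of the pull request or Superset's own code. `Rule`, `update_before`, `update_after`, `cleared_bindings` and the sample values are hypothetical stand-ins, and plain ID lists take the place of resolved table and role objects.

```python
from dataclasses import dataclass, field

RELATIONSHIPS = ("tables", "roles")

@dataclass
class Rule:  # hypothetical stand-in for a stored RLS rule
    name: str
    clause: str
    tables: list = field(default_factory=list)
    roles: list = field(default_factory=list)

def update_before(rule: Rule, body: dict) -> Rule:
    """Pre-fix pattern: omitted relationships default to [] and are written back."""
    props = dict(body)
    for key in RELATIONSHIPS:
        props[key] = body.get(key, [])  # an omitted key becomes an empty list
    for key, value in props.items():
        setattr(rule, key, value)       # unconditional overwrite
    return rule

def update_after(rule: Rule, body: dict) -> Rule:
    """Post-fix pattern: validate first, then touch only the keys that were sent."""
    if "tables" in body and len(body["tables"]) < 1:
        raise ValueError("tables must contain at least one item")
    for key, value in body.items():
        setattr(rule, key, value)       # roles may still be set to [] explicitly
    return rule

def cleared_bindings(before: Rule, after: Rule, body: dict) -> list:
    """Regression check: relationships emptied although the request never named them."""
    return [key for key in RELATIONSHIPS
            if key not in body and getattr(before, key) and not getattr(after, key)]

def sample_rule() -> Rule:
    # Constructed sample data, not taken from a real deployment
    return Rule("eu_only", "region = 'EU'", tables=[12], roles=[3, 4])

if __name__ == "__main__":
    body = {"name": "new name"}  # the partial PUT from the summary
    print("before fix:", cleared_bindings(sample_rule(), update_before(sample_rule(), body), body))
    print("after fix: ", cleared_bindings(sample_rule(), update_after(sample_rule(), body), body))
```

`cleared_bindings` can be reused as an assertion in API tests for any update endpoint that accepts partial bodies.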