Re: [PR] fix(roles): prevent 413/404 errors when saving roles with many users [superset]

Fri, 15 May 2026 17:57:52 -0700 


bito-code-review[bot] commented on PR #40178:
URL: https://github.com/apache/superset/pull/40178#issuecomment-4464881495

   <!-- Bito Reply -->
   The PR diff shows that the `update_role_users` endpoint in 
`superset/security/manager.py` is modifying the incoming `user_ids` by 
deduplicating them (`user_ids = list(set(item["user_ids"]))`) but still 
returning a payload serialized from the original `item`, which includes the 
pre-deduplicated and potentially invalid user IDs. This results in a mismatch 
between the response and the actual persisted data. The suggestion is to return 
the saved user IDs or the updated role state instead of echoing the original 
request to avoid this inconsistency. The fix would involve modifying the 
response to use the `users` that were actually persisted rather than the 
original `item`. This would ensure that the response accurately reflects the 
state of the data in the database.
   
   **superset/security/manager.py**
   ```
   def update_role_users(self, role_id: int) -> Any:
       """Override to deduplicate user IDs and handle missing users 
gracefully."""
       try:
           item = self.update_role_user_schema.load(request.json)
           role = self.datamodel.get(role_id)
           if not role:
               return self.response_404()
   
           user_ids = list(set(item["user_ids"]))
           users = (
               current_app.appbuilder.session.query(User)
               .filter(User.id.in_(user_ids))
               .all()
           )
           role.user = users
           self.datamodel.edit(role)
           return self.response(
               200,
               **{
                   API_RESULT_RES_KEY: self.update_role_user_schema.dump(
                       item, many=False
                   )
               },
           )
       except ValidationError as error:
           return self.response_400(message=error.messages)
       except IntegrityError as ex:
           return self.response_422(message=str(ex.orig))
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to