Allow PATCH role endpoint to remove permissions not included in PATCH call #29132
Conversation
boring-cyborg
bot
added
area:API
|
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
|
There was a problem hiding this comment.
Sorry for long no response.
I think this is not the right approach I believe. What currently the PR implements is really "PUT" semantics, not "PATCH". What PATCH should do is to be able to specifically say "ADD" / "DELETE" instead of replacing the whole content. So there should be (ideally backwards compatible) way of applying PATCH.
I think a good way explaining it, and possible approach is here (with explanation why the approach is PUT disguised in PATCH:
https://medium.com/@isuru89/a-better-way-to-implement-http-patch-operation-in-rest-apis-721396ac82bf
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
closes: #25734
Rationale:
PATCH /api/v1/roles/[role]previously would only ever append permissions to a role, never removing permissions that were omitted from thePATCHcall. This makes it impossible to programmatically remove permissions from a role via the API.Change:
This change changes the behavior of the
PATCHapi for roles to allow for both adding and removing permissions based on which permissions are passed via thePATCHcall.Permissions omitted from the API call are removed from the role. Permissions passed via the API call are added to the role.
Notes:
This technically could be considered a breaking change. The way the
PATCHendpoint is currently implemented is not how it should work (based on howPATCHendpoints generally work) but users could have built their systems using this awkward behavior.