discord / discord-api-docs

Official Discord API Documentation
https://discord.com/developers/docs/intro

User Roles Not Being Properly Removed / Audit Log Discrepancies #6074

Open gwkline opened 1 year ago

gwkline commented 1 year ago

Description

Hi there, hope you are doing well. I'm reaching out regarding what seems to be a bug with updating/removing user roles through the API.

I have a bot in ~7500 guilds, and we're seeing reports that users' roles are not properly being removed, where we have both logs on our end of a successful (2xx) response from your API, and audit logs showing that our application updated or removed roles on that given user.

We have users complaining because Discord support is saying this is an issue with our bot. Could you please either add role-addition audit logs or help us identify how these users are being given roles?

We have logs (both your audit logs and internal logs) showing that on 4/3/2023 we removed 3 roles from a user. Immediately after, the user was shown with 1 of those 3 roles still present. Considering our logs only fire upon a 2xx API response code, I am lost on how this is happening.

Steps to Reproduce

API v10 endpoints

If a user has multiple roles that we are trying to remove, we call https://discord.com/developers/docs/resources/guild#modify-guild-member, with the roles parameter being an empty array

If we are looking to remove a single role, we call https://discord.com/developers/docs/resources/guild#remove-guild-member-role

This does not occur every time we call the request, but in the past few days has gotten much more common.

Expected Behavior

If our backend receives a 2xx request from these endpoints, and audit logs show roles as being removed, we would expect the roles to be removed.

We have no way to see how these roles are being added back - whether this is us, another application, or Discord. Please add this to audit logs at the very least!

Current Behavior

Our backend is being returned a 2xx response, with audit logs confirming the role is removed, but somehow the user keeps at least one of the removed roles.

Screenshots/Videos

(three screenshots attached to the issue; not reproduced here)

Client and System Information

API v10, calling through Typhoeus HTTP client in Ruby on Rails
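A read-back check for the flow described in the report above (an added example, not code from the issue, the reporter, or Discord): it removes roles through Modify Guild Member, re-fetches the member, and reports any role that survived despite the 2xx. The in-memory `FlakyDiscordApi`, the guild/user/role ids and the path strings are constructed for this example; the path shapes follow the linked docs pages.

```ruby
require 'json'
require 'set'

# Constructed in-memory stand-in for the Discord REST API (not Discord's code).
# It answers the role PATCH with 204 but, mimicking the behaviour reported in
# this issue, silently drops one of the removals so the member keeps that role.
class FlakyDiscordApi
  attr_reader :roles

  def initialize(roles, sticky_role)
    @roles = Set.new(roles)
    @sticky = sticky_role
  end

  # PATCH /guilds/{guild.id}/members/{user.id} with body {"roles": [...]}
  def patch(_path, body)
    wanted = Set.new(JSON.parse(body)['roles'])
    removed = @roles - wanted
    removed.delete(@sticky)        # simulated race: this removal never lands
    @roles -= removed
    @roles |= wanted
    204
  end

  # GET /guilds/{guild.id}/members/{user.id}
  def get(_path)
    { 'roles' => @roles.to_a.sort }
  end
end

# Remove roles via Modify Guild Member, then read the member back and return
# every role that should be gone but is still present ("leaked"). The read-back
# verification is this example's addition; the API only promises the 2xx.
def remove_roles_verified(api, guild_id, user_id, current_roles, to_remove)
  path = "/guilds/#{guild_id}/members/#{user_id}"
  keep = current_roles - to_remove
  status = api.patch(path, JSON.generate('roles' => keep))
  return { status: status, leaked: nil } unless (200..299).cover?(status)

  after = api.get(path)['roles']
  leaked = to_remove & after       # 2xx was returned, yet these roles survived
  { status: status, leaked: leaked, roles_after: after }
end

if $PROGRAM_NAME == __FILE__
  api = FlakyDiscordApi.new(%w[r1 r2 r3 r4], 'r3')   # constructed sample member
  result = remove_roles_verified(api, 'guild-id', 'user-id', %w[r1 r2 r3 r4], %w[r1 r2 r3])
  warn "role removal did not stick: #{result[:leaked]}" unless result[:leaked].empty?
  p result
end
```

A non-empty `leaked` list is the signal to log the discrepancy alongside the audit-log entry and retry the removal, rather than trusting the 2xx alone.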

hemu commented 1 year ago

Haven't been able to repro this unfortunately. There are some roles that are managed and can't be deleted, like the role that is assigned to users that boost the server. But attempting to remove these is supposed to return a 403 and not 200s like you mentioned. Is there any additional info or maybe a test server with example roles set up that I could look at where I can repro the issue?

gwkline commented 1 year ago

@hemu

I think you can do the following to reproduce:

I'm not sure if this happens every time, but a coworker was able to replicate like this within a few minutes of trying. Good luck!

plunkettscott commented 8 months ago

I'm seeing similar behavior while adding/removing roles. The audit log exists, but sometimes the changes do not actually seem to happen like the audit log suggests. I'm primarily seeing this in a server with a lot of roles and members. I think one of the servers is actually nearing the role limit.

Happy to provide specific details to someone if it is needed.

Jestriker commented 5 months ago

It happened to me as well: my audit log reports that the action was successfully made, but the user still has or does not get the role after it was given/removed. Any help? Is this a Discord problem? Code problem? Network problem? It doesn't seem like a coding problem because the audit log does suggest that the code works fine; I don't know why that's occurring.

Ben754444 commented 4 months ago

Noticing this race condition-like behaviour in the wild immediately after an action that modifies the target user, e.g. a timeout or another role modification. Following on from @gwkline's repro steps, this script consistently fails to add 1-4 roles (out of 6), but will always create the audit log entries.

All 204 responses and a user with 3 or so roles is not required.


Edit: this looks like a dupe of #6289, though timeouts causing it seems weird

obfuscatedgenerated commented 2 months ago

Facing similar behaviour with both EmailBot and Dyno (as a backup) attempting to add the role. Randomly the user simply won't get the role with audit log claiming they do have it. Onboarding could also be affecting it? This seems like a race condition and is impacting the security of our server.

https://github.com/lkaesberg/EmailVerify/issues/28