dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. Includes detailed security, auto CRUD generation for your models, Google charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

Changed by user column in ab_user table is not updated when user logged in through LDAP #2228

Open aravindan06 opened 5 months ago

aravindan06 commented 5 months ago

If you'd like to report a bug in Flask-Appbuilder, fill out the template below. Provide any extra information that may be useful

Responsible disclosure: We want to keep Flask-AppBuilder safe for everyone. If you've discovered a security vulnerability please report to danielvazgaspar@gmail.com.

Environment

Flask-Appbuilder version: 4.3.1

pip freeze output: No errors

We have the user details present in the ab_user table and, for example, if user 'X' updates any role of user 'Y', user 'X' id should be captured in the changed_by_fk column in the ab_user table. But it is not happening and the value is always null. But this case is working when we authenticate simply via database instead of LDAP.

Tell us what should happen.

We would need to understand why the changed_by_fk column is not getting updated. We can see this column gets updated in the flask-appbuilder/security/models.py file, but it's not working through LDAP auth.

aravindan06 commented 5 months ago

Hello, can someone help with this please?

Yoyasp commented 4 months ago

Are you changing properties of the role (as in changing which permissions are assigned to a role) or changing which roles are assigned to a specific user?

As far as I know, the changed_by_fk column is only updated when attributes of the user are changed (email, name, password etc...). There is a different table that tracks the roles that are assigned to the users: assoc_user_role in flask_appbuilder/security/sqla/models.py.

I'm not sure why this table does not have a column on who changed it last, but reading the code this is not a bug. If you want to be able to track changes in role assignment, you should create a new feature request where we can discuss the details on how/why to implement this.