Changed by user column in ab_user table is not updated when user logged in through LDAP

[aravindan06]

If you'd like to report a bug in Flask-Appbuilder, fill out the template below. Provide
any extra information that may be useful

Responsible disclosure:
We want to keep Flask-AppBuilder safe for everyone. If you've discovered a security vulnerability
please report to [email protected].

Environment

Flask-Appbuilder version: 4.3.1

pip freeze output: No errors

We have the user details present in ab_user table and for example if user 'X' updates any role of user 'Y', User 'X’ id should be captured in changed_by_fk column in ab_user table. But it is not happening and value is always null. But this case is working when we authenticate simply via database instead of LDAP.

Tell us what should happen.

We would need to understand why changed_by_fk column is not getting updated. We can see this column gets updated in flask-appbuilder/security/models.py file but its not working through LDAP auth.

[aravindan06]

Hello, can someone help with this please?

[Yoyasp]

Are you changing properties of the role (as in changing which permissions are assigned to a role) or changing which roles are assigned to a specific user?

As far as i know the changed_by_fk column is only updated when attributes of user are changed (email, name, password etc...).
There is a different table that tracks the roles that are assigned to the users. assoc_user_role in flask_appbuilder/security/sqla/models.py.

Im not sure why this table does not have a column on who changed it last, but reading the code this is not a bug.
If you want to be able to track changes in role assignment you should create a new feature request where we can discuss the details on how/why to implement this.