Bug description
My password changed unexpectedly while I was using this API without the "password" param: PUT /api/v1/security/users/{pk}
How to reproduce the bug
- log in to /swagger/v1
- using API: PUT /api/v1/security/users/{pk}
- my request body: {"roles": [1,3]}
But my password changed unexpectedly, and I can't log in with my old password.
before: pbkdf2:sha256:600000$dwUuXbhBFZl0RjM5$614e0b7d24cbadf0fe67885c7b0a4646391cb014b82f074914ed952dad12de27
after: pbkdf2:sha256:600000$ztVn83UZKx0VtPT5$823617b8adfb61732f4fac0c4480f93a6e5c54e828680a347d1929de72a8c2d0
Screenshots/recordings
No response
Superset version
3.1.1
Python version
3.10
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
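An added diagnostic example, not code from Superset or Flask-AppBuilder: it parses the `pbkdf2:sha256:600000$salt$hex` format shown in the report and classifies how a stored hash changed across a user update. The function names, sample password and salts are constructed, and the "old hash was hashed again" case is a hypothesis to test, not a cause confirmed in this thread.

```python
import hashlib
import hmac

def parse_hash(stored):
    """Split 'pbkdf2:<digest>:<iterations>$<salt>$<hex>' into its parts."""
    method, salt, digest_hex = stored.split("$", 2)
    scheme, digest_name, iterations = method.split(":")
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme: " + scheme)
    return digest_name, int(iterations), salt, digest_hex

def verify(stored, candidate):
    """True if the candidate secret derives to the stored digest."""
    digest_name, iterations, salt, digest_hex = parse_hash(stored)
    derived = hashlib.pbkdf2_hmac(digest_name, candidate.encode(), salt.encode(), iterations)
    return hmac.compare_digest(derived.hex(), digest_hex)

def make_hash(secret, salt, iterations=600000, digest_name="sha256"):
    """Build a constructed sample hash in the same text format."""
    derived = hashlib.pbkdf2_hmac(digest_name, secret.encode(), salt.encode(), iterations)
    return f"pbkdf2:{digest_name}:{iterations}${salt}${derived.hex()}"

def classify_change(before, after, known_password):
    """Explain how a stored hash changed between two reads of the user row."""
    if before == after:
        return "unchanged"
    if verify(after, known_password):
        return "re-salted, same password"
    if verify(after, before):
        # Hypothesis (assumption): the update hashed the stored hash string itself.
        return "old hash was hashed again"
    return "different secret"

if __name__ == "__main__":
    # Constructed sample values; substitute the hashes read before and after the PUT.
    password = "constructed-sample-password"
    before = make_hash(password, "constructedSaltA")
    after = make_hash(before, "constructedSaltB")
    print(classify_change(before, after, password))
```

Run it with the account's known password and the two values read from the user table before and after the PUT request; a result other than "unchanged" for a body such as `{"roles": [1,3]}` confirms the update touched the password column.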
Comment From: dosubot[bot]
Hey @q446570448! 👋 I'm here to assist you with any bugs, questions, or contributions while you wait for a human maintainer. I can help you solve issues, provide guidance, and more. Let me know how I can assist you!
The unexpected password change when using the PUT /api/v1/security/users/{pk} endpoint without including the password parameter could be due to how the Superset backend handles partial updates to user objects. Specifically, there might be default behaviors or configurations that affect the password field.
In Superset, when updating user information, the backend might reset or change the password if it is not explicitly included in the request body. This behavior ensures that the password is handled securely, but it can lead to unintended changes if not managed properly.
To avoid this issue, ensure that the password field is explicitly included in the request body when making updates to user information. This will prevent the backend from altering the password unexpectedly.
For further investigation, you might want to check the relevant logs or error messages in the Superset backend, as they could provide more context on why the password was changed unexpectedly [1][2].
Comment From: Frankliu2Dream
@dpgaspar Hi there, could you help take a look? Many thanks!
Comment From: 18191518054
@dpgaspar Hello, could you help take a look? Thank you very much!
https://github.com/dpgaspar/Flask-AppBuilder/pull/2179 FAB Issues
Comment From: Keveen-ghori
Have you got any solution? I am facing the same issue.
Comment From: prashant-ux23
Facing the same issue every time using this endpoint; the password changes and I am no longer able to authorise.
Comment From: rusackas
It looks like the linked PR hasn't made its way into FAB yet. I'll ping @dpgaspar to see if there's anything that can be done here.