Updating subscriber with GET response removes list memberships without permission #2737

@satoshi-szk

Version:

  • listmonk: v5.1.0
  • OS: Linux (pikopods)

Description of the bug and steps to reproduce:

When using the GET response to update a subscriber, list memberships are removed if the API user lacks list permissions.

Steps to reproduce:

  1. Create a subscriber with membership in List A
  2. Create an API key with subscribers:manage permission but no list permissions
  3. GET /api/subscribers/:id → returns lists: [] (empty due to lack of permission)
  4. PUT /api/subscribers/:id with the response data (including lists: []) to update subscriber attributes
  5. Result: The subscriber is removed from List A

Expected behavior: The subscriber should remain in List A, since the API user doesn't have permission to manage that list.

Is this the intended behavior? If so, how should we update subscriber attributes without affecting list memberships when the API user lacks list permissions?
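
The permission-scoped update that the report expects, sketched as an added Go example that is not part of the original issue and is not listmonk's code. `mergeLists`, `replaceLists` and the list IDs are hypothetical; `replaceLists` only models the outcome described in the steps above.

```go
package main

import (
	"fmt"
	"sort"
)

// replaceLists models the outcome reported in the issue (hypothetical, not
// listmonk's code): the PUT body replaces the stored memberships wholesale.
func replaceLists(current, requested []int, managed map[int]bool) []int {
	return append([]int{}, requested...)
}

// mergeLists scopes the update to the lists the API user may manage.
// Memberships outside that scope were hidden from the GET response, so their
// absence from the PUT body must not be read as a removal request.
func mergeLists(current, requested []int, managed map[int]bool) []int {
	keep := map[int]bool{}
	for _, id := range current {
		if !managed[id] { // caller cannot manage (or see) this list: preserve it
			keep[id] = true
		}
	}
	for _, id := range requested {
		if managed[id] { // within the caller's scope the request is authoritative
			keep[id] = true
		}
	}
	ids := make([]int, 0, len(keep))
	for id := range keep {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	return ids
}

func main() {
	current := []int{1}           // constructed: subscriber belongs to List A (id 1)
	noListPerms := map[int]bool{} // API key with subscribers:manage but no list permissions
	echoed := []int{}             // lists: [] echoed back from the GET response

	fmt.Println("replace:", replaceLists(current, echoed, noListPerms))
	fmt.Println("merge:  ", mergeLists(current, echoed, noListPerms))
}
```

With a key that manages some lists, the same merge still lets the caller add or remove memberships inside its own scope while leaving the rest untouched.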
