[PR #21577] [MERGED] fix: clamp SCIM pagination args instead of rejecting them #41776

New Issue

GiteaMirror · 2026-04-25T13:55:08-05:00

GiteaMirror commented

2026-04-25 13:55:08 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21577
Author: @monteithpj
Created: 2/18/2026
Status: ✅ Merged
Merged: 2/19/2026
Merged by: @tjbck

Base: dev ← Head: fix/scim-pagination-clamping

📝 Commits (1)

2d612ca fix: clamp SCIM pagination args instead of rejecting them

📊 Changes

1 file changed (+13 additions, -4 deletions)

View changed files

📝 backend/open_webui/routers/scim.py (+13 -4)

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

Target branch: dev
Description: Provided below
Changelog: Provided below
Documentation: No user-facing behaviour or env var changes
Dependencies: None
Testing: Manually verified before/after behaviour — see below
Agentic AI Code: Reviewed and manually tested by human author
Code review: Self-reviewed
Design & Architecture: Minimal targeted fix, no new settings
Git Hygiene: Single atomic commit, rebased on dev
Title Prefix: fix:

Changelog Entry

Description

The /Users and /Groups SCIM endpoints used FastAPI Query constraints (ge=1, le=100) to validate startIndex and count, causing a 422 Unprocessable Entity for out-of-range values. RFC 7644 §3.4.2.4 is explicit that these values must be clamped, not rejected:

A startIndex value less than 1 SHALL be interpreted as 1.
A negative count value SHALL be interpreted as 0.
A count greater than the server maximum may return fewer results than requested.

Fixed

GET /api/v1/scim/v2/Users and GET /api/v1/scim/v2/Groups now clamp startIndex and count to valid ranges rather than returning 422 for out-of-range values, in compliance with RFC 7644 §3.4.2.4

Additional Information

Before — these all returned 422:

GET /api/v1/scim/v2/Users?startIndex=0
GET /api/v1/scim/v2/Users?count=0
GET /api/v1/scim/v2/Users?count=9999
GET /api/v1/scim/v2/Groups?startIndex=-1

After — all return 200 with clamped values:

startIndex=0 → treated as 1
count=-1 → treated as 0 (returns metadata only, per spec)
count=9999 → clamped to server maximum of 100

Screenshots or Videos

N/A — backend-only fix, no UI changes.

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21577 **Author:** [@monteithpj](https://github.com/monteithpj) **Created:** 2/18/2026 **Status:** ✅ Merged **Merged:** 2/19/2026 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix/scim-pagination-clamping` --- ### 📝 Commits (1) - [`2d612ca`](https://github.com/open-webui/open-webui/commit/2d612caa5d26c652837f7191645259ed567f0dd1) fix: clamp SCIM pagination args instead of rejecting them ### 📊 Changes **1 file changed** (+13 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/scim.py` (+13 -4) </details> ### 📄 Description # Pull Request Checklist **Before submitting, make sure you've checked the following:** - [x] **Target branch:** `dev` - [x] **Description:** Provided below - [x] **Changelog:** Provided below - [x] **Documentation:** No user-facing behaviour or env var changes - [x] **Dependencies:** None - [x] **Testing:** Manually verified before/after behaviour — see below - [x] **Agentic AI Code:** Reviewed and manually tested by human author - [x] **Code review:** Self-reviewed - [x] **Design & Architecture:** Minimal targeted fix, no new settings - [x] **Git Hygiene:** Single atomic commit, rebased on `dev` - [x] **Title Prefix:** `fix:` # Changelog Entry ### Description The `/Users` and `/Groups` SCIM endpoints used FastAPI `Query` constraints (`ge=1`, `le=100`) to validate `startIndex` and `count`, causing a `422 Unprocessable Entity` for out-of-range values. RFC 7644 §3.4.2.4 is explicit that these values must be **clamped**, not rejected: > A `startIndex` value less than 1 **SHALL be interpreted as 1.** > A negative `count` value **SHALL be interpreted as 0.** > A `count` greater than the server maximum may return fewer results than requested. ### Fixed - `GET /api/v1/scim/v2/Users` and `GET /api/v1/scim/v2/Groups` now clamp `startIndex` and `count` to valid ranges rather than returning `422` for out-of-range values, in compliance with RFC 7644 §3.4.2.4 --- ### Additional Information **Before** — these all returned `422`: ``` GET /api/v1/scim/v2/Users?startIndex=0 GET /api/v1/scim/v2/Users?count=0 GET /api/v1/scim/v2/Users?count=9999 GET /api/v1/scim/v2/Groups?startIndex=-1 ``` **After** — all return `200` with clamped values: - `startIndex=0` → treated as `1` - `count=-1` → treated as `0` (returns metadata only, per spec) - `count=9999` → clamped to server maximum of `100` ### Screenshots or Videos N/A — backend-only fix, no UI changes. ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-25 13:55:08 -05:00

GiteaMirror closed this issue

2026-04-25 13:55:09 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#41776