(airflow) branch v3-0-test updated: [v3-0-test] Fix permission check on the ui config endpoint (#50564) (#50619)

Wed, 14 May 2025 18:04:16 -0700 

This is an automated email from the ASF dual-hosted git repository.

pierrejeambrun pushed a commit to branch v3-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v3-0-test by this push:
     new e65417f817a [v3-0-test] Fix permission check on the ui config endpoint 
(#50564) (#50619)
e65417f817a is described below

commit e65417f817aee1b9bca6b0ce498ba7050f05428a
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu May 15 03:04:02 2025 +0200

    [v3-0-test] Fix permission check on the ui config endpoint (#50564) (#50619)
    
    This is just config for the UI, not the whole Airflow instances config,
    which is what the config permission for users controls. If the user
    doesn't have the config permission, without this change, the user cannot
    use the UI at all.
    
    So, instead we just check that the user is authenticated at all.
    (cherry picked from commit 0dad2bb17e3f3e404a6002ed2b08a2f53e0e20b3)
    
    Co-authored-by: Jed Cunningham 
<66968678+jedcunning...@users.noreply.github.com>
    Co-authored-by: LIU ZHE YOU <68415893+jason810...@users.noreply.github.com>
---
 .../src/airflow/api_fastapi/core_api/routes/ui/config.py     |  4 ++--
 airflow-core/src/airflow/api_fastapi/core_api/security.py    | 12 ++++++++++++
 .../tests/unit/api_fastapi/core_api/routes/ui/test_config.py |  6 ++++--
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/airflow-core/src/airflow/api_fastapi/core_api/routes/ui/config.py 
b/airflow-core/src/airflow/api_fastapi/core_api/routes/ui/config.py
index 11eefab1c85..9a0ee08eca9 100644
--- a/airflow-core/src/airflow/api_fastapi/core_api/routes/ui/config.py
+++ b/airflow-core/src/airflow/api_fastapi/core_api/routes/ui/config.py
@@ -23,7 +23,7 @@ from fastapi import Depends, status
 from airflow.api_fastapi.common.router import AirflowRouter
 from airflow.api_fastapi.core_api.datamodels.ui.config import ConfigResponse
 from airflow.api_fastapi.core_api.openapi.exceptions import 
create_openapi_http_exception_doc
-from airflow.api_fastapi.core_api.security import requires_access_configuration
+from airflow.api_fastapi.core_api.security import requires_authenticated
 from airflow.configuration import conf
 from airflow.settings import DASHBOARD_UIALERTS
 
@@ -48,7 +48,7 @@ WEBSERVER_CONFIG_KEYS = [
 @config_router.get(
     "/config",
     responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
-    dependencies=[Depends(requires_access_configuration("GET"))],
+    dependencies=[Depends(requires_authenticated())],
 )
 def get_configs() -> ConfigResponse:
     """Get configs for UI."""
diff --git a/airflow-core/src/airflow/api_fastapi/core_api/security.py 
b/airflow-core/src/airflow/api_fastapi/core_api/security.py
index adc6cf2e014..4c56793df60 100644
--- a/airflow-core/src/airflow/api_fastapi/core_api/security.py
+++ b/airflow-core/src/airflow/api_fastapi/core_api/security.py
@@ -322,6 +322,18 @@ def requires_access_asset_alias(method: ResourceMethod) -> 
Callable:
     return inner
 
 
+def requires_authenticated() -> Callable:
+    """Just ensure the user is authenticated - no need to check any specific 
permissions."""
+
+    def inner(
+        request: Request,
+        user: GetUserDep,
+    ) -> None:
+        pass
+
+    return inner
+
+
 def _requires_access(
     *,
     is_authorized_callback: Callable[[], bool],
diff --git 
a/airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_config.py 
b/airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_config.py
index 399b8658df6..1deb5f46967 100644
--- a/airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_config.py
+++ b/airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_config.py
@@ -85,6 +85,8 @@ class TestGetConfig:
         response = unauthenticated_test_client.get("/config")
         assert response.status_code == 401
 
-    def test_get_config_should_response_403(self, unauthorized_test_client):
+    def test_get_config_just_authenticated(self, mock_config_data, 
unauthorized_test_client):
+        """Just being authenticated is enough to access the endpoint."""
         response = unauthorized_test_client.get("/config")
-        assert response.status_code == 403
+        assert response.status_code == 200
+        assert response.json() == mock_config_response

Reply via email to