tanujdargan commented on code in PR #52408:
URL: https://github.com/apache/airflow/pull/52408#discussion_r2175171443
##########
airflow-core/src/airflow/api_fastapi/core_api/routes/ui/config.py:
##########
@@ -46,17 +48,29 @@
responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
dependencies=[Depends(requires_authenticated())],
)
-def get_configs() -> ConfigResponse:
+async def get_configs(user: GetUserDep) -> ConfigResponse:
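Review bot: the only visible change is the signature becoming `async def get_configs(user: GetUserDep)`, and nothing in the hunk consumes `user`, so the per-plugin permission filtering this change is meant to add must sit in the elided body; confirm there that a user with no plugin permissions gets an empty list rather than an error, and if the check can raise 403, add `status.HTTP_403_FORBIDDEN` to `create_openapi_http_exception_doc([...])`, which currently documents only 404. Also worth stating in the route's docstring that the response is now filtered by the caller's permissions, and checking whether `Depends(requires_authenticated())` is still needed alongside `GetUserDep` or whether one of the two now makes the other redundant.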
Review Comment:
get_configs depends on GetUserDep, which is async, and as per the FastAPI rule,
any route function that calls an async dependency must also be async.
And the previous implementation allowed any authenticated user to see all
UI plugins, which was a security issue. My PR fixes this by correctly checking
the user's permissions for each plugin before displaying it. While the default
Viewer role in the documentation is shown to have plugin access, my change
ensures the system properly enforces whatever permissions are actually
configured. So, if a Viewer has no plugin permissions, they will no longer see
any plugin menu items.
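The behaviour the comment describes, as an added stand-alone model that is not Airflow's code: an async user dependency is awaited by an async route-style coroutine, and the plugin menu is filtered per plugin against the user's permissions, so an authenticated Viewer with no plugin permissions gets an empty menu. `User`, `get_current_user`, `PLUGIN_MENU_ITEMS` and the tokens are hypothetical stand-ins for `GetUserDep` and Airflow's plugin registry.

```python
import asyncio
from dataclasses import dataclass, field

# Constructed stand-in for the user object an async FastAPI dependency such as
# GetUserDep would inject; the attribute names are hypothetical.
@dataclass
class User:
    name: str
    plugin_permissions: frozenset = field(default_factory=frozenset)

# Constructed plugin menu registry (hypothetical plugin names).
PLUGIN_MENU_ITEMS = [
    {"name": "SecretsViewer", "href": "/secrets"},
    {"name": "LineageGraph", "href": "/lineage"},
]

async def get_current_user(token: str) -> User:
    """Async dependency: resolves a session token to a User (constructed data)."""
    await asyncio.sleep(0)  # stands in for an async session/database lookup
    sessions = {
        "admin-token": User("admin", frozenset({"SecretsViewer", "LineageGraph"})),
        "viewer-token": User("viewer"),  # authenticated, but no plugin permissions
    }
    if token not in sessions:
        raise PermissionError("not authenticated")
    return sessions[token]

def allowed_plugin_menu_items(user: User) -> list:
    """Keep only menu items whose plugin the user is permitted to access."""
    return [item for item in PLUGIN_MENU_ITEMS if item["name"] in user.plugin_permissions]

async def get_configs(token: str) -> list:
    """Route-style coroutine: awaits the async user dependency, then filters.
    The insecure 'before' returned PLUGIN_MENU_ITEMS to any authenticated user;
    this version enforces the configured per-plugin permissions."""
    user = await get_current_user(token)
    return allowed_plugin_menu_items(user)

def menu_for(token: str) -> list:
    """Plugin names visible to the holder of `token` (runs the coroutine)."""
    return [item["name"] for item in asyncio.run(get_configs(token))]
```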
--
This is an automated message from the Apache Git Service.