vincbeck commented on code in PR #54197:
URL: https://github.com/apache/airflow/pull/54197#discussion_r2258240820
##########
providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py:
##########
@@ -452,15 +463,13 @@ def get_authorized_dag_ids(
action = permission.action.name
if (
action in map_fab_action_name_to_method_name
- and map_fab_action_name_to_method_name[action] == method
+ and map_fab_action_name_to_method_name[action] ==
dag_method
):
resource = permission.resource.name
if resource == permissions.RESOURCE_DAG:
return {dag.dag_id for dag in
session.execute(select(DagModel.dag_id))}
if resource.startswith(permissions.RESOURCE_DAG_PREFIX):
resources.add(resource[len(permissions.RESOURCE_DAG_PREFIX) :])
- else:
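Review bot: The `else:` removed after the `resource.startswith(permissions.RESOURCE_DAG_PREFIX)` check should come with a regression test, so the branch cannot quietly return. Give a test user one prefixed per-DAG permission plus a non-DAG resource for the same action, and assert that `get_authorized_dag_ids` returns only the per-DAG id. As a style point on the line above it, `resource[len(permissions.RESOURCE_DAG_PREFIX) :]` could be written as `resource.removeprefix(permissions.RESOURCE_DAG_PREFIX)`, since the `startswith` guard already holds.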
Review Comment:
When working on this issue, I could not believe we have this code in our
current logic. This adds any resource the user has access to (e.g.
`Connections`) to `resources`, which contains dag ids. So hypothetically, a user
with permissions to access the Dag `test` only and with permissions to access
connections could access the dag (if existing) `Connections`.
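The confusion described in the comment above, as an added sketch that is not part of the PR or of Airflow's code: a simplified model of the filter, run with and without the removed `else:` branch. The constant values, the `(action, resource)` tuple shape, the `keep_else_branch` flag, the final existence filter and the sample DAG names are assumptions made for illustration.

```python
# Constructed stand-ins for the names used in the hunk; the values are
# assumptions for this sketch, not read from the Airflow source.
RESOURCE_DAG = "DAGs"
RESOURCE_DAG_PREFIX = "DAG:"
ACTION_TO_METHOD = {"can_read": "GET", "can_edit": "PUT"}


def authorized_dag_ids(perms, method, all_dag_ids, keep_else_branch):
    """perms: iterable of (action_name, resource_name) pairs held by the user."""
    resources = set()
    for action, resource in perms:
        if ACTION_TO_METHOD.get(action) != method:
            continue
        if resource == RESOURCE_DAG:
            # Global DAG permission: every DAG is authorized.
            return set(all_dag_ids)
        if resource.startswith(RESOURCE_DAG_PREFIX):
            resources.add(resource[len(RESOURCE_DAG_PREFIX):])
        elif keep_else_branch:
            # Behaviour the review comment describes for the removed `else:`:
            # a non-DAG resource name is stored as if it were a DAG id.
            resources.add(resource)
    # Assumption: only ids of DAGs that actually exist are returned.
    return resources & set(all_dag_ids)


# Constructed sample: per-DAG read access to `test`, read access to
# connections, and a DAG that happens to be named `Connections`.
USER_PERMS = [("can_read", "DAG:test"), ("can_read", "Connections")]
ALL_DAGS = {"test", "Connections", "billing"}


def compare():
    """Return the authorized ids (with the else branch, without it)."""
    before = authorized_dag_ids(USER_PERMS, "GET", ALL_DAGS, keep_else_branch=True)
    after = authorized_dag_ids(USER_PERMS, "GET", ALL_DAGS, keep_else_branch=False)
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("with else branch:   ", sorted(before))
    print("without else branch:", sorted(after))
```

The same pair of assertions works as a regression test against the real method once the sample permissions are created through the provider's own fixtures.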