YoannAbriel opened a new pull request, #63359:
URL: https://github.com/apache/airflow/pull/63359
## Problem
FAB's `_MAP_METHOD_NAME_TO_FAB_ACTION_NAME` maps HTTP methods to FAB actions
(`can_read`, `can_edit`, etc.) but doesn't include `PATCH`. When
`is_authorized_custom_view` receives `"PATCH"`, it falls back to using
`"PATCH"` as the raw action name, which doesn't match any FAB permission — so
PATCH requests get 403 even for admins.
The PATCH endpoints for roles and users currently work around this by
passing `"PUT"` to `requires_fab_custom_view` instead of their actual HTTP
method.
## Root Cause
Missing `"PATCH"` entry in `_MAP_METHOD_NAME_TO_FAB_ACTION_NAME` dict in
`providers/fab/www/utils.py`, and missing `PATCH` variant in `ResourceMethod` /
`ExtendedResourceMethod` type definitions.
## Fix
- Add `"PATCH": ACTION_CAN_EDIT` to the method map (same action as PUT)
- Add `PATCH` to `ResourceMethod` and `ExtendedResourceMethod` enums and
type aliases
- Update `patch_role` and `update_user` endpoint dependencies to use
`"PATCH"` instead of the `"PUT"` workaround
- Added unit tests for the new mapping and PATCH method authorization
Closes: #59510
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
<!--
Thank you for contributing!
Please provide above a brief description of the changes made in this pull
request.
Write a good git commit message following this guide:
http://chris.beams.io/posts/git-commit/
Please make sure that your code changes are covered with tests.
And in case of new features or big changes remember to adjust the
documentation.
Feel free to ping (in general) for the review if you do not see reaction for
a few days
(72 Hours is the minimum reaction time you can expect from volunteers) - we
sometimes miss notifications.
In case of an existing issue, reference it using one of the following:
* closes: #ISSUE
* related: #ISSUE
-->
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4, claude-opus-4-6)
Generated-by: Claude Code (Opus 4, claude-opus-4-6) following [the
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
---
* Read the **[Pull Request
Guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#pull-request-guidelines)**
for more information. Note: commit author/co-author name and email in commits
become permanently public when merged.
* For fundamental code changes, an Airflow Improvement Proposal
([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals))
is needed.
* When adding dependency, check compliance with the [ASF 3rd Party License
Policy](https://www.apache.org/legal/resolved.html#category-x).
* For significant user-facing changes create newsfragment:
`{pr_number}.significant.rst`, in
[airflow-core/newsfragments](https://github.com/apache/airflow/tree/main/airflow-core/newsfragments).
You can add this file in a follow-up commit after the PR is created so you
know the PR number.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
