potiuk opened a new pull request, #67627: URL: https://github.com/apache/airflow/pull/67627
The UI scheduling-dependencies graph route (`GET /ui/dependencies?dependency_type=scheduling`) was filtering only the top-level DAG keys in `get_scheduling_dependencies()` by the caller's readable-DAG set. For each dependency object under a readable top-level DAG, the route still emitted:

- the dependency node (whose `node_id` embeds both source and target DAG ids — e.g. `trigger:external_trigger_dag_id:downstream:trigger_dag_run_operator`),
- the inbound edge from `dep.source` to `dep.node_id` when `dep.source` is a DAG id (e.g. `TriggerDagRunOperator.trigger_dag_id`),
- the outbound edge from `dep.node_id` to `dep.target` when `dep.target` is a DAG id (e.g. `ExternalTaskSensor.external_dag_id`).

A caller with read access to one DAG would therefore see identifiers and edge metadata for other DAGs they cannot read whenever the readable DAG referenced those DAGs via trigger/sensor dependencies.

This change extends the readable-DAG filter inside the dependency loop: when either `dep.source` or `dep.target` is a bare DAG id outside the caller's readable set, the dependency node and both its edges are skipped entirely. Asset-prefixed identifiers (`asset:<id>`) are unaffected by the new check.

Reference: airflow-s/airflow-s#441

## Test plan

- [x] New regression test `test_scheduling_dependencies_redacts_trigger_sensor_endpoints_referencing_unreadable_dags` asserts that node ids and edge endpoints referencing unreadable DAGs are gone from the response.
- [x] Existing `test_scheduling_dependencies_respects_readable_dags_filter` and the rest of `TestGetDependencies` (23 tests total) still pass.
- [x] `prek run --from-ref main --to-ref HEAD --stage pre-commit` clean on touched files.
- [x] `prek run --from-ref main --to-ref HEAD --stage manual` clean on touched files.

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Opus 4.7 (1M context)

Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
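
A simplified model of the filter described in the message above, added here as an example; it is not the PR's or Airflow's own code. `Dep`, `build_graph`, `leaked` and the sample DAG ids are hypothetical, and a bare DAG id is assumed to be any endpoint without a `:` prefix. With `filter_endpoints=False` only the top-level DAG keys are filtered, so identifiers of an unreadable DAG still reach the graph; with `True` the dependency node and both of its edges are dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    """Simplified stand-in for one serialized dependency (hypothetical model)."""
    source: str
    target: str
    dependency_type: str
    dependency_id: str
    @property
    def node_id(self):
        # Embeds both endpoint ids, like the node_id quoted in the PR description.
        return f"{self.dependency_type}:{self.source}:{self.target}:{self.dependency_id}"


def is_bare_dag_id(endpoint):
    # Assumption: prefixed ids such as "asset:<id>" contain ":", bare DAG ids do not.
    return ":" not in endpoint


def build_graph(deps_by_dag, readable, filter_endpoints):
    """Return (nodes, edges) for a caller allowed to read the DAG ids in `readable`."""
    nodes, edges = set(), set()
    for dag_id, deps in deps_by_dag.items():
        if dag_id not in readable:  # the top-level filter that already existed
            continue
        nodes.add(f"dag:{dag_id}")
        for dep in deps:
            ends = (dep.source, dep.target)
            if filter_endpoints and any(is_bare_dag_id(e) and e not in readable for e in ends):
                continue  # skip the dependency node and both of its edges
            nodes.add(dep.node_id)
            src, dst = (f"dag:{e}" if is_bare_dag_id(e) else e for e in ends)
            edges.update({(src, dep.node_id), (dep.node_id, dst)})
    return nodes, edges


def leaked(graph, unreadable):
    """Identifiers in the graph whose ':'-separated parts name an unreadable DAG."""
    idents = graph[0] | {end for edge in graph[1] for end in edge}
    return {i for i in idents if set(i.split(":")) & set(unreadable)}


# Constructed sample: the caller can read "reports" but not "payroll".
SAMPLE = {
    "reports": [Dep("reports", "payroll", "trigger", "kick_payroll"),
                Dep("asset:7", "reports", "asset", "daily_export")],
    "payroll": [Dep("payroll", "reports", "sensor", "wait_for_reports")],
}
```

Calling `leaked(build_graph(SAMPLE, {"reports"}, False), {"payroll"})` returns the trigger node id and `dag:payroll`; the same call with `True` returns an empty set while the asset dependency stays in the graph.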
