github-actions[bot] opened a new pull request, #67907: URL: https://github.com/apache/airflow/pull/67907
The UI scheduling-dependencies graph route (`GET /ui/dependencies?dependency_type=scheduling`) was filtering only the top-level DAG keys in `get_scheduling_dependencies()` by the caller's readable-DAG set. For each dependency object under a readable top-level DAG, the route still emitted the dependency node (whose `node_id` embeds both source and target DAG ids — e.g. `trigger:external_trigger_dag_id:downstream:trigger_dag_run_operator`), the inbound edge from `dep.source` to `dep.node_id` when `dep.source` is a DAG id, and the outbound edge from `dep.node_id` to `dep.target` when `dep.target` is a DAG id. A caller with read access to one DAG would therefore see identifiers and edge metadata for other DAGs they cannot read whenever the readable DAG referenced those DAGs via trigger/sensor dependencies.

This change extends the readable-DAG filter inside the dependency loop: when either `dep.source` or `dep.target` is a bare DAG id outside the caller's readable set, the dependency node and both its edges are skipped entirely. Asset-prefixed identifiers (`asset:<id>`) are unaffected by the new check.

Reference: airflow-s/airflow-s#441

(cherry picked from commit e61c9bac30a7b1a7f68589629f10c4cb247c683e)

Co-authored-by: Jarek Potiuk <[email protected]>

Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
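A small model of the filtering described in this pull request, as an added example that is not Airflow's code: `Dep`, `build_graph`, `exposed_dag_ids` and the sample data are hypothetical, and treating every identifier without the `asset:` prefix as a bare DAG id is an assumption. It compares the top-level-only filter with the per-dependency check and reports which unreadable DAG ids still appear in the output.

```python
from typing import NamedTuple

class Dep(NamedTuple):          # hypothetical stand-in for one dependency record
    source: str
    target: str
    node_id: str

def is_dag_id(ident: str) -> bool:
    # Assumption: anything without the asset: prefix is a bare DAG id.
    return not ident.startswith("asset:")

def build_graph(deps_by_dag, readable, filter_endpoints):
    """Return (nodes, edges) emitted for a caller who can read `readable`."""
    nodes, edges = set(), set()
    for dag_id, deps in deps_by_dag.items():
        if dag_id not in readable:      # top-level filter, the only check before the change
            continue
        for dep in deps:
            hidden = any(is_dag_id(i) and i not in readable
                         for i in (dep.source, dep.target))
            if filter_endpoints and hidden:
                continue                # skip the node and both of its edges
            nodes.add(dep.node_id)
            if is_dag_id(dep.source):
                edges.add((dep.source, dep.node_id))
            if is_dag_id(dep.target):
                edges.add((dep.node_id, dep.target))
    return nodes, edges

def exposed_dag_ids(graph, readable, all_dag_ids):
    """Unreadable DAG ids that appear anywhere in the emitted nodes or edges."""
    nodes, edges = graph
    tokens = {t for n in nodes for t in n.split(":")}
    tokens |= {t for edge in edges for end in edge for t in end.split(":")}
    return (all_dag_ids - readable) & tokens

# Constructed sample data: the caller can read only "downstream".
ALL_DAGS = {"downstream", "external_trigger_dag_id", "hidden_dag", "secret_dag"}
READABLE = {"downstream"}
DEPS = {
    "downstream": [
        Dep("external_trigger_dag_id", "downstream",
            "trigger:external_trigger_dag_id:downstream:trigger_dag_run_operator"),
        Dep("downstream", "hidden_dag", "sensor:downstream:hidden_dag:wait_for_hidden"),
        Dep("asset:7", "downstream", "asset:7"),
    ],
    "secret_dag": [Dep("secret_dag", "downstream", "trigger:secret_dag:downstream:t1")],
}

if __name__ == "__main__":
    for flag in (False, True):
        graph = build_graph(DEPS, READABLE, flag)
        print(flag, sorted(exposed_dag_ids(graph, READABLE, ALL_DAGS)))
```

The same `exposed_dag_ids` check works as a regression assertion over a route's response for a restricted test user.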
