darshil929 opened a new pull request, #69175:
URL: https://github.com/apache/airflow/pull/69175

   The `create_asset_event` handler behind `POST /assets/events` is only 
guarded by `requires_access_asset(method="POST")` — the asset-level "create on 
Assets" permission. The event it creates is passed to 
`asset_manager.register_asset_change`, which enqueues `AssetDagRunQueue` rows 
for every consuming Dag scheduled on that asset, so the call effectively 
triggers downstream Dag runs without ever evaluating the Dag-level 
`access_control` those Dags define. A principal holding only the Assets 
"create" permission can therefore enqueue runs for Dags it has no run access to.
   
   This adds the missing check. Before the event is created, the endpoint now 
confirms the caller can run at least one producing Dag, or every consuming Dag 
the event would trigger. The consuming Dags are resolved the same way 
`register_asset_change` does when it queues runs: a Dag counts if it schedules 
on the asset directly, or by the asset's name or URI and isn't paused. That 
keeps the permission check aligned with the Dags the event would actually 
trigger, so it never blocks more or less than it should. Producers aren't 
pause-filtered, since re-running a producing Dag would re-emit the event anyway.
   
   Tests cover the producer-authorized, all-consumers-authorized, 
partial-consumer, and name/URI consumer cases.
   
   closes: #42846


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to