This is an automated email from the ASF dual-hosted git repository. ash pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push: new eb6af07 Add missing permissions to varimport (#17468) eb6af07 is described below commit eb6af07f5bc8958efd06818e84a5273a079304e1 Author: Ash Berlin-Taylor <ash_git...@firemirror.com> AuthorDate: Fri Aug 6 16:22:50 2021 +0100 Add missing permissions to varimport (#17468) --- airflow/www/views.py | 2 +- tests/www/views/test_views_variable.py | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/airflow/www/views.py b/airflow/www/views.py index 9d1d4ad..5508b7f 100644 --- a/airflow/www/views.py +++ b/airflow/www/views.py @@ -3431,7 +3431,6 @@ class VariableModelView(AirflowModelView): 'delete': 'delete', 'action_muldelete': 'delete', 'action_varexport': 'read', - 'varimport': 'create', } base_permissions = [ permissions.ACTION_CAN_CREATE, @@ -3494,6 +3493,7 @@ class VariableModelView(AirflowModelView): return response @expose('/varimport', methods=["POST"]) + @auth.has_access([(permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VARIABLE)]) @action_logging def varimport(self): """Import variables""" diff --git a/tests/www/views/test_views_variable.py b/tests/www/views/test_views_variable.py index a1bf5b9..65d6a27 100644 --- a/tests/www/views/test_views_variable.py +++ b/tests/www/views/test_views_variable.py @@ -96,6 +96,19 @@ def test_import_variables_success(session, admin_client): check_content_in_response('4 variable(s) successfully updated.', resp) +def test_import_variables_anon(session, app): + assert session.query(Variable).count() == 0 + + content = '{"str_key": "str_value}' + bytes_content = io.BytesIO(bytes(content, encoding='utf-8')) + + resp = app.test_client().post( + '/variable/varimport', data={'file': (bytes_content, 'test.json')}, follow_redirects=True + ) + check_content_not_in_response('variable(s) successfully updated.', resp) + check_content_in_response('Sign In', resp) + + def test_description_retrieval(session, admin_client): # create valid variable admin_client.post('/variable/add', data=VARIABLE, follow_redirects=True)