[ https://issues.apache.org/jira/browse/AIRFLOW-3949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16778482#comment-16778482 ]

Tao Feng commented on AIRFLOW-3949:
-----------------------------------

[~XD-DENG] I guess the issue is that User initially has can_dag_read on 
all_dags. And since you remove the permission on all_dags, we don't resync the 
permissions for user 
role (https://github.com/apache/airflow/blob/master/airflow/www/security.py#L186)
 which the User still has all_dag access.

> Users should only see the DAGs to which he/she has 
> "can_dag_view"/"can_dag_edit" permission in the landing page
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: AIRFLOW-3949
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3949
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: ui
>            Reporter: Xiaodong DENG
>            Assignee: Tao Feng
>            Priority: Major
>
> In the current master branch 
> (https://github.com/apache/airflow/commit/bfa81b53597907ed58b2e01a69ba9fd52ce4a7b9)
>  and 1.10.2, the DAG-level access control feature is already there.
> According to Feng Tao, in his initial implementation, users aren't able to 
> see the DAGs to which he/she doesn't have access. But in the testing I have 
> done, seems I can still see all the DAGs as a role "User" after I have 
> removed the "can_dag_view on all_dags" and "can_dag_edit on all_dags" from 
> role "User".
>
> (The testing was done using the "built-in" sample DAGs only)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
