ashb commented on a change in pull request #11189:
URL: https://github.com/apache/airflow/pull/11189#discussion_r499712995



##########
File path: airflow/www/security.py
##########
@@ -320,33 +317,75 @@ def get_accessible_dags(self, user_actions, user, 
session=None):
             for permission in role.permissions:
                 resource = permission.view_menu.name
                 action = permission.permission.name
-                if action in user_actions:
+                if action not in user_actions:
+                    continue
+
+                if resource.startswith(DAG_PREFIX):
+                    resources.add(resource[len(DAG_PREFIX) :])
+                else:
                     resources.add(resource)
 
-        if bool({'Dag', 'all_dags'}.intersection(resources)):
+        if 'Dag' in resources:
             return session.query(DagModel)
 
         return session.query(DagModel).filter(DagModel.dag_id.in_(resources))
 
-    def has_access(self, permission, view_name, user=None) -> bool:
+    def can_read_dag(self, dag_id, user=None) -> bool:
+        """Determines whether a user has DAG read access."""
+        if not user:
+            user = g.user
+        prefixed_dag_id = self.prefixed_dag_id(dag_id)
+        return self._has_view_access(user, CAN_READ, 'Dag') or 
self._has_view_access(
+            user, CAN_READ, prefixed_dag_id
+        )
+
+    def can_edit_dag(self, dag_id, user=None) -> bool:
+        """Determines whether a user has DAG edit access."""
+        if not user:
+            user = g.user
+        prefixed_dag_id = self.prefixed_dag_id(dag_id)
+
+        return self._has_view_access(user, CAN_EDIT, 'Dag') or 
self._has_view_access(
+            user, CAN_EDIT, prefixed_dag_id
+        )
+
+    def prefixed_dag_id(self, dag_id):
+        """Returns the permission name for a DAG id."""
+        if dag_id == 'Dag':
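Review bot: In get_accessible_dags the stripped per-DAG names and the unprefixed resource names are added to the same `resources` set, so the two namespaces can collide. A role holding only the per-DAG permission for a DAG whose id is `Dag` would satisfy `'Dag' in resources` and receive the unfiltered query, and any other unprefixed resource name ends up in the `dag_id.in_(resources)` filter, where it would match a DAG that happens to carry that id. Consider handling the global grant separately, for example replacing the `else:` branch with `elif resource == 'Dag': return session.query(DagModel)` and dropping the later `if 'Dag' in resources:` check. Whether such DAG ids can actually be registered is not visible here, and both the start of get_accessible_dags and the body of prefixed_dag_id lie outside the quoted hunk.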

Review comment:
       WDYT about extracting this to a constant to make the significance 
of this "Dag" string clear?



