Jorricks opened a new pull request #18467: URL: https://github.com/apache/airflow/pull/18467
In the `TaskInstanceModelView` and `DagRunModelView` it is not possible that you won't see all DAGs as you don't have edit permission for them. Flask-Appbuilder doesn't natively support this behaviour as it does not verify for your actions whether you are only passing in primary keys of rows you are allowed to edit, by default you can still provide primary-keys of DagRuns and TaskInstance you don't have access to and you will be able to modify them. To prevent this from happening, we created the `@action_has_dag_edit_access` decorator. In the `TaskInstanceModelView` and `DagRunModelView` classes we need to enforce that the `@action_has_dag_edit_access` is used. Therefore, I created a test to verify this one is being used on every `action` function of these classes. This came to light due to #18438. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
