vincbeck commented on code in PR #33213: URL: https://github.com/apache/airflow/pull/33213#discussion_r1295078542
########## airflow/auth/managers/fab/fab_auth_manager.py: ########## @@ -17,13 +17,37 @@ # under the License. from __future__ import annotations +import itertools + from flask import url_for from flask_login import current_user from airflow import AirflowException from airflow.auth.managers.base_auth_manager import BaseAuthManager from airflow.auth.managers.fab.models import User from airflow.auth.managers.fab.security_manager.override import FabAirflowSecurityManagerOverride +from airflow.auth.managers.models.base_user import BaseUser +from airflow.auth.managers.models.resource_action import ResourceAction +from airflow.auth.managers.models.resource_details import ResourceDetails +from airflow.security.permissions import ( + ACTION_CAN_ACCESS_MENU, + ACTION_CAN_CREATE, + ACTION_CAN_DELETE, + ACTION_CAN_EDIT, + ACTION_CAN_READ, + RESOURCE_DAG, + RESOURCE_DAG_PREFIX, +) + +_MAP_ACTION_NAME_TO_FAB_ACTION_NAME = { + ResourceAction.POST: [ACTION_CAN_CREATE], + # ACTION_CAN_READ and ACTION_CAN_ACCESS_MENU are merged into because they are very similar. + # We can assume that if a user has permissions to read variables, they also have permissions to access + # the menu "Variables". + ResourceAction.GET: [ACTION_CAN_READ, ACTION_CAN_ACCESS_MENU], Review Comment: The only concern is, if user X has `ACCESS_MENU` to given resource but not `READ` permissions, it will be breaking experience for him. We have to give `READ` permissions to user who have `ACCESS_MENU`. But I agree, we might too much complexity here to handle this. As you say, we might want to remove `ACTION_CAN_ACCESS_MENU`, one way to do it it to basically convert `ACTION_CAN_ACCESS_MENU` to `ACTION_CAN_READ` when loading permissions for a given user -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org