This is an automated email from the ASF dual-hosted git repository.
jedcunningham pushed a commit to branch v2-9-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 899d4e858735bda153305b268c8c06937adf841d
Author: Jarek Potiuk <ja...@potiuk.com>
AuthorDate: Wed Apr 24 19:09:09 2024 +0200
Fixed side effect of menu filtering causing disappearing menus (#39229)
The default implementation of filter_permitted_menu_items had a
subtle side-effect. The filtering on child items was done in-place
and modified the menu itself, so it was enough to get the same
worker serve requests for multiple users for the same menu to get
the items removed for subsequent user - even if they had permission
to see it.
Deepcopying the menu items before filtering them should fix the problem
Fixes: #39204
Fixes: #39135
(cherry picked from commit 0d2c0c5cf04ef886a8211820d0dc2f4cd8c47251)
---
airflow/auth/managers/base_auth_manager.py | 14 ++++++++--
tests/auth/managers/test_base_auth_manager.py | 40 +++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/airflow/auth/managers/base_auth_manager.py
b/airflow/auth/managers/base_auth_manager.py
index 7bb4e92889..44fc53a66e 100644
--- a/airflow/auth/managers/base_auth_manager.py
+++ b/airflow/auth/managers/base_auth_manager.py
@@ -21,6 +21,7 @@ from abc import abstractmethod
from functools import cached_property
from typing import TYPE_CHECKING, Container, Literal, Sequence
+from flask_appbuilder.menu import MenuItem
from sqlalchemy import select
from airflow.auth.managers.models.resource_details import (
@@ -34,7 +35,6 @@ from airflow.utils.session import NEW_SESSION, provide_session
if TYPE_CHECKING:
from flask import Blueprint
- from flask_appbuilder.menu import MenuItem
from sqlalchemy.orm import Session
from airflow.auth.managers.models.base_user import BaseUser
@@ -397,13 +397,21 @@ class BaseAuthManager(LoggingMixin):
)
accessible_items = []
for menu_item in items:
+ menu_item_copy = MenuItem(
+ name=menu_item.name,
+ icon=menu_item.icon,
+ label=menu_item.label,
+ childs=[],
+ baseview=menu_item.baseview,
+ cond=menu_item.cond,
+ )
if menu_item.childs:
accessible_children = []
for child in menu_item.childs:
if
self.security_manager.has_access(ACTION_CAN_ACCESS_MENU, child.name):
accessible_children.append(child)
- menu_item.childs = accessible_children
- accessible_items.append(menu_item)
+ menu_item_copy.childs = accessible_children
+ accessible_items.append(menu_item_copy)
return accessible_items
@abstractmethod
diff --git a/tests/auth/managers/test_base_auth_manager.py
b/tests/auth/managers/test_base_auth_manager.py
index 64d33f6065..a39b60787c 100644
--- a/tests/auth/managers/test_base_auth_manager.py
+++ b/tests/auth/managers/test_base_auth_manager.py
@@ -313,3 +313,43 @@ class TestBaseAuthManager:
assert result[1].name == "item3"
assert len(result[1].childs) == 1
assert result[1].childs[0].name == "item3.1"
+
+ @patch.object(EmptyAuthManager, "security_manager")
+ def test_filter_permitted_menu_items_twice(self, mock_security_manager,
auth_manager):
+ mock_security_manager.has_access.side_effect = [
+ # 1st call
+ True, # menu 1
+ False, # menu 2
+ True, # menu 3
+ True, # Item 3.1
+ False, # Item 3.2
+ # 2nd call
+ False, # menu 1
+ True, # menu 2
+ True, # menu 3
+ False, # Item 3.1
+ True, # Item 3.2
+ ]
+
+ menu = Menu()
+ menu.add_link("item1")
+ menu.add_link("item2")
+ menu.add_link("item3")
+ menu.add_link("item3.1", category="item3")
+ menu.add_link("item3.2", category="item3")
+
+ result = auth_manager.filter_permitted_menu_items(menu.get_list())
+
+ assert len(result) == 2
+ assert result[0].name == "item1"
+ assert result[1].name == "item3"
+ assert len(result[1].childs) == 1
+ assert result[1].childs[0].name == "item3.1"
+
+ result = auth_manager.filter_permitted_menu_items(menu.get_list())
+
+ assert len(result) == 2
+ assert result[0].name == "item2"
+ assert result[1].name == "item3"
+ assert len(result[1].childs) == 1
+ assert result[1].childs[0].name == "item3.2"
