This is an automated email from the ASF dual-hosted git repository.

dstandish pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new bbf2a8ad7b Clarify logic in callback func in is authorized callback 
(#42475)
bbf2a8ad7b is described below

commit bbf2a8ad7b8d3c2a2e3ec49d1cf0dcdb9ab88adc
Author: Daniel Standish <[email protected]>
AuthorDate: Thu Sep 26 08:53:40 2024 -0700

    Clarify logic in callback func in is authorized callback (#42475)
    
    I think this makes it a little clearer what the logic is doing.
---
 airflow/api_connexion/security.py | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/airflow/api_connexion/security.py 
b/airflow/api_connexion/security.py
index 7da83a7616..445ded913e 100644
--- a/airflow/api_connexion/security.py
+++ b/airflow/api_connexion/security.py
@@ -113,18 +113,25 @@ def requires_access_dag(
     method: ResourceMethod, access_entity: DagAccessEntity | None = None
 ) -> Callable[[T], T]:
     def _is_authorized_callback(dag_id: str):
-        def callback():
-            access = get_auth_manager().is_authorized_dag(
-                method=method,
-                access_entity=access_entity,
-                details=DagDetails(id=dag_id),
-            )
-
-            # ``access`` means here:
-            # - if a DAG id is provided (``dag_id`` not None): is the user 
authorized to access this DAG
-            # - if no DAG id is provided: is the user authorized to access all 
DAGs
-            if dag_id or access or access_entity:
-                return access
+        def callback() -> bool | DagAccessEntity:
+            if dag_id:
+                # a DAG id is provided; is the user authorized to access this 
DAG?
+                return get_auth_manager().is_authorized_dag(
+                    method=method,
+                    access_entity=access_entity,
+                    details=DagDetails(id=dag_id),
+                )
+            else:
+                # here we know dag_id is not provided.
+                # check is the user authorized to access all DAGs?
+                if get_auth_manager().is_authorized_dag(
+                    method=method,
+                    access_entity=access_entity,
+                ):
+                    return True
+                elif access_entity:
+                    # no dag_id provided, and user does not have access to all 
dags
+                    return False
 
             # dag_id is not provided, and the user is not authorized to access 
*all* DAGs
             # so we check that the user can access at least *one* dag
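Review bot: The no-`dag_id` branch now calls `is_authorized_dag(method=method, access_entity=access_entity)` without `details`, whereas the removed code always passed `details=DagDetails(id=dag_id)`, so the auth manager now receives no details object instead of one with an empty id. If any auth manager implementation treats those two inputs differently, this changes an authorization decision rather than only clarifying it; a test pinning the no-`dag_id` outcome for both the authorized and unauthorized case would settle that. Separately, the annotation `-> bool | DagAccessEntity` looks wider than what the visible branches return (the auth manager's result, `True` or `False`), so `-> bool` seems right unless the part of `callback` below this hunk returns something else. The fall-through when neither the `if` nor the `elif` matches is implicit; a short comment such as `# else: fall through to the "at least one DAG" check below` after the `elif` would make that path explicit.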
