pierrejeambrun commented on code in PR #47062:
URL: https://github.com/apache/airflow/pull/47062#discussion_r1975657161
##########
tests/api_fastapi/conftest.py:
##########
@@ -34,9 +36,52 @@
@pytest.fixture
def test_client():
+ with conf_vars(
+ {
+ (
+ "core",
+ "auth_manager",
+ ):
"airflow.auth.managers.simple.simple_auth_manager.SimpleAuthManager",
+ }
+ ):
+ auth_manager = SimpleAuthManager()
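Review bot: `auth_manager = SimpleAuthManager()` on the last line builds its own instance alongside the `core.auth_manager` setting configured just above it, and that setting spells out the class path as a string separately from the class used here. Take the instance from the created app, or at least derive the configured path from the class, so the fixture cannot end up exercising a different manager than the routes under test.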
Review Comment:
`app = create_app()` then you can retrieve the auth manager from app.state.
##########
airflow/api_fastapi/core_api/routes/public/dags.py:
##########
@@ -57,14 +57,15 @@
DAGResponse,
)
from airflow.api_fastapi.core_api.openapi.exceptions import
create_openapi_http_exception_doc
+from airflow.api_fastapi.core_api.security import requires_access_dag
from airflow.exceptions import AirflowException, DagNotFound
from airflow.models import DAG, DagModel
from airflow.models.dagrun import DagRun
dags_router = AirflowRouter(tags=["DAG"], prefix="/dags")
-@dags_router.get("")
+@dags_router.get("", dependencies=[Depends(requires_access_dag(method="GET"))])
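Review bot: On the `@dags_router.get("")` line the dependency is built from `method="GET"` alone, and this route has no `dag_id` in its path, so the check can only allow or deny the request as a whole. The hunk does not show the handler limiting the returned DAGs to those the user may read. Add that filter (or point to where it happens) and a test with a user permitted on a subset of DAGs that asserts only those are listed.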
Review Comment:
I think we need to update `requires_access_dag`.
If I read the `_is_authorized_callback` correctly, if you request all dags
but have access to at least 1, the method will return 'True' for access.
I think we should remove that, this is not what is supposed by the route.
```python
# dag_id is not provided, and the user is not authorized to access *all* DAGs
# so we check that the user can access at least *one* dag
# but we leave it to the endpoint function to properly restrict access beyond that
if method not in ("GET", "PUT"):
    return False
return any(
    get_auth_manager().get_permitted_dag_ids(user=get_auth_manager().get_user(), methods=[method])
)
```
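
The concern raised in the comment above, as an added example that is not part of the review or of Airflow's code: a constructed model (every name and all data here are hypothetical) in which a route-level "at least one permitted DAG" gate passes, and the listing is only correct when the handler filters the result set itself.

```python
"""Constructed model of the check discussed above; names are hypothetical, not Airflow's API."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # DAG ids this user may access, keyed by HTTP method (constructed sample data)
    permitted: dict[str, set[str]] = field(default_factory=dict)


ALL_DAGS = ["billing_etl", "hr_export", "public_report"]  # constructed sample data


def permitted_dag_ids(user: User, method: str) -> set[str]:
    """DAG ids the user may access with the given method."""
    return user.permitted.get(method, set()) & set(ALL_DAGS)


def gate_at_least_one(user: User, method: str) -> bool:
    """Route-level check with no dag_id: passes if *any* DAG is permitted."""
    if method not in ("GET", "PUT"):
        return False
    return any(permitted_dag_ids(user, method))


def list_dags_unfiltered(user: User) -> list[str]:
    """Handler that relies on the gate alone: one permitted DAG lists all of them."""
    if not gate_at_least_one(user, "GET"):
        raise PermissionError("forbidden")
    return list(ALL_DAGS)


def list_dags_filtered(user: User) -> list[str]:
    """Handler that restricts the result set itself, independent of the gate."""
    allowed = permitted_dag_ids(user, "GET")
    return [dag_id for dag_id in ALL_DAGS if dag_id in allowed]
```

A regression test for a list route should use a user permitted on a strict subset of DAGs, as the filtered handler's case does here, since a user with access to everything or nothing cannot tell the two handlers apart.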