Re: [PR] Introduce `filter_authorized_menu_items` to filter menu items based on permissions [airflow]

Tue, 01 Apr 2025 06:10:22 -0700 


vincbeck commented on code in PR #47681:
URL: https://github.com/apache/airflow/pull/47681#discussion_r2022823841


##########
airflow/api_fastapi/core_api/routes/ui/auth.py:
##########
@@ -31,7 +31,7 @@
 def get_auth_links(
     user: GetUserDep,
 ) -> MenuItemCollectionResponse:
-    menu_items = get_auth_manager().get_menu_items(user=user)
+    menu_items = get_auth_manager().get_extra_menu_items(user=user)

Review Comment:
   The 2 APIs have different purposes:
   - `get_extra_menu_items` allows the auth manager to add extra links in the 
menu. That's what the FAB auth manager does with links under security
   - `get_authorized_menu_items` returns the lists of menu items the user has 
access to.
   
   > We have no endpoint leveraging get_authorized_menu_items at the moment for 
the front-end to use ?
   
   Correct, this is not used yet in the UI (see 
[comment](https://github.com/apache/airflow/issues/47412#issuecomment-2740442710))
 but we should definitely use it
   
   > But if we do maybe get_extra_menu_items shouldlist 'all menu items' 
independently of permissions and get_authorized_menu_items take into acount 
permissions. Therefore we need to update the endpoint to use 
get_authorized_menu_items ?
   
   I wondered the same when I worked on it but I decided to do it that way for 
multiple reasons. First, it feels unnecessary to call 2 APIs 
(`get_extra_menu_items` and `get_authorized_menu_items`) to list menu items 
provided by the auth manager. Second, the auth manager might want to add menus 
items regardless of the authz (e.g. documentation). If so, then you should 
handle it in `get_authorized_menu_items`. To me, having `get_extra_menu_items` 
handle it own authorization of its own menu items makes it simpler. We should 
consider FAB auth manager as an exception or an edge case and not a model, I 
understand that in FAB auth manager use case, it **might** make sense to handle 
authorization of links added by `get_extra_menu_items` in 
`get_authorized_menu_items` but I dont think so in general auth manager use 
case.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to