vincbeck commented on code in PR #54926:
URL: https://github.com/apache/airflow/pull/54926#discussion_r2300926638


##########
providers/fab/src/airflow/providers/fab/auth_manager/fab_auth_manager.py:
##########
@@ -323,40 +325,43 @@ def is_authorized_dag(
 
         There are multiple scenarios:
 
-        1. ``access_entity`` is not provided which means the user wants to 
access the DAG itself and not a sub
-        entity (e.g. DAG runs).
-        2. ``access_entity`` is provided which means the user wants to access 
a sub entity of the DAG
+        1. ``method`` is "GET" and no details is provided means the user wants 
to list Dags (or sub entities of Dags)
+        2. ``access_entity`` is not provided which means the user wants to 
access the DAG itself and not a sub
+        entity (e.g. Task instances).
+        3. ``access_entity`` is provided which means the user wants to access 
a sub entity of the DAG
         (e.g. DAG runs).
 
             a. If ``method`` is GET, then check the user has READ permissions 
on the DAG and the sub entity.
-            b. Else, check the user has EDIT permissions on the DAG and 
``method`` on the sub entity. However,
-                if no specific DAG is targeted, just check the sub entity.
+            b. Else, check the user has EDIT permissions on the DAG and 
``method`` on the sub entity
 
         :param method: The method to authorize.
         :param user: The user performing the action.
         :param access_entity: The dag access entity.
         :param details: The dag details.
         """
-        if not access_entity:
+        if access_entity:
+            # If a sub-Dag entity is specified, check whether the user has 
access to it
+            resource_types = self._get_fab_resource_types(access_entity)
+            access_entity_authorized = all(
+                self._is_authorized(method=method, 
resource_type=resource_type, user=user)
+                for resource_type in resource_types
+            )
+            if not access_entity_authorized:
+                return False
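Review bot: `all(...)` over an empty iterable is `True`, so if `self._get_fab_resource_types(access_entity)` ever returns an empty collection for some access entity, the sub-entity check passes vacuously and execution falls through to the DAG-level check that follows. Since this is an authorization path it should fail closed; consider adding `if not resource_types: return False` before the `all(...)`, or making `_get_fab_resource_types` raise for an entity it cannot map. Two docstring points in the same hunk: scenario 1 reads "no details is provided means the user wants to list Dags" and should be "no details are provided, which means ..."; and scenario 3b drops the previous sentence "if no specific DAG is targeted, just check the sub entity", so it is worth confirming that the no-details case is now covered by scenario 1 as described, and that the docstring matches whatever the code below does when `details` is absent.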

Review Comment:
   It is a sub scenario of scenarios 1 and 3. Basically, anytime `access_entity` is provided, we need to check the user has access to this sub entity.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.