[PR] Apply per-file authorization to dag-source endpoint [airflow]

Thu, 28 May 2026 14:50:06 -0700 


potiuk opened a new pull request, #67662:
URL: https://github.com/apache/airflow/pull/67662

   This PR applies per-file authorization to the `/api/v2/dagSources/{dag_id}` 
endpoint, matching the pattern already in place for the import-errors endpoint 
in apache/airflow#65329.
   
   The dag-source endpoint currently returns the full source code of the file 
containing the requested Dag, even when the file co-locates multiple Dags and 
the caller has read access to only some of them. After this change, the 
endpoint:
   
   - enumerates every Dag in the same `(relative_fileloc, bundle_name)` as the 
requested `dag_id`,
   - intersects that set with the caller's readable Dag set,
   - redacts the response content if any co-located Dag is not readable by the 
caller (using the same `"REDACTED - you do not have read permission on all Dags 
in the file"` placeholder as `import_error.py`),
   - returns the source unchanged when the caller can read every Dag in the 
file.
   
   The endpoint's existing `DagAccessEntity.CODE` dependency check on the 
requested `dag_id` is preserved — this change adds a per-file overlay on top.
   
   ## Test plan
   
   - [x] New unit test: caller with CODE access to `dag_a` but no GET access to 
co-located `dag_b` receives the redacted placeholder in response.
   - [x] New unit test: caller with GET access to every Dag in the file 
receives the source unchanged.
   - [x] Existing tests pass (single-Dag-file case unchanged).
   - [x] `prek run` on touched files green.
   - [x] `mypy` clean on the touched file.
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [x] Yes — Claude Opus 4.7 (1M context)
   
   Generated-by: Claude Opus 4.7 (1M context) following the guidelines at 
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to