Vamsi-klu commented on PR #67662: URL: https://github.com/apache/airflow/pull/67662#issuecomment-4584956651
The per-file overlay should check `DagAccessEntity.CODE` for every Dag in the shared source file, not just generic Dag read access. Right now the route guard enforces `DagAccessEntity.CODE` only for the requested `dag_id`, but the new co-located-file check uses `get_authorized_dag_ids(user=user)` and then treats that generic readable-Dag set as sufficient for returning the whole file. That loses the access-entity dimension: `BaseAuthManager.filter_authorized_dag_ids()` calls `is_authorized_dag()` without `access_entity`, while entity-aware auth managers such as AWS and Keycloak pass `DagAccessEntity.CODE` through `is_authorized_dag()` context/attributes. A user who has code access to Dag A, generic read access to co-located Dag B, but no code access to Dag B can therefore receive the full shared source file through `/dagSources/A`. The new tests do not cover that case because they only mock `get_authorized_dag_ids()`. Can this check either call `is_authorized_dag(method="GET", access_entity=DagAccessEntity.CODE, ...)` for every co-located Dag, or use/add an auth-manager helper that filters Dag IDs by both method and access entity? --- Drafted-by: Codex (GPT-5); reviewed by @Vamsi-klu before posting -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
