darshil929 opened a new pull request, #69175: URL: https://github.com/apache/airflow/pull/69175
The `create_asset_event` handler behind `POST /assets/events` is only guarded by `requires_access_asset(method="POST")` — the asset-level "create on Assets" permission. The event it creates is passed to `asset_manager.register_asset_change`, which enqueues `AssetDagRunQueue` rows for every consuming Dag scheduled on that asset, so the call effectively triggers downstream Dag runs without ever evaluating the Dag-level `access_control` those Dags define. A principal holding only the Assets "create" permission can therefore enqueue runs for Dags it has no run access to. This adds the missing check. Before the event is created, the endpoint now confirms the caller can run at least one producing Dag, or every consuming Dag the event would trigger. The consuming Dags are resolved the same way `register_asset_change` does when it queues runs: a Dag counts if it schedules on the asset directly, or by the asset's name or URI and isn't paused. That keeps the permission check aligned with the Dags the event would actually trigger, so it never blocks more or less than it should. Producers aren't pause-filtered, since re-running a producing Dag would re-emit the event anyway. Tests cover the producer-authorized, all-consumers-authorized, partial-consumer, and name/URI consumer cases. closes: #42846 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
