pierrejeambrun opened a new pull request, #69471:
URL: https://github.com/apache/airflow/pull/69471

   `PUT /api/v2/parseDagFile/{file_token}` authorized the caller only through a 
route dependency that, with no `dag_id` path parameter, resolves the per-Dag 
target from the query string — which is decoupled from the Dag file the signed 
`file_token` actually resolves to. The handler already computed the correct 
per-Dag authorization requests from the file's Dags but only used them for an 
emptiness check.
   
   This enforces those requests via `batch_is_authorized_dag`, so authorization 
matches the Dag actually reparsed. The coarse route dependency is kept as 
defense-in-depth, mirroring the import-errors endpoint (coarse dependency + 
in-handler `batch_is_authorized_dag`).
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Code (Opus 4.8)
   
   Generated-by: Claude Code (Opus 4.8) following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to