pierrejeambrun opened a new pull request, #69471:
URL: https://github.com/apache/airflow/pull/69471
`PUT /api/v2/parseDagFile/{file_token}` authorized the caller only through a
route dependency that, with no `dag_id` path parameter, resolves the per-Dag
target from the query string — which is decoupled from the Dag file the signed
`file_token` actually resolves to. The handler already computed the correct
per-Dag authorization requests from the file's Dags but only used them for an
emptiness check.
This enforces those requests via `batch_is_authorized_dag`, so authorization
matches the Dag actually reparsed. The coarse route dependency is kept as
defense-in-depth, mirroring the import-errors endpoint (coarse dependency +
in-handler `batch_is_authorized_dag`).
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4.8)
Generated-by: Claude Code (Opus 4.8) following [the
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]