This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit ccf47ae7548740a5f65443cbca85b22884548cc7
Author: Kaxil Naik <kaxiln...@gmail.com>
AuthorDate: Wed Jul 1 22:13:10 2020 +0100

    Restrict changing XCom values from the Webserver (#9614)
    
    (cherry-picked from 1655fa9253ba8f61ccda77780a9e94766c15f565)
---
 UPDATING.md               | 6 ++++++
 airflow/www/views.py      | 2 ++
 airflow/www_rbac/views.py | 4 +---
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index ec193f9..61734bb 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -89,6 +89,12 @@ the previous behaviour on a new install by setting this in 
your airflow.cfg:
 auth_backend = airflow.api.auth.backend.default
 ```
 
+### XCom Values can no longer be added or changed from the Webserver
+
+Since XCom values can contain pickled data, we would no longer allow adding or
+changing XCom values from the UI.
+
+
 ## Airflow 1.10.10
 
 ### Setting Empty string to a Airflow Variable will return an empty string
diff --git a/airflow/www/views.py b/airflow/www/views.py
index a3293c8..abd1b9e 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -2754,6 +2754,8 @@ class VariableView(wwwutils.DataProfilingMixin, 
AirflowModelView):
 
 
 class XComView(wwwutils.SuperUserMixin, AirflowModelView):
+    can_create = False
+    can_edit = False
     verbose_name = "XCom"
     verbose_name_plural = "XComs"
 
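Review bot: The two new flags on `XComView` carry no comment, so nothing at the class tells a maintainer that they are a security control rather than a UI preference. The same applies to the trimmed `base_permissions` in `airflow/www_rbac/views.py`. UPDATING.md gives the reason (XCom values can contain pickled data), and it belongs next to the code, e.g. `# XCom values may hold pickled data: never allow create/edit from the web UI` above `can_create = False`. The class body continues past the end of the hunk.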
diff --git a/airflow/www_rbac/views.py b/airflow/www_rbac/views.py
index 67a7493..96d4079 100644
--- a/airflow/www_rbac/views.py
+++ b/airflow/www_rbac/views.py
@@ -2233,12 +2233,10 @@ class XComModelView(AirflowModelView):
 
     datamodel = AirflowModelView.CustomSQLAInterface(XCom)
 
-    base_permissions = ['can_add', 'can_list', 'can_edit', 'can_delete']
+    base_permissions = ['can_list', 'can_delete']
 
     search_columns = ['key', 'value', 'timestamp', 'execution_date', 
'task_id', 'dag_id']
     list_columns = ['key', 'value', 'timestamp', 'execution_date', 'task_id', 
'dag_id']
-    add_columns = ['key', 'value', 'execution_date', 'task_id', 'dag_id']
-    edit_columns = ['key', 'value', 'execution_date', 'task_id', 'dag_id']
     base_order = ('execution_date', 'desc')
 
     base_filters = [['dag_id', DagFilter, lambda: []]]
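Review bot: The commit ships no test for the restriction, since the diffstat lists only UPDATING.md and the two views files. A regression test that requests the add and edit pages of `XComModelView` and asserts they are refused would keep `base_permissions = ['can_list', 'can_delete']` from being widened unnoticed later. It is also worth confirming that deployments upgraded in place do not keep `can_add`/`can_edit` grants on this view in existing roles; whether the permission sync removes them is not visible from this hunk. The class starts and ends outside the hunk.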
