Add missing permissions to varimport (#17468)

(cherry picked from commit eb6af07)
apache · Aug 17, 2021 · bcec1df · bcec1df
1 parent d07cd5d
commit bcec1df
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/airflow/www/views.py b/airflow/www/views.py
@@ -3276,7 +3276,6 @@ class VariableModelView(AirflowModelView):
         'delete': 'delete',
         'action_muldelete': 'delete',
         'action_varexport': 'read',
-        'varimport': 'create',
     }
     base_permissions = [
         permissions.ACTION_CAN_CREATE,
@@ -3339,6 +3338,7 @@ def action_varexport(self, items):
         return response
 
     @expose('/varimport', methods=["POST"])
+    @auth.has_access([(permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VARIABLE)])
     @action_logging
     def varimport(self):
         """Import variables"""

diff --git a/tests/www/views/test_views_variable.py b/tests/www/views/test_views_variable.py
@@ -96,6 +96,19 @@ def test_import_variables_success(session, admin_client):
     check_content_in_response('4 variable(s) successfully updated.', resp)
 
 
+def test_import_variables_anon(session, app):
+    assert session.query(Variable).count() == 0
+
+    content = '{"str_key": "str_value}'
+    bytes_content = io.BytesIO(bytes(content, encoding='utf-8'))
+
+    resp = app.test_client().post(
+        '/variable/varimport', data={'file': (bytes_content, 'test.json')}, follow_redirects=True
+    )
+    check_content_not_in_response('variable(s) successfully updated.', resp)
+    check_content_in_response('Sign In', resp)
+
+
 def test_description_retrieval(session, admin_client):
     # create valid variable
     admin_client.post('/variable/add', data=VARIABLE, follow_redirects=True)