From 5559920175feb6592c32dfa851bc0b215639378a Mon Sep 17 00:00:00 2001
From: XD-DENG
Date: Wed, 9 Dec 2020 21:27:40 +0100
Subject: [PATCH] Allow all default roles to view Profile page + allow editing profile/resetting password if it's DB-ModelView. This is a change discussed long time back in https://github.com/apache/airflow/pull/3889#issuecomment-507635839 Essentially, the 7 permission-resource pairs are added for all users: - can_this_form_post on UserInfoEditView - can_this_form_get on UserInfoEditView - can_userinfo on UserDBModelView - userinfoedit on UserDBModelView - can_this_form_post on ResetMyPasswordView - can_this_form_get on ResetMyPasswordView - resetmypassword on UserDBModelView In addition, can_userinfo is added for all possible User ModelViews, so users can also view profile when the webserver is using different setting-ups. But they are ONLY allowed to edit profile and reset password when it's UserDBModelView
---
 airflow/security/permissions.py | 12 ++++++++++++
 airflow/www/security.py | 11 +++++++++++
 2 files changed, 23 insertions(+)
diff --git a/airflow/security/permissions.py b/airflow/security/permissions.py
index b83342341c600..983ebbd7f48ef 100644
--- a/airflow/security/permissions.py
+++ b/airflow/security/permissions.py
@@ -39,6 +39,13 @@
 RESOURCE_VARIABLE = "Variables"
 RESOURCE_WEBSITE = "Website"
 RESOURCE_XCOM = "XComs"
+RESOURCE_USERINFO_EDIT_VIEW = "UserInfoEditView"
+RESOURCE_RESET_MY_PASSWORD_VIEW = "ResetMyPasswordView"
+RESOURCE_USER_DB_MODELVIEW = "UserDBModelView"
+RESOURCE_USER_OID_MODELVIEW = "UserOIDModelView"
+RESOURCE_USER_LDAP_MODELVIEW = "UserLDAPModelView"
+RESOURCE_USER_OAUTH_MODELVIEW = "UserOAuthModelView"
+RESOURCE_USER_REMOTEUSER_MODELVIEW = "UserRemoteUserModelView"
 # Action Constants
 ACTION_CAN_CREATE = "can_create"
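Review bot: The seven new `RESOURCE_*` values in this hunk read as Flask-AppBuilder view class names rather than Airflow resources, and nothing in the file marks them as such. A misspelled value would presumably fail silently, producing a permission on a resource that no view ever checks. A comment above the group, for example `# Flask-AppBuilder built-in user views; values must match the FAB class names exactly`, would make that constraint visible to the next editor. The same applies to the five `ACTION_*` strings added in the next hunk of this file, which look like FAB's own permission names.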
@@ -46,5 +53,10 @@
 ACTION_CAN_EDIT = "can_edit"
 ACTION_CAN_DELETE = "can_delete"
 ACTION_CAN_ACCESS_MENU = "menu_access"
+ACTION_CAN_THIS_FORM_GET = "can_this_form_get"
+ACTION_CAN_THIS_FORM_POST = "can_this_form_post"
+ACTION_RESETMYPASSWORD = "resetmypassword"
+ACTION_CAN_USERINFO = "can_userinfo"
+ACTION_USERINFOEDIT = "userinfoedit"
 DEPRECATED_ACTION_CAN_DAG_READ = "can_dag_read"
 DEPRECATED_ACTION_CAN_DAG_EDIT = "can_dag_edit"
diff --git a/airflow/www/security.py b/airflow/www/security.py
index 601423e82ea2a..8f574506d00f0 100644
--- a/airflow/www/security.py
+++ b/airflow/www/security.py
@@ -74,6 +74,17 @@ class AirflowSecurityManager(SecurityManager, LoggingMixin):
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_PLUGIN),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_SLA_MISS),
 (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_INSTANCE),
+ (permissions.ACTION_CAN_THIS_FORM_GET, permissions.RESOURCE_RESET_MY_PASSWORD_VIEW),
+ (permissions.ACTION_CAN_THIS_FORM_POST, permissions.RESOURCE_RESET_MY_PASSWORD_VIEW),
+ (permissions.ACTION_RESETMYPASSWORD, permissions.RESOURCE_USER_DB_MODELVIEW),
+ (permissions.ACTION_CAN_THIS_FORM_GET, permissions.RESOURCE_USERINFO_EDIT_VIEW),
+ (permissions.ACTION_CAN_THIS_FORM_POST, permissions.RESOURCE_USERINFO_EDIT_VIEW),
+ (permissions.ACTION_USERINFOEDIT, permissions.RESOURCE_USER_DB_MODELVIEW),
+ (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_DB_MODELVIEW),
+ (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_OID_MODELVIEW),
+ (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_LDAP_MODELVIEW),
+ (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_OAUTH_MODELVIEW),
+ (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_REMOTEUSER_MODELVIEW),
 ]
 # [END security_viewer_perms]
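Review bot: The four `can_this_form_get`/`can_this_form_post` grants on `ResetMyPasswordView` and `UserInfoEditView` in the `airflow/www/security.py` hunk are added to the viewer list unconditionally, although the commit message says editing and password reset should only be possible with `UserDBModelView`. Only `resetmypassword` and `userinfoedit` are tied to the DB model view here; whether the two form views are still registered and reachable by direct URL under LDAP, OAuth, OID or remote-user auth depends on Flask-AppBuilder and is not visible in this diff, so it should be confirmed. The diffstat lists no test file; a test that a Viewer-role user under a non-DB auth type cannot post to either form, and that the role gains no `can_edit` on any user model view, would pin the intended boundary. A short comment above the new entries, such as `# Self-service profile: view for every auth type, edit/reset only for DB auth`, would record why the lowest role carries write-capable permissions. The list these entries extend starts outside the hunk.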