Fix dag_id extraction for dag level access checks in web ui #23015
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dag level permissions are not checked properly if a post request is sent from within the web ui (i.e. clear a task or dag run). If a user has can_read on any dag any operation that involves a post request is allowed even though the user does not have the can_write permission for this dag as far as the appropriate other permissions like edit_task_instance or edit_dag_run were granted. This is caused by the dag_id being extracted from
request.args
which only exists for get requests (i.e. change the status of a task). OtherwiseNone
is used as dag_id inappbuilder.sm.check_authorization
which essentially leads to ignoring the dag level access permissions.I added two new tests for this specific issue.
While writing the tests I fixed a small issue in another test (
test_success_fail_for_read_only_task_instance_access
) that resulted in the test succeeding although not for the reason that is under test here.This PR is a follow up to #21797 as discussed there and addresses the first issue.
At last let me thank you all again for your great work!