Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/01/02 19:18:57 UTC

[GitHub] [airflow] AmarEL commented on issue #13340: Anonymous users aren't able to view DAGs even with Admin Role

AmarEL commented on issue #13340:
URL: https://github.com/apache/airflow/issues/13340#issuecomment-753518166


   The actual behavior without changes is problematic too because if someone sets `AUTH_ROLE_PUBLIC = "Admin"`, the DAGs will not be displayed, but the anonymous user is still able to view and access some menus like "Admin". So, an anonymous user with the role Admin can view/edit some sensitive data, but can't view/edit DAGs.
   
   Or another example could be if I create a new role "Anonymous" and attach just the View Dags permission to this role, the user will still not be able to view the DAGs without changing the code.
   
   So, I think that some change is necessary.
   
   
   And I appreciated the @potiuk suggestion and I'm still looking for it in another branch, but for
   > to only allow READ access for unauthenticated users and fail configuration if any WRITE access is configured
   
   more changes are necessary for methods related to Menu Views and other stuff.
   
   I'm not sure if it is better **to fix the behavior that I wrote in this issue and document all these details very well** to let the developer configure this correctly if he wants to give READ permission for an anonymous user or **deny any READ permission for an anonymous user** (it needs to be very well documented too).
   
   

