[GitHub] [airflow] Jorricks edited a comment on pull request #16634: Change TaskInstances and DagRun modify permissions to require can_edit on DAG resource.

[GitBox <gi...@apache.org>]

Jorricks edited a comment on pull request #16634:
URL: https://github.com/apache/airflow/pull/16634#issuecomment-869061373


   I updated the PR today (26 June) with the following:
   1. Inside the views, we already had the DagEditFilter. However, FlaskAppbuilder doesn't do the extra checks to verify that the items you are modifying/adding/deleting are inside the BaseFilter. Therefore, I created another abstraction for the view which checks for add/update/delete options that the user has `can_edit` access on the DAG the item he is accessing belongs to. If there was someone who still tried to cheat by changing primary keys in the front end with an HTML editor (add/update/delete a DAG he doesn't have edit access on), he will get an error message :)
   2. For the actions, it is the same thing. However, there is no way within Flask Appbuilder to check the items you are working with before entering the function (without using wrapper). Hence, of course I created wrapper. For all items provided/selected, it checks that the user had `can_edit` access on the DAG it is a part of.
   3. I implemented tests. For both DagRun and TaskInstance I created tests for `deleting`. For DagRun also for `adding`. Furthermore I also created the tests for all actions of both views to verify the behaviour of the actions.
   
   PS: Currently waiting for the commits to become visible here... Is there some way we can force this?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org