Posted to commits@airflow.apache.org by as...@apache.org on 2021/08/06 15:23:10 UTC

[airflow] branch main updated: Add missing permissions to varimport (#17468)

This is an automated email from the ASF dual-hosted git repository.

ash pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new eb6af07  Add missing permissions to varimport (#17468)
eb6af07 is described below

commit eb6af07f5bc8958efd06818e84a5273a079304e1
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Fri Aug 6 16:22:50 2021 +0100

    Add missing permissions to varimport (#17468)
---
 airflow/www/views.py                   |  2 +-
 tests/www/views/test_views_variable.py | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/airflow/www/views.py b/airflow/www/views.py
index 9d1d4ad..5508b7f 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -3431,7 +3431,6 @@ class VariableModelView(AirflowModelView):
         'delete': 'delete',
         'action_muldelete': 'delete',
         'action_varexport': 'read',
-        'varimport': 'create',
     }
     base_permissions = [
         permissions.ACTION_CAN_CREATE,
@@ -3494,6 +3493,7 @@ class VariableModelView(AirflowModelView):
         return response
 
     @expose('/varimport', methods=["POST"])
+    @auth.has_access([(permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VARIABLE)])
     @action_logging
     def varimport(self):
         """Import variables"""
diff --git a/tests/www/views/test_views_variable.py b/tests/www/views/test_views_variable.py
index a1bf5b9..65d6a27 100644
--- a/tests/www/views/test_views_variable.py
+++ b/tests/www/views/test_views_variable.py
@@ -96,6 +96,19 @@ def test_import_variables_success(session, admin_client):
     check_content_in_response('4 variable(s) successfully updated.', resp)
 
 
+def test_import_variables_anon(session, app):
+    assert session.query(Variable).count() == 0
+
+    content = '{"str_key": "str_value}'
+    bytes_content = io.BytesIO(bytes(content, encoding='utf-8'))
+
+    resp = app.test_client().post(
+        '/variable/varimport', data={'file': (bytes_content, 'test.json')}, follow_redirects=True
+    )
+    check_content_not_in_response('variable(s) successfully updated.', resp)
+    check_content_in_response('Sign In', resp)
+
+
 def test_description_retrieval(session, admin_client):
     # create valid variable
     admin_client.post('/variable/add', data=VARIABLE, follow_redirects=True)
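Review bot: The payload in `test_import_variables_anon` is malformed JSON (`'{"str_key": "str_value}'` lacks the closing quote), so the request could probably never create a variable even if the access check were missing, and the test may pass without the fix. Use a valid body, `content = '{"str_key": "str_value"}'`, and assert the database state after the POST with `assert session.query(Variable).count() == 0`, so the test fails if an anonymous import gets through. The test also covers only an unauthenticated client; a companion case for a logged-in user without create permission on variables would cover the authorisation half of the decorator.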