[AIRFLOW-4020] Remove viewer DAG edit permissions (apache#4845)

fmaritato · Mar 5, 2019 · dda309e · dda309e
1 parent 3bb0493
commit dda309e
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/UPDATING.md b/UPDATING.md
@@ -24,6 +24,8 @@ assists users migrating to a new version.
 
 ## Airflow Master
 
+### Viewer won't have edit permissions on DAG view.
+
 ### RedisPy dependency updated to v3 series
 
 If you are using the Redis Sensor or Hook you may have to update your code. See

diff --git a/airflow/www/security.py b/airflow/www/security.py
@@ -129,19 +129,24 @@
     'all_dags'
 }
 
-DAG_PERMS = {
-    'can_dag_read',
+WRITE_DAG_PERMS = {
     'can_dag_edit',
 }
 
+READ_DAG_PERMS = {
+    'can_dag_read',
+}
+
+DAG_PERMS = WRITE_DAG_PERMS | READ_DAG_PERMS
+
 ###########################################################################
 #                     DEFAULT ROLE CONFIGURATIONS
 ###########################################################################
 
 ROLE_CONFIGS = [
     {
         'role': 'Viewer',
-        'perms': VIEWER_PERMS | DAG_PERMS,
+        'perms': VIEWER_PERMS | READ_DAG_PERMS,
         'vms': VIEWER_VMS | DAG_VMS
     },
     {

diff --git a/tests/www/test_views.py b/tests/www/test_views.py
@@ -1060,7 +1060,7 @@ def login(self, username=None, password=None):
                 role=role_user,
                 password='test_user')
 
-        role_viewer = self.appbuilder.sm.find_role('User')
+        role_viewer = self.appbuilder.sm.find_role('Viewer')
         test_viewer = self.appbuilder.sm.find_user(username='test_viewer')
         if not test_viewer:
             self.appbuilder.sm.add_user(
@@ -1566,6 +1566,14 @@ def test_tree_view_for_viewer(self):
         resp = self.client.get(url, follow_redirects=True)
         self.check_content_in_response('runme_1', resp)
 
+    def test_refresh_failure_for_viewer(self):
+        # viewer role can't refresh
+        self.logout()
+        self.login(username='test_viewer',
+                   password='test_viewer')
+        resp = self.client.get('refresh?dag_id=example_bash_operator')
+        self.check_content_in_response('Redirecting', resp, resp_code=302)
+
 
 class TestTaskInstanceView(TestBase):
     TI_ENDPOINT = '/taskinstance/list/?_flt_0_execution_date={}'