apache · potiuk · Nov 9, 2023 · Nov 9, 2023
diff --git a/airflow/auth/managers/fab/security_manager/override.py b/airflow/auth/managers/fab/security_manager/override.py
@@ -49,7 +49,7 @@
 from flask_login import LoginManager
 from itsdangerous import want_bytes
 from markupsafe import Markup
-from sqlalchemy import and_, func, inspect, or_, select
+from sqlalchemy import and_, func, inspect, literal, or_, select
 from sqlalchemy.exc import MultipleResultsFound
 from sqlalchemy.orm import Session, joinedload
 from werkzeug.security import check_password_hash, generate_password_hash
@@ -60,6 +60,7 @@
     RegisterUser,
     Resource,
     Role,
+    User,
     assoc_permission_role,
 )
 from airflow.auth.managers.fab.models.anonymous_user import AnonymousUser
@@ -95,7 +96,6 @@
 
 if TYPE_CHECKING:
     from airflow.auth.managers.base_auth_manager import ResourceMethod
-    from airflow.auth.managers.fab.models import User
     from airflow.www.fab_security.manager import BaseSecurityManager
 
 log = logging.getLogger(__name__)
@@ -126,6 +126,7 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     """ The obj instance for user view """
 
     """ Models """
+    user_model = User
     role_model = Role
     action_model = Action
     resource_model = Resource
@@ -403,6 +404,10 @@ def register_views(self):
                 category="Security",
             )
 
+    @property
+    def get_session(self):
+        return self.appbuilder.get_session
+
     def create_login_manager(self) -> LoginManager:
         """Create the login manager."""
         lm = LoginManager(self.appbuilder.app)
@@ -1123,6 +1128,41 @@ def clean_perms(self) -> None:
         if deleted_count:
             self.log.info("Deleted %s faulty permissions", deleted_count)
 
+    def permission_exists_in_one_or_more_roles(
+        self, resource_name: str, action_name: str, role_ids: list[int]
+    ) -> bool:
+        """
+        Efficiently check if a certain permission exists on a list of role ids; used by `has_access`.
+
+        :param resource_name: The view's name to check if exists on one of the roles
+        :param action_name: The permission name to check if exists
+        :param role_ids: a list of Role ids
+        :return: Boolean
+        """
+        q = (
+            self.appbuilder.get_session.query(self.permission_model)
+            .join(
+                assoc_permission_role,
+                and_(self.permission_model.id == assoc_permission_role.c.permission_view_id),
+            )
+            .join(self.role_model)
+            .join(self.action_model)
+            .join(self.resource_model)
+            .filter(
+                self.resource_model.name == resource_name,
+                self.action_model.name == action_name,
+                self.role_model.id.in_(role_ids),
+            )
+            .exists()
+        )
+        # Special case for MSSQL/Oracle (works on PG and MySQL > 8)
+        if self.appbuilder.get_session.bind.dialect.name in ("mssql", "oracle"):
+            return self.appbuilder.get_session.query(literal(True)).filter(q).scalar()
+        return self.appbuilder.get_session.query(q).scalar()
+
+    def perms_include_action(self, perms, action_name):
+        return any(perm.action and perm.action.name == action_name for perm in perms)
+
     def init_role(self, role_name, perms) -> None:
         """
         Initialize the role with actions and related resources.

diff --git a/airflow/www/fab_security/sqla/__init__.py b/airflow/www/fab_security/sqla/__init__.py
diff --git a/airflow/www/fab_security/sqla/manager.py b/airflow/www/fab_security/sqla/manager.py
diff --git a/airflow/www/security_manager.py b/airflow/www/security_manager.py
@@ -55,7 +55,7 @@
 )
 from airflow.utils.log.logging_mixin import LoggingMixin
 from airflow.www.extensions.init_auth_manager import get_auth_manager
-from airflow.www.fab_security.sqla.manager import SecurityManager
+from airflow.www.fab_security.manager import BaseSecurityManager
 from airflow.www.utils import CustomSQLAInterface
 
 EXISTING_ROLES = FAB_EXISTING_ROLES
@@ -64,7 +64,7 @@
     from airflow.auth.managers.models.base_user import BaseUser
 
 
-class AirflowSecurityManagerV2(SecurityManager, LoggingMixin):
+class AirflowSecurityManagerV2(BaseSecurityManager, LoggingMixin):
     """Custom security manager, which introduces a permission model adapted to Airflow.
 
     It's named V2 to differentiate it from the obsolete airflow.www.security.AirflowSecurityManager.

diff --git a/airflow/www/utils.py b/airflow/www/utils.py
@@ -49,6 +49,7 @@
 from airflow.utils.json import WebEncoder
 from airflow.utils.sqlalchemy import tuple_in_condition
 from airflow.utils.state import State, TaskInstanceState
+from airflow.www.extensions.init_auth_manager import get_auth_manager
 from airflow.www.forms import DateTimeWithTimezoneField
 from airflow.www.widgets import AirflowDateTimePickerWidget
 
@@ -60,7 +61,8 @@
     from sqlalchemy.sql import Select
     from sqlalchemy.sql.operators import ColumnOperators
 
-    from airflow.www.fab_security.sqla.manager import SecurityManager
+    from airflow.www.extensions.init_appbuilder import AirflowAppBuilder
+
 
 TI = TaskInstance
 
@@ -927,20 +929,23 @@ def __init__(
         self.html = html
         self.message = Markup(message) if html else message
 
-    def should_show(self, securitymanager: SecurityManager) -> bool:
+    def should_show(self, appbuilder: AirflowAppBuilder) -> bool:
         """Determine if the user should see the message.
 
         The decision is based on the user's role. If ``AUTH_ROLE_PUBLIC`` is
         set in ``webserver_config.py``, An anonymous user would have the
         ``AUTH_ROLE_PUBLIC`` role.
         """
         if self.roles:
-            current_user = securitymanager.current_user
+            current_user = get_auth_manager().get_user()
             if current_user is not None:
-                user_roles = {r.name for r in securitymanager.current_user.roles}
-            elif "AUTH_ROLE_PUBLIC" in securitymanager.appbuilder.get_app.config:
+                if not hasattr(current_user, "roles"):
+                    # If the user does not contain "roles" in its model, return False
+                    return False
+                user_roles = {r.name for r in current_user.roles}
+            elif "AUTH_ROLE_PUBLIC" in appbuilder.get_app.config:
                 # If the current_user is anonymous, assign AUTH_ROLE_PUBLIC role (if it exists) to them
-                user_roles = {securitymanager.appbuilder.get_app.config["AUTH_ROLE_PUBLIC"]}
+                user_roles = {appbuilder.get_app.config["AUTH_ROLE_PUBLIC"]}
             else:
                 # Unable to obtain user role - default to not showing
                 return False

diff --git a/airflow/www/views.py b/airflow/www/views.py
@@ -968,7 +968,7 @@ def index(self):
         )
 
         dashboard_alerts = [
-            fm for fm in settings.DASHBOARD_UIALERTS if fm.should_show(get_airflow_app().appbuilder.sm)
+            fm for fm in settings.DASHBOARD_UIALERTS if fm.should_show(get_airflow_app().appbuilder)
         ]
 
         def _iter_parsed_moved_data_table_names():