Fix: Apply DAG permission filter to dashboard (closes #53938) #54126
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
suhail-zemoso
requested review from
bugraoz93,
ephraimbuddy,
jason810496,
pierrejeambrun,
rawwar and
shubhamraj-git
as code owners
|
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
|
pierrejeambrun
approved these changes
Aug 6, 2025
pierrejeambrun
added
the
backport-to-v3-1-test
|
Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions. |
Backport successfully created: v3-0-test
|
github-actions bot
pushed a commit
to aws-mwaa/upstream-to-airflow
that referenced
this pull request
Aug 7, 2025
…che#53938) (apache#54126) (cherry picked from commit 5964ab5) Co-authored-by: suhail-zemoso <suhail.gour@zemosolabs.com>
pierrejeambrun
pushed a commit
that referenced
this pull request
Aug 7, 2025
github-actions bot
pushed a commit
to astronomer/airflow
that referenced
this pull request
Aug 7, 2025
…che#53938) (apache#54126) (cherry picked from commit 5964ab5) Co-authored-by: suhail-zemoso <suhail.gour@zemosolabs.com>
ferruzzi
pushed a commit
to aws-mwaa/upstream-to-airflow
that referenced
this pull request
Aug 7, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
✅ Fix: Apply DAG permission filter to /dag_stats and /historical_metrics_data endpoint
📌 Closes: #53938
🔍 Summary
This PR addresses a security/visibility issue where the /dag_stats and /historical_metrics_data endpoints returned data for all DAGs, even if the requesting user lacked the necessary permissions.
To resolve this, DAG-level permission checks are now enforced using ReadableDagsFilterDep.
🛠️ What was changed
✅ Added readable_dags_filter: ReadableDagsFilterDep as a dependency to:
✅ Ensured that only data from DAGs the current user has access to is included in the response
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in airflow-core/newsfragments.