From b1d28ec86301e48d8862f0b17c4b7e241acda191 Mon Sep 17 00:00:00 2001 From: Ash Berlin-Taylor Date: Fri, 6 Aug 2021 16:22:50 +0100 Subject: [PATCH] Add missing permissions to varimport (#17468) (cherry picked from commit eb6af07f5bc8958efd06818e84a5273a079304e1) (cherry picked from commit 2bbaec8b76194ab95d569b066ae855167a4f18db) --- airflow/www/views.py | 2 +- tests/www/test_views.py | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/airflow/www/views.py b/airflow/www/views.py index 71a7fc3c23581..88f2e1f5c0ff8 100644 --- a/airflow/www/views.py +++ b/airflow/www/views.py @@ -3104,7 +3104,6 @@ class VariableModelView(AirflowModelView): 'delete': 'delete', 'action_muldelete': 'delete', 'action_varexport': 'read', - 'varimport': 'create', } base_permissions = [ permissions.ACTION_CAN_CREATE, @@ -3167,6 +3166,7 @@ def action_varexport(self, items): return response @expose('/varimport', methods=["POST"]) + @auth.has_access([(permissions.ACTION_CAN_CREATE, permissions.RESOURCE_VARIABLE)]) @action_logging def varimport(self): """Import variables""" diff --git a/tests/www/test_views.py b/tests/www/test_views.py index f4e249fa8a68f..47d73245120b3 100644 --- a/tests/www/test_views.py +++ b/tests/www/test_views.py @@ -333,6 +333,19 @@ def test_import_variables_success(self): ) self.check_content_in_response('4 variable(s) successfully updated.', resp) + def test_import_variables_anon(self): + assert self.session.query(models.Variable).count() == 0 + + content = '{"str_key": "str_value}' + bytes_content = io.BytesIO(bytes(content, encoding='utf-8')) + + self.logout() + resp = self.client.post( + '/variable/varimport', data={'file': (bytes_content, 'test.json')}, follow_redirects=True + ) + self.check_content_not_in_response('variable(s) successfully updated.', resp) + self.check_content_in_response('Sign In', resp) + class PluginOperator(BaseOperator): pass