Enforce visibility filter on dag_runs/latest endpoint #1646
Open
elijahbenizzy wants to merge 1 commit into
When neither project_id nor dag_template_id is supplied, scope the result to projects the caller is a member of (directly or via a team, including the "Public" team), matching the visibility contract already followed by the other "get" endpoints in trackingserver_base/permissions. Adds a shared visible_project_ids_for_user helper and regression tests covering the no-arg case, the cross-project rejection, and the legitimate project_id/dag_template_id paths.
Summary
Tightens the scoping of the `GET /api/v1/dag_runs/latest/` endpoint in the tracking UI backend to honor the visibility contract that the rest of the `get` endpoints in this module already follow (documented at the top of `trackingserver_base/permissions/permissions.py`: "Inside any 'get' endpoints, we only access the items to which the user has visibility").

Previously, when neither `project_id` nor `dag_template_id` was supplied, the permission callback short-circuited to "allow" and the endpoint body produced an unfiltered query — returning runs from across the instance instead of the caller's accessible scope. This change makes the no-args case behave the same as every other get endpoint in the module.

Changes

`trackingserver_base/permissions/permissions.py`
- `visible_project_ids_for_user` helper that returns the set of project IDs the caller can see (mirrors `_get_visible_projects` but returns IDs only, so it composes with `__in=` filters).
- `user_can_get_latest_dag_runs` permission callback so it always evaluates visibility, including the no-args case.

`trackingserver_run_tracking/api.py`
- `project_id` nor `dag_template_id` is supplied, the endpoint now injects a `dag_template__project_id__in=<visible_ids>` filter.
- `project_id` or `dag_template_id` is supplied is unchanged.

Tests

- `visible_project_ids_for_user` helper (`tests/test_db_methods/test_permissions.py`).
- `tests/test_lifecycle/test_run_tracking.py`:
  - `project_id` request from a non-member returns 404 (matches existing behavior elsewhere).

Adjacent

`trackingserver_template/api.py:230` (`get_dag_template_catalog`) accepts `project_id: int = None` and has the same `project_id is None` short-circuit shape in its permission callback (`user_can_get_dag_templates`). Worth a follow-up to apply the same pattern there. Out of scope for this PR.
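
The short-circuit shape and the scoped form described in this PR, modelled in plain Python as an added example (not the PR's code). Assumptions: runs carry `project_id` directly rather than through `dag_template`, membership lives in constructed dicts instead of database queries, and every name except `visible_project_ids_for_user` is hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Run:
    id: int          # higher id = more recent (constructed)
    project_id: int

# Constructed sample data (hypothetical users, teams and projects).
USER_TEAMS = {"alice": {"team-a", "Public"}, "bob": {"team-b", "Public"}}
PROJECT_USERS = {1: {"alice"}, 2: {"bob"}, 3: set(), 4: set()}   # direct members
PROJECT_TEAMS = {1: set(), 2: {"team-b"}, 3: {"Public"}, 4: {"team-a"}}
RUNS = [Run(10, 1), Run(11, 2), Run(12, 3), Run(13, 4), Run(14, 2)]

def visible_project_ids_for_user(user):
    """Project IDs the user can see directly or through any of their teams."""
    teams = USER_TEAMS.get(user, set())
    return {pid for pid in PROJECT_USERS
            if user in PROJECT_USERS[pid] or PROJECT_TEAMS[pid] & teams}

def _latest(runs, limit):
    return sorted(runs, key=lambda r: r.id, reverse=True)[:limit]

def latest_runs_before(user, project_id=None, limit=10):
    """Short-circuit shape: no project_id means no visibility check and no filter."""
    if project_id is not None and project_id not in visible_project_ids_for_user(user):
        raise LookupError("404")
    return _latest([r for r in RUNS if project_id in (None, r.project_id)], limit)

def latest_runs_after(user, project_id=None, limit=10):
    """Visibility is always evaluated; the no-args query is scoped to visible IDs."""
    visible = visible_project_ids_for_user(user)
    if project_id is not None:
        if project_id not in visible:
            raise LookupError("404")   # same response as a missing project
        visible = {project_id}
    return _latest([r for r in RUNS if r.project_id in visible], limit)
```

A regression test for an endpoint of this shape needs at least one run in a project the caller cannot see, so the no-args response can be checked for its absence.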