Allow all default roles to view Profile page + allow editing profile/…

…resetting password for DB-ModelView. (apache#12971) This is a change discussed long time back in apache#3889 (comment) Essentially, the 7 permission-resource pairs are added for all users: - can_this_form_post on UserInfoEditView - can_this_form_get on UserInfoEditView - can_userinfo on UserDBModelView - userinfoedit on UserDBModelView - can_this_form_post on ResetMyPasswordView - can_this_form_get on ResetMyPasswordView - resetmypassword on UserDBModelView In addition, can_userinfo is added for all possible User ModelViews, so users can also view profile when the webserver is using different setting-ups. But they are ONLY allowed to edit profile and reset password when it's UserDBModelView
evinism · Dec 10, 2020 · fbd8348 · fbd8348
1 parent e5ce657
commit fbd8348
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/airflow/security/permissions.py b/airflow/security/permissions.py
@@ -39,12 +39,24 @@
 RESOURCE_VARIABLE = "Variables"
 RESOURCE_WEBSITE = "Website"
 RESOURCE_XCOM = "XComs"
+RESOURCE_USERINFO_EDIT_VIEW = "UserInfoEditView"
+RESOURCE_RESET_MY_PASSWORD_VIEW = "ResetMyPasswordView"
+RESOURCE_USER_DB_MODELVIEW = "UserDBModelView"
+RESOURCE_USER_OID_MODELVIEW = "UserOIDModelView"
+RESOURCE_USER_LDAP_MODELVIEW = "UserLDAPModelView"
+RESOURCE_USER_OAUTH_MODELVIEW = "UserOAuthModelView"
+RESOURCE_USER_REMOTEUSER_MODELVIEW = "UserRemoteUserModelView"
 
 # Action Constants
 ACTION_CAN_CREATE = "can_create"
 ACTION_CAN_READ = "can_read"
 ACTION_CAN_EDIT = "can_edit"
 ACTION_CAN_DELETE = "can_delete"
 ACTION_CAN_ACCESS_MENU = "menu_access"
+ACTION_CAN_THIS_FORM_GET = "can_this_form_get"
+ACTION_CAN_THIS_FORM_POST = "can_this_form_post"
+ACTION_RESETMYPASSWORD = "resetmypassword"
+ACTION_CAN_USERINFO = "can_userinfo"
+ACTION_USERINFOEDIT = "userinfoedit"
 DEPRECATED_ACTION_CAN_DAG_READ = "can_dag_read"
 DEPRECATED_ACTION_CAN_DAG_EDIT = "can_dag_edit"
diff --git a/airflow/www/security.py b/airflow/www/security.py
@@ -74,6 +74,17 @@ class AirflowSecurityManager(SecurityManager, LoggingMixin):
         (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_PLUGIN),
         (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_SLA_MISS),
         (permissions.ACTION_CAN_ACCESS_MENU, permissions.RESOURCE_TASK_INSTANCE),
+        (permissions.ACTION_CAN_THIS_FORM_GET, permissions.RESOURCE_RESET_MY_PASSWORD_VIEW),
+        (permissions.ACTION_CAN_THIS_FORM_POST, permissions.RESOURCE_RESET_MY_PASSWORD_VIEW),
+        (permissions.ACTION_RESETMYPASSWORD, permissions.RESOURCE_USER_DB_MODELVIEW),
+        (permissions.ACTION_CAN_THIS_FORM_GET, permissions.RESOURCE_USERINFO_EDIT_VIEW),
+        (permissions.ACTION_CAN_THIS_FORM_POST, permissions.RESOURCE_USERINFO_EDIT_VIEW),
+        (permissions.ACTION_USERINFOEDIT, permissions.RESOURCE_USER_DB_MODELVIEW),
+        (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_DB_MODELVIEW),
+        (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_OID_MODELVIEW),
+        (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_LDAP_MODELVIEW),
+        (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_OAUTH_MODELVIEW),
+        (permissions.ACTION_CAN_USERINFO, permissions.RESOURCE_USER_REMOTEUSER_MODELVIEW),
     ]
     # [END security_viewer_perms]