vincbeck commented on code in PR #42473: URL: https://github.com/apache/airflow/pull/42473#discussion_r1775759483
########## airflow/api_connexion/security.py: ########## @@ -126,13 +126,14 @@ def callback(): if dag_id or access or access_entity: return access - # No DAG id is provided, the user is not authorized to access all DAGs and authorization is done + # No DAG id is provided: the user is not authorized to access all DAGs and authorization is done

Review Comment: Well, there are 2 things I think. The first check is checking that the user has access to list these given resources; if not, they get an access denied. Then after, yes, the endpoint is responsible for returning only resources that the user has access to. We could remove the first one but, as a consequence, the user will get an empty list when trying to list something that they do not have access to. I am not sure this is a good user experience.
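Review bot: In the reworded comment below `return access`, the phrase "the user is not authorized to access all DAGs" is still ambiguous after the comma-to-colon change: it can be read as "authorized for no DAG" or as "lacks blanket access to every DAG". Because this comment documents an authorization branch, it should say which is meant, for example "the user does not have access to every DAG". It would also help to state in the same comment that this is only the list-level check that produces the access denied, and that the endpoint is then responsible for returning only the resources the user can access, which is the split described in this review thread.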