From bfe57d3fcdd6dde925a5207a3ba04a1b1cde7a4d Mon Sep 17 00:00:00 2001
From: Kaxil Naik
Date: Tue, 2 Mar 2021 23:48:10 +0000
Subject: [PATCH] Bugfix: Plugins endpoint was unauthenticated (#14570)
The plugins endpoint missed auth check
(cherry picked from commit 0a969db2b025709505f8043721c83218a73bb84d)
---
 airflow/www/views.py | 5 +++++
 tests/www/test_views.py | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 78dbbea21ed1b0..fbee413a686c52 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -2969,6 +2969,11 @@ class PluginView(AirflowBaseView):
 ]
 @expose('/plugin')
+ @auth.has_access(
+ [
+ (permissions.ACTION_CAN_READ, permissions.RESOURCE_PLUGIN),
+ ]
+ )
 def list(self):
 """List loaded plugins."""
 plugins_manager.ensure_plugins_loaded()
diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index efcb46efb38b88..b391e56c64da19 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -361,6 +361,12 @@ def test_should_list_entrypoint_plugins_on_page_with_details(self):
 self.check_content_in_response("source", resp)
 self.check_content_in_response("test-entrypoint-testpluginview==1.0.0:
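Review bot: The `@auth.has_access` added above `PluginView.list` in airflow/www/views.py closes this one route, but nothing in the change stops the next `@expose` handler from being added without an access check, which is how `/plugin` was left open. I would add a test under tests/www that walks the app's registered routes and asserts that an anonymous request to each is redirected to login or rejected, with an explicit allow-list for routes that are meant to be public. It is also worth confirming that `(permissions.ACTION_CAN_READ, permissions.RESOURCE_PLUGIN)` is granted to the intended built-in roles; that mapping is not visible in this patch, and if it is missing the page becomes unreachable for users who are supposed to see it. The body of `list` and the rest of `PluginView` continue outside the hunk.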