From c3474b879362e6570b1e4973cad7fd3236cb4448 Mon Sep 17 00:00:00 2001
From: Tao Feng
Date: Tue, 5 Mar 2019 15:21:26 -0800
Subject: [PATCH] [AIRFLOW-4020] Remove viewer DAG edit permissions (#4845)
(cherry picked from commit dda309e66224346014ca42a0bcce4f53365f1118)
---
 airflow/www_rbac/security.py | 11 ++++++++---
 tests/www_rbac/test_views.py | 10 +++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/airflow/www_rbac/security.py b/airflow/www_rbac/security.py
index 09df1fe9493309..325d2e6f1a2948 100644
--- a/airflow/www_rbac/security.py
+++ b/airflow/www_rbac/security.py
@@ -129,11 +129,16 @@
 'all_dags'
 }
-DAG_PERMS = {
- 'can_dag_read',
+WRITE_DAG_PERMS = {
 'can_dag_edit',
 }
+READ_DAG_PERMS = {
+ 'can_dag_read',
+}
+
+DAG_PERMS = WRITE_DAG_PERMS | READ_DAG_PERMS
+
 ###########################################################################
 # DEFAULT ROLE CONFIGURATIONS
 ###########################################################################
@@ -141,7 +146,7 @@
 ROLE_CONFIGS = [
 {
 'role': 'Viewer',
- 'perms': VIEWER_PERMS,
+ 'perms': VIEWER_PERMS | READ_DAG_PERMS,
 'vms': VIEWER_VMS | DAG_VMS,
 },
 {
diff --git a/tests/www_rbac/test_views.py b/tests/www_rbac/test_views.py
index cadbeca2c93d26..451630a0b243eb 100644
--- a/tests/www_rbac/test_views.py
+++ b/tests/www_rbac/test_views.py
@@ -1255,7 +1255,7 @@ def login(self, username=None, password=None):
 role=role_user,
 password='test_user')
- role_viewer = self.appbuilder.sm.find_role('User')
+ role_viewer = self.appbuilder.sm.find_role('Viewer')
 test_viewer = self.appbuilder.sm.find_user(username='test_viewer')
 if not test_viewer:
 self.appbuilder.sm.add_user(
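Review bot: The three permission sets defined in this hunk carry no comment saying which one a role config is expected to use, and `DAG_PERMS` still contains `can_dag_edit`, so any role that keeps `DAG_PERMS` keeps write access. A short comment above the definitions would make the split explicit, for example `# WRITE_DAG_PERMS changes DAG state; read-only roles take READ_DAG_PERMS, never DAG_PERMS`. The other uses of `DAG_PERMS` are outside the hunk, so which roles still receive the union cannot be checked from here.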
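Review bot: Changing the default `'perms'` of the `Viewer` entry in `ROLE_CONFIGS` only tightens access if the role sync also removes permissions granted earlier, and that code is not in this hunk. If the sync leaves already-populated roles untouched, a deployment upgraded from an earlier release would keep `can_dag_edit` on its existing Viewer role. I would ask for an upgrade note plus a comment on the entry, e.g. `# Viewer is read-only: READ_DAG_PERMS only; existing roles may need a resync`. `VIEWER_PERMS` is defined outside the hunk, so it is worth confirming it contains no edit permission of its own, since `'vms': VIEWER_VMS | DAG_VMS` is unchanged and the restriction rests entirely on the permission names.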
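Review bot: The corrected `find_role('Viewer')` only takes effect when `test_viewer` does not exist yet, because the `if not test_viewer:` guard skips `add_user` for an existing account. On a test database that persists between runs, a `test_viewer` created earlier with the `User` role would keep that role, and the viewer tests would keep running with the broader permissions without failing. The result of `find_role` is also not checked before use, so a missing `Viewer` role would surface only later. The body of `login` and the `add_user` call continue outside the hunk, so whether the fixture is rebuilt per run cannot be confirmed from here.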
@@ -1803,6 +1803,14 @@ def test_tree_view_for_viewer(self):
 resp = self.client.get(url, follow_redirects=True)
 self.check_content_in_response('runme_1', resp)
+ def test_refresh_failure_for_viewer(self):
+ # viewer role can't refresh
+ self.logout()
+ self.login(username='test_viewer',
+ password='test_viewer')
+ resp = self.client.get('refresh?dag_id=example_bash_operator')
+ self.check_content_in_response('Redirecting', resp, resp_code=302)
+
 class TestTaskInstanceView(TestBase):
 TI_ENDPOINT = '/taskinstance/list/?_flt_0_execution_date={}'
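Review bot: `test_refresh_failure_for_viewer` asserts only a 302 status and the word `'Redirecting'`, which cannot tell a denied request from a refresh that succeeds and then redirects. The refresh view is outside this hunk, so whether its success path also redirects needs confirming; if it does, this test passes even when the permission check is missing. Asserting on the redirect target through `resp.headers['Location']`, or following the redirect and checking for the access-denied message, would pin the denial itself. The request path `'refresh?dag_id=example_bash_operator'` also lacks the leading slash that `TI_ENDPOINT` just below uses.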