apache · eladkal · Aug 3, 2023 · Aug 2, 2023 · Aug 2, 2023 · Aug 2, 2023
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
@@ -1349,6 +1349,13 @@ operators:
 webserver:
   description: ~
   options:
+    access_denied_message:
+      description: |
+        The message displayed when a user attempts to execute actions beyond their authorised privileges.
+      version_added: 2.7.0
+      type: string
+      example: ~
+      default: "Access is Denied"
-      default: "Access is Denied"
+      default: "Unauthorized Access: Denied"
-      default: "Access is Denied"
+      default: "Unauthorized Access: Denied"
     config_file:
       description: |
         Path of webserver config file used for configuring the webserver parameters

@@ -28,6 +28,10 @@
 T = TypeVar("T", bound=Callable)
 
 
+def get_access_denied_message():
+    return conf.get("webserver", "access_denied_message")
+
+
 def has_access(permissions: Sequence[tuple[str, str]] | None = None) -> Callable[[T], T]:
     """Factory for decorator that checks current user's permissions against required permissions."""
 
@@ -59,7 +63,7 @@ def decorated(*args, **kwargs):
                     403,
                 )
             else:
-                access_denied = "Access is Denied"
+                access_denied = get_access_denied_message()
                 flash(access_denied, "danger")
             return redirect(get_auth_manager().get_url_login(next=request.url))
 

diff --git a/tests/www/test_security.py b/tests/www/test_security.py
@@ -20,6 +20,7 @@
 import contextlib
 import datetime
 import logging
+import os
 from unittest import mock
 from unittest.mock import patch
 
@@ -32,12 +33,14 @@
 from airflow.auth.managers.fab.auth.anonymous_user import AnonymousUser
 from airflow.auth.managers.fab.fab_auth_manager import FabAuthManager
 from airflow.auth.managers.fab.models import User, assoc_permission_role
+from airflow.configuration import initialize_config
 from airflow.exceptions import AirflowException
 from airflow.models import DagModel
 from airflow.models.base import Base
 from airflow.models.dag import DAG
 from airflow.security import permissions
 from airflow.www import app as application
+from airflow.www.auth import get_access_denied_message
 from airflow.www.utils import CustomSQLAInterface
 from tests.test_utils.api_connexion_utils import (
     create_user,
@@ -969,3 +972,18 @@ def test_users_can_be_found(app, security_manager, session, caplog):
     assert len(users) == 1
     delete_user(app, "Test")
     assert "Error adding new user to database" in caplog.text
+
+
+def test_default_access_denied_message():
+    initialize_config()
+    assert get_access_denied_message() == "Access is Denied"
+
+
+def test_custom_access_denied_message():
+    with mock.patch.dict(
+        os.environ,
+        {"AIRFLOW__WEBSERVER__ACCESS_DENIED_MESSAGE": "My custom access denied message"},
+        clear=True,
+    ):
+        initialize_config()
+        assert get_access_denied_message() == "My custom access denied message"