Fix: add RUN, HITL_DETAIL, TASK_INSTANCE entities to /dags endpoint as it returns nested entities in response

[sjyangkevin]

The /dags endpoint returns nested entities include RUN, and HITLDetail includes TaskInstanceResponse. Add related access entity to govern the endpoint.

class DAGWithLatestDagRunsResponse(DAGResponse):
    """DAG with latest dag runs response serializer."""

    asset_expression: dict | None
    latest_dag_runs: list[DAGRunLightResponse]
    pending_actions: list[HITLDetail]
    is_favorite: bool

---

Was generative AI tooling used to co-author this PR?

• Yes (please specify the tool below)

Generated-by: [Claude Code - Sonnet 4.6] following the guidelines

---

• Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
• For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
• When adding dependency, check compliance with the ASF 3rd Party License Policy.
• For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

[pierrejeambrun]

Looking good. We might need a significant newsfragment just to mention this. Just a disclaimer for people to double check their users permissions check or they might have unintended forbidden errors.

[sjyangkevin]

Looking good. We might need a significant newsfragment just to mention this. Just a disclaimer for people to double check their users permissions check or they might have unintended forbidden errors.

Thanks! I will look into how to add a newsfragment for this change.

[pierrejeambrun]

Nit I think we need to make the newsfragment clearer.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds missing authorization requirements for nested entities returned by the UI /dags endpoint, ensuring access control covers DAG Runs, HITL Details, and Task Instances included in the response.

Changes:

• Require DagAccessEntity.RUN, DagAccessEntity.HITL_DETAIL, and DagAccessEntity.TASK_INSTANCE permissions on GET /dags.
• Add a unit test asserting 403 when any required sub-entity permission is missing.
• Add a significant newsfragment documenting the permission change and migration guidance.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
airflow-core/src/airflow/api_fastapi/core_api/routes/ui/dags.py	Adds additional requires_access_dag dependencies for nested entities returned by /dags.
airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_dags.py	Adds a parametrized test to verify missing entity permissions cause a 403.
airflow-core/newsfragments/64822.significant.rst	Documents the breaking permission change for consumers/custom roles.

[pierrejeambrun]

LGTM ty

[sjyangkevin]

Thanks, I will check and resolve the copilot comments by this week.

[github-actions]

Backport successfully created: v3-2-test

Note: As of Merging PRs targeted for Airflow 3.X
the committer who merges the PR is responsible for backporting the PRs that are bug fixes (generally speaking) to the maintenance branches.

In matter of doubt please ask in #release-management Slack channel.

Status	Branch	Result
✅	v3-2-test