Fixes loading UI if user does not have read permissions on plugins

[tanujdargan]

Fix: Display plugin menu items for all authenticated users

Changes:

• Added plugins_extra_menu_items to the ui/config endpoint, which aggregates plugin menu items.
• Updated the UI to fetch these items from the new config, instead of the public/providers endpoint.

Benefits:

• Ensures all authenticated users can see extra plugin menu items.
• Simplifies integration by directly using the ui/config endpoint.

closes: #51299

---

[jason810496]

Thanks for the PR! It would be nice to add the corresponding tests for the ui/config route.

The existed test also need fix as well, thanks.

airflow-core/tests/unit/api_fastapi/core_api/routes/ui/test_config.py::TestGetConfig

[pierrejeambrun]

As mentioned here #52408 (review)

The simplest way to handle this is to not bring any change in the backend and simply catch the 403 error in the fetch plugins hook in the front-end and return an empty list there.

So the UI can silently proceed as if the user have 0 plugins without crashing.

[vincbeck]

As mentioned here #52408 (review)

The simplest way to handle this is to not bring any change in the backend and simply catch the 403 error in the fetch plugins hook in the front-end and return an empty list there.

So the UI can silently proceed as if the user have 0 plugins without crashing.

This means that only users with GET permissions on plugins will be able to see the menu items from plugins? I do not think that's right. Or at least a misunderstanding on what plugins permissions mean. Having GET permissions on plugins allow a user to see the list of plugins installed in the environment. This is often only granted to admins.

[pierrejeambrun]

This means that only users with GET permissions on plugins will be able to see the menu items from plugins? I do not think that's right. Or at least a misunderstanding on what plugins permissions mean. Having GET permissions on plugins allow a user to see the list of plugins installed in the environment. This is often only granted to admins.

Plugins can register UI menu item, extra views, extra links, etc... To know what the UI should display (extra buttons, link etc...) we need to read plugins information. Indeed only people with READ permissions on plugin will be able to see what are the extra menu items/views registered by them and have the UI display the appropriate information to navigate to them.

The other alternative would be to expose via another endpoint, or the ui config endpoint additional information on extra views/menu items to tell the UI what are the extra UI stuff without needed READ on plugins. But since they can now come from legacy AF2 (appbuilder_views,appbuilder_menu_items) or AF3 (react_apps, external_views), that's basically dumping most of the plugins information at this point so virtually it would be like making read plugins public...

Not sure what would be the correct path forward as I don't see how we can have access to all that plugin information, without having READ access on plugin.

Do you have any suggestions?

[bbovenzi]

Unless there is information in the current plugins endpoint that is sensitive and not needed for rendering the plugin then I don't see the need to separate them out.

[pierrejeambrun]

I don't think this is how we should do things. Closing for now, feel free to re-open if needed. (A frontend fix will be cleaner)