finegrained service model access

jupyterhub/apihandlers/base.py

@@ -293,16 +293,24 @@ class APIHandler(BaseHandler):
 
     def service_model(self, service):
         """Get the JSON model for a Service object"""
-        model = {}
+        model = {
-        scope_filter = self.get_scope_filter('read:services')
+            'kind': 'service',
-        if scope_filter(service, kind='service'):
+            'name': service.name,
-            model = {
+            'roles': [r.name for r in service.roles],
-                'kind': 'service',
+            'admin': service.admin,
-                'name': service.name,
+        }
-                'roles': [r.name for r in service.roles],
+        # todo: remove admin key now we have roles?
-                'admin': service.admin,
+        access_map = {
-            }
+            'read:services': {'kind', 'name', 'roles', 'admin'},
-            # todo: Remove once we replace admin flag with role check
+            'read:services:name': {'kind', 'name'},
+            'read:services:roles': {'kind', 'name', 'roles'},
+        }
+        allowed_keys = set()
+        for scope in access_map:
+            scope_filter = self.get_scope_filter(scope)
+            if scope_filter(service, kind='service'):
+                allowed_keys |= access_map[scope]
+        model = {key: model[key] for key in allowed_keys}
         return model
 
     _user_model_types = {

jupyterhub/apihandlers/users.py

@@ -62,6 +62,7 @@ class UserListAPIHandler(APIHandler):
         'read:users:servers',
         'read:users:groups',
         'read:users:activity',
+        'read:users:roles',
     )
     def get(self):
         state_filter = self.get_argument("state", None)
@@ -176,6 +177,7 @@ class UserAPIHandler(APIHandler):
         'read:users:servers',
         'read:users:groups',
         'read:users:activity',
+        'read:users:roles',
     )
     async def get(self, user_name):
         user = self.find_user(user_name)

jupyterhub/roles.py

@@ -67,6 +67,7 @@ def expand_self_scope(name):
         'users:activity',
         'users:servers',
         'users:tokens',
+        'users:roles',
     ]
     read_scope_list = ['read:' + scope for scope in scope_list]
     scope_list.extend(read_scope_list)

jupyterhub/tests/test_scopes.py

@@ -722,6 +722,7 @@ async def test_server_state_access(
                 'read:users!user=y',
                 'read:users:name!user=y',
                 'read:users:groups!user=y',
+                'read:users:roles!user=y',
                 'read:users:activity!user=y',
             },
         ),
@@ -733,6 +734,7 @@ async def test_server_state_access(
                 'read:users!user=y',
                 'read:users:name!user=y',
                 'read:users:groups!user=y',
+                'read:users:roles!user=y',
                 'read:users:activity!user=y',
             },
         ),