finegrained service model access

2025-10-12 20:43:02 +00:00 · 2021-06-08 14:01:04 +02:00
parent b2b040da6c
commit 2ac1cfe4ac
4 changed files with 23 additions and 10 deletions
--- a/jupyterhub/apihandlers/base.py
+++ b/jupyterhub/apihandlers/base.py
@@ -293,16 +293,24 @@ class APIHandler(BaseHandler):

    def service_model(self, service):
        """Get the JSON model for a Service object"""
-        model = {}
-        scope_filter = self.get_scope_filter('read:services')
-        if scope_filter(service, kind='service'):
        model = {
            'kind': 'service',
            'name': service.name,
            'roles': [r.name for r in service.roles],
            'admin': service.admin,
        }
-            # todo: Remove once we replace admin flag with role check
+        # todo: remove admin key now we have roles?
+        access_map = {
+            'read:services': {'kind', 'name', 'roles', 'admin'},
+            'read:services:name': {'kind', 'name'},
+            'read:services:roles': {'kind', 'name', 'roles'},
+        }
+        allowed_keys = set()
+        for scope in access_map:
+            scope_filter = self.get_scope_filter(scope)
+            if scope_filter(service, kind='service'):
+                allowed_keys |= access_map[scope]
+        model = {key: model[key] for key in allowed_keys}
        return model

    _user_model_types = {
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -62,6 +62,7 @@ class UserListAPIHandler(APIHandler):
        'read:users:servers',
        'read:users:groups',
        'read:users:activity',
+        'read:users:roles',
    )
    def get(self):
        state_filter = self.get_argument("state", None)
@@ -176,6 +177,7 @@ class UserAPIHandler(APIHandler):
        'read:users:servers',
        'read:users:groups',
        'read:users:activity',
+        'read:users:roles',
    )
    async def get(self, user_name):
        user = self.find_user(user_name)
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -67,6 +67,7 @@ def expand_self_scope(name):
        'users:activity',
        'users:servers',
        'users:tokens',
+        'users:roles',
    ]
    read_scope_list = ['read:' + scope for scope in scope_list]
    scope_list.extend(read_scope_list)
--- a/jupyterhub/tests/test_scopes.py
+++ b/jupyterhub/tests/test_scopes.py
@@ -722,6 +722,7 @@ async def test_server_state_access(
                'read:users!user=y',
                'read:users:name!user=y',
                'read:users:groups!user=y',
+                'read:users:roles!user=y',
                'read:users:activity!user=y',
            },
        ),
@@ -733,6 +734,7 @@ async def test_server_state_access(
                'read:users!user=y',
                'read:users:name!user=y',
                'read:users:groups!user=y',
+                'read:users:roles!user=y',
                'read:users:activity!user=y',
            },
        ),