Fixed scope checking in UserTokenListAPIHandler

2025-10-18 07:23:00 +00:00 · 2021-04-20 14:55:36 +02:00
parent b9958e9069
commit 399203e5d3
2 changed files with 10 additions and 8 deletions
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -301,7 +301,6 @@ class UserTokenListAPIHandler(APIHandler):
        self.write(json.dumps({'api_tokens': api_tokens}))
    # @needs_scope('users:tokens') #Todo: needs internal scope checking
    async def post(self, user_name):
        body = self.get_json_body() or {}
        if not isinstance(body, dict):
@@ -330,13 +329,16 @@ class UserTokenListAPIHandler(APIHandler):
        if requester is None:
            # couldn't identify requester
            raise web.HTTPError(403)
        self._jupyterhub_user = requester
        self._resolve_scopes()
        user = self.find_user(user_name)
        if requester is not user and not requester.admin:
            raise web.HTTPError(403, "Only admins can request tokens for other users")
        if not user:
            raise web.HTTPError(404, "No such user: %s" % user_name)
        if requester is not user:
        kind = 'user' if isinstance(requester, User) else 'service'
        scope_filter = self.get_scope_filter('users:tokens')
        if user is None or not scope_filter(user, kind):
            raise web.HTTPError(
                404,
                f"{kind.title()} {user_name} not found or no permissions to generate tokens",
            )
        note = body.get('note')
        if not note:
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -1311,7 +1311,7 @@ async def test_get_new_token(app, headers, status, note, expires_in):
    [
        ('admin', 'other', 200),
        ('admin', 'missing', 404),
-        ('user', 'other', 403),
+        ('user', 'other', 404),
        ('user', 'user', 200),
    ],
 )