Fix permission check when handing out auth state

This commit is contained in:
Tim Head
2018-03-26 10:38:13 +02:00
parent 7a91f89474
commit 5b9f51417f
2 changed files with 6 additions and 2 deletions


@@ -112,7 +112,8 @@ class UserAPIHandler(APIHandler):
# this means users can't see their own auth state unless they # this means users can't see their own auth state unless they
# are admins, Hub admins often are also marked as admins so they # are admins, Hub admins often are also marked as admins so they
# will see their auth state but normal users won't # will see their auth state but normal users won't
if user.admin: requestor = self.get_current_user()
if requestor.admin:
user_['auth_state'] = await user.get_auth_state() user_['auth_state'] = await user.get_auth_state()
self.write(json.dumps(user_)) self.write(json.dumps(user_))
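Review bot: The new `if requestor.admin:` dereferences the result of `self.get_current_user()` without a None check; if this route can be reached by an unauthenticated request (the decorator on the method is outside the hunk, so I can't confirm it from here), a None requestor would raise AttributeError and turn a denied request into a 500 instead of a clean 403. A guard such as `if requestor is not None and requestor.admin:` preserves the intent and fails closed. It would also help to state the authorization rule explicitly next to the check, e.g. `# auth_state is revealed only when the *requesting* user is an admin; the target user's own admin flag is irrelevant`, since the old code keyed on `user.admin` and a reader may assume that was intended. The enclosing method body starts before this hunk.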


@@ -284,6 +284,8 @@ def test_get_user(app):
'admin': False, 'admin': False,
'server': None, 'server': None,
'pending': None, 'pending': None,
# auth state is present because requestor is an admin
'auth_state': None
} }
@@ -495,7 +497,8 @@ def test_user_get_auth_state(app, auth_state_enabled):
assert user.name == name assert user.name == name
yield user.save_auth_state(auth_state) yield user.save_auth_state(auth_state)
r = yield api_request(app, 'users', name) r = yield api_request(app, 'users', name,
headers=auth_header(app.db, name))
assert r.status_code == 200 assert r.status_code == 200
assert 'auth_state' not in r.json() assert 'auth_state' not in r.json()
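Review bot: The reworked request in test_user_get_auth_state only covers the negative case (a non-admin requestor must not see `auth_state`); the positive case with a real stored value is not asserted anywhere in this commit, since the earlier hunk in this file only checks `'auth_state': None`. A regression that dropped `auth_state` from the response entirely would still pass these tests. After the existing assertions, an admin-token request would pin the intended behaviour: `r = yield api_request(app, 'users', name)`, `assert r.status_code == 200`, `assert r.json()['auth_state'] == auth_state`. The test function starts before this hunk and may continue after it.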