Do not give JUPYTERHUB_API_TOKEN access to other user servers

never intended, but limiting to server wasn't possible before No change, except when one user has multiple servers running simultaneously.
2025-10-07 18:14:10 +00:00 · 2023-03-23 09:43:01 +01:00
parent 73b1922c17
commit 83186e02a2
3 changed files with 14 additions and 5 deletions
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -52,7 +52,7 @@ def get_default_roles():
            'description': 'Post activity only',
            'scopes': [
                'users:activity!user',
-                'access:servers!user',
+                'access:servers!server',
            ],
        },
        {
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -848,8 +848,12 @@ async def test_server_token_role(app):
    orm_server_token = orm.APIToken.find(app.db, server_token)
    assert orm_server_token

-    server_role = orm.Role.find(app.db, 'server')
-    assert set(server_role.scopes) == set(orm_server_token.scopes)
+    # resolve `!server` filter in server role
+    server_role_scopes = {
+        s.replace("!server", f"!server={user.name}/")
+        for s in orm.Role.find(app.db, "server").scopes
+    }
+    assert set(orm_server_token.scopes) == server_role_scopes

    assert orm_server_token.user.name == user.name
    assert user.api_tokens == [orm_server_token]
--- a/jupyterhub/tests/test_spawner.py
+++ b/jupyterhub/tests/test_spawner.py
@@ -336,7 +336,12 @@ async def test_spawner_insert_api_token(app):
    assert found
    assert found.user.name == user.name
    assert user.api_tokens == [found]
-    assert set(found.scopes) == set(orm.Role.find(app.db, "server").scopes)
+    # resolve `!server` filter in server role
+    server_role_scopes = {
+        s.replace("!server", f"!server={user.name}/")
+        for s in orm.Role.find(app.db, "server").scopes
+    }
+    assert set(found.scopes) == server_role_scopes
    await user.stop()


@@ -366,7 +371,7 @@ async def test_spawner_bad_api_token(app):
    "have_scopes, request_scopes, expected_scopes",
    [
        (["self"], ["inherit"], ["inherit"]),
-        (["self"], [], ["access:servers!user", "users:activity!user"]),
+        (["self"], [], ["access:servers!server=USER/", "users:activity!user"]),
        (
            ["self"],
            ["admin:groups", "users:activity!server"],