Merge pull request #4682 from yuvipanda/fixxxxxxxxxxxx

Note that you can throw a 403 from check_allowed
This commit is contained in:
Min RK
2024-03-05 09:46:58 +01:00
committed by GitHub


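--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -458,6 +458,7 @@ class Authenticator(LoggingConfigurable):
 """Check if a username is allowed to authenticate based on configuration
 Return True if username is allowed, False otherwise.
 No allowed_users set means any username is allowed.
 Names are normalized *before* being checked against the allowed set.
@@ -467,6 +468,18 @@ class Authenticator(LoggingConfigurable):
 .. versionchanged:: 1.2
 Renamed check_whitelist to check_allowed
+Args:
+username (str):
+The normalized username
+authentication (dict):
+The authentication model, as returned by `.authenticate()`.
+Returns:
+allowed (bool):
+Whether the user is allowed
+Raises:
+web.HTTPError(403):
+Raising HTTPErrors directly allows customizing the message shown to the user.
 """
 if not self.allowed_users:
 # No allowed set means any name is allowed
@@ -488,6 +501,18 @@ class Authenticator(LoggingConfigurable):
 .. versionchanged:: 1.2
 Renamed check_blacklist to check_blocked_users
+Args:
+username (str):
+The normalized username
+authentication (dict):
+The authentication model, as returned by `.authenticate()`.
+Returns:
+allowed (bool):
+Whether the user is allowed
+Raises:
+web.HTTPError(403, message):
+Raising HTTPErrors directly allows customizing the message shown to the user.
 """
 if not self.blocked_users:
 # No block list means any name is allowed
@@ -612,6 +637,12 @@ class Authenticator(LoggingConfigurable):
 It must return the username on successful authentication,
 and return None on failed authentication.
+Subclasses can also raise a `web.HTTPError(403, message)`
+in order to halt the authentication process
+and customize the error message that will be shown to the user.
+This error may be raised anywhere in the authentication process
+(`authenticate`, `check_allowed`, `check_blocked_users`).
 Checking allowed_users/blocked_users is handled separately by the caller.
 .. versionchanged:: 0.8
@@ -634,6 +665,9 @@ class Authenticator(LoggingConfigurable):
 - `groups`, the list of group names the user should be a member of,
 if Authenticator.manage_groups is True.
 `groups` MUST always be present if manage_groups is enabled.
+Raises:
+web.HTTPError(403):
+Raising errors directly allows customizing the message shown to the user.
 """
 def pre_spawn_start(self, user, spawner):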
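Review bot: The new `Raises:` entries in check_allowed and check_blocked_users describe the same contract but spell it differently (`web.HTTPError(403):` in the second hunk, `web.HTTPError(403, message):` in the third, and `web.HTTPError(403):` again in the last hunk); pick one form, and `(403, message)` is the one that matches the prose added to the authenticate() docstring. More importantly, none of the three docstrings says that the customized message is returned to a not-yet-authenticated client, so an implementer may be tempted to explain why the name was refused (on the block list, not on the allowed list, missing group), which discloses account state to whoever typed the name. Suggest extending the shared sentence to `Raising HTTPErrors directly allows customizing the message shown to the user; the message is rendered to an unauthenticated client, so keep it generic and do not reveal why the name was refused.` The enclosing methods start and end outside the hunks shown, and the single line added by the first hunk is not visible on this page (presumably whitespace).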