add delete scopes for users, groups, servers
e.g. cull-idle services do not need permission to start servers in order to be able to stop them
@@ -129,7 +129,7 @@ class GroupAPIHandler(_GroupAPIHandler):
|
|||||||
self.write(json.dumps(self.group_model(group)))
|
self.write(json.dumps(self.group_model(group)))
|
||||||
self.set_status(201)
|
self.set_status(201)
|
||||||
|
|
||||||
@needs_scope('admin:groups')
|
@needs_scope('delete:groups')
|
||||||
def delete(self, group_name):
|
def delete(self, group_name):
|
||||||
"""Delete a group by name"""
|
"""Delete a group by name"""
|
||||||
group = self.find_group(group_name)
|
group = self.find_group(group_name)
|
||||||
|
@@ -266,7 +266,7 @@ class UserAPIHandler(APIHandler):
|
|||||||
self.write(json.dumps(self.user_model(user)))
|
self.write(json.dumps(self.user_model(user)))
|
||||||
self.set_status(201)
|
self.set_status(201)
|
||||||
|
|
||||||
@needs_scope('admin:users')
|
@needs_scope('delete:users')
|
||||||
async def delete(self, user_name):
|
async def delete(self, user_name):
|
||||||
user = self.find_user(user_name)
|
user = self.find_user(user_name)
|
||||||
if user is None:
|
if user is None:
|
||||||
@@ -525,7 +525,7 @@ class UserServerAPIHandler(APIHandler):
|
|||||||
self.set_header('Content-Type', 'text/plain')
|
self.set_header('Content-Type', 'text/plain')
|
||||||
self.set_status(status)
|
self.set_status(status)
|
||||||
|
|
||||||
@needs_scope('servers')
|
@needs_scope('delete:servers')
|
||||||
async def delete(self, user_name, server_name=''):
|
async def delete(self, user_name, server_name=''):
|
||||||
user = self.find_user(user_name)
|
user = self.find_user(user_name)
|
||||||
options = self.get_json_body()
|
options = self.get_json_body()
|
||||||
|
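Review bot: `@needs_scope('delete:servers')` on `UserServerAPIHandler.delete` now gates everything the DELETE request can do, and the handler reads caller-supplied `options = self.get_json_body()` right after the user lookup. The rest of the body is outside the hunk, so this is inferred: if those options can turn a stop into a permanent removal of the server record, a cull-idle service granted `delete:servers` only to stop servers can also destroy them. Either document that on the method, e.g. `"""Stop a user's server; body options may also delete it. Both require delete:servers."""`, or check a narrower scope before honouring the destructive option. The `delete:users` change on `UserAPIHandler.delete` deserves the same one-line docstring, since that method has none in the lines shown.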
@@ -89,6 +89,7 @@ def expand_self_scope(name):
|
|||||||
'users:activity',
|
'users:activity',
|
||||||
'read:users:activity',
|
'read:users:activity',
|
||||||
'servers',
|
'servers',
|
||||||
|
'delete:servers',
|
||||||
'read:servers',
|
'read:servers',
|
||||||
'tokens',
|
'tokens',
|
||||||
'read:tokens',
|
'read:tokens',
|
||||||
|
@@ -36,13 +36,16 @@ scope_definitions = {
|
|||||||
},
|
},
|
||||||
'admin:users': {
|
'admin:users': {
|
||||||
'description': 'Read, write, create and delete users and their authentication state, not including their servers or tokens.',
|
'description': 'Read, write, create and delete users and their authentication state, not including their servers or tokens.',
|
||||||
'subscopes': ['admin:auth_state', 'users', 'read:roles:users'],
|
'subscopes': ['admin:auth_state', 'users', 'read:roles:users', 'delete:users'],
|
||||||
},
|
},
|
||||||
'admin:auth_state': {'description': 'Read a user’s authentication state.'},
|
'admin:auth_state': {'description': 'Read a user’s authentication state.'},
|
||||||
'users': {
|
'users': {
|
||||||
'description': 'Read and write permissions to user models (excluding servers, tokens and authentication state).',
|
'description': 'Read and write permissions to user models (excluding servers, tokens and authentication state).',
|
||||||
'subscopes': ['read:users', 'list:users', 'users:activity'],
|
'subscopes': ['read:users', 'list:users', 'users:activity'],
|
||||||
},
|
},
|
||||||
|
'delete:users': {
|
||||||
|
'description': "Delete users.",
|
||||||
|
},
|
||||||
'list:users': {
|
'list:users': {
|
||||||
'description': 'List users, including at least their names.',
|
'description': 'List users, including at least their names.',
|
||||||
'subscopes': ['read:users:name'],
|
'subscopes': ['read:users:name'],
|
||||||
@@ -76,12 +79,13 @@ scope_definitions = {
|
|||||||
'admin:server_state': {'description': 'Read and write users’ server state.'},
|
'admin:server_state': {'description': 'Read and write users’ server state.'},
|
||||||
'servers': {
|
'servers': {
|
||||||
'description': 'Start and stop user servers.',
|
'description': 'Start and stop user servers.',
|
||||||
'subscopes': ['read:servers'],
|
'subscopes': ['read:servers', 'delete:servers'],
|
||||||
},
|
},
|
||||||
'read:servers': {
|
'read:servers': {
|
||||||
'description': 'Read users’ names and their server models (excluding the server state).',
|
'description': 'Read users’ names and their server models (excluding the server state).',
|
||||||
'subscopes': ['read:users:name'],
|
'subscopes': ['read:users:name'],
|
||||||
},
|
},
|
||||||
|
'delete:servers': {'description': "Stop and delete users' servers."},
|
||||||
'tokens': {
|
'tokens': {
|
||||||
'description': 'Read, write, create and delete user tokens.',
|
'description': 'Read, write, create and delete user tokens.',
|
||||||
'subscopes': ['read:tokens'],
|
'subscopes': ['read:tokens'],
|
||||||
@@ -89,7 +93,7 @@ scope_definitions = {
|
|||||||
'read:tokens': {'description': 'Read user tokens.'},
|
'read:tokens': {'description': 'Read user tokens.'},
|
||||||
'admin:groups': {
|
'admin:groups': {
|
||||||
'description': 'Read and write group information, create and delete groups.',
|
'description': 'Read and write group information, create and delete groups.',
|
||||||
'subscopes': ['groups', 'read:roles:groups'],
|
'subscopes': ['groups', 'read:roles:groups', 'delete:groups'],
|
||||||
},
|
},
|
||||||
'groups': {
|
'groups': {
|
||||||
'description': 'Read and write group information, including adding/removing users to/from groups.',
|
'description': 'Read and write group information, including adding/removing users to/from groups.',
|
||||||
@@ -104,6 +108,9 @@ scope_definitions = {
|
|||||||
'subscopes': ['read:groups:name'],
|
'subscopes': ['read:groups:name'],
|
||||||
},
|
},
|
||||||
'read:groups:name': {'description': 'Read group names.'},
|
'read:groups:name': {'description': 'Read group names.'},
|
||||||
|
'delete:groups': {
|
||||||
|
'description': "Delete groups.",
|
||||||
|
},
|
||||||
'list:services': {
|
'list:services': {
|
||||||
'description': 'List services, including at least their names.',
|
'description': 'List services, including at least their names.',
|
||||||
'subscopes': ['read:services:name'],
|
'subscopes': ['read:services:name'],
|
||||||
|
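Review bot: The new `'delete:users'` entry is described only as "Delete users.", while its parent `admin:users` takes care to say "not including their servers or tokens". An operator granting `delete:users` on its own cannot tell from this text what a deletion removes along with the account. Say so in the description once confirmed against the handler, e.g. `'description': "Delete users (state here whether their servers and tokens are removed too)."`, and do the same for `'delete:groups'`. Separately, `'delete:servers'` is defined without subscopes, so the scope documentation should note that a culling service still needs a read or list scope to find the servers it stops.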
@@ -182,6 +182,7 @@ def test_orm_roles_delete_cascade(db):
|
|||||||
'admin:users',
|
'admin:users',
|
||||||
'admin:auth_state',
|
'admin:auth_state',
|
||||||
'users',
|
'users',
|
||||||
|
'delete:users',
|
||||||
'list:users',
|
'list:users',
|
||||||
'read:users',
|
'read:users',
|
||||||
'users:activity',
|
'users:activity',
|
||||||
@@ -218,6 +219,7 @@ def test_orm_roles_delete_cascade(db):
|
|||||||
{
|
{
|
||||||
'admin:groups',
|
'admin:groups',
|
||||||
'groups',
|
'groups',
|
||||||
|
'delete:groups',
|
||||||
'list:groups',
|
'list:groups',
|
||||||
'read:groups',
|
'read:groups',
|
||||||
'read:roles:groups',
|
'read:roles:groups',
|
||||||
@@ -229,6 +231,7 @@ def test_orm_roles_delete_cascade(db):
|
|||||||
{
|
{
|
||||||
'admin:groups',
|
'admin:groups',
|
||||||
'groups',
|
'groups',
|
||||||
|
'delete:groups',
|
||||||
'list:groups',
|
'list:groups',
|
||||||
'read:groups',
|
'read:groups',
|
||||||
'read:roles:groups',
|
'read:roles:groups',
|
||||||
|
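Review bot: The test hunks shown here only add `'delete:users'` and `'delete:groups'` to the expected expansion sets, so they check that the old admin scopes still include deletion but not that the new scopes are narrow. The commit's security claim is the opposite direction: a holder of `delete:servers` alone must not be able to start a server, and a holder of `delete:users` or `delete:groups` alone must not be able to create or modify. Add a parametrized API test that issues a token with just one delete scope and asserts 403 on the matching POST and success on DELETE. No expected set in these hunks covers `servers` expanding to `delete:servers`; if that is not tested elsewhere in the file, add it alongside.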