hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-18 15:33:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Back off removal of read:servers -> read:users:name

Browse Source 
Only remove it when using the !server filter, which doesn't make sense for read:users:name
This commit is contained in:
Min RK
2022-10-07 09:58:33 -07:00
parent f70b11af11
commit a4fd0980a3
3 changed files with 27 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
jupyterhub/scopes.py
View File

@@ -95,7 +95,7 @@ scope_definitions = {
}, },
'read:servers': { 'read:servers': {
'description': 'Read users names and their server models (excluding the server state).', 'description': 'Read users names and their server models (excluding the server state).',
'subscopes': [], 'subscopes': ['read:users:name'],
}, },
'delete:servers': {'description': "Stop and delete users' servers."}, 'delete:servers': {'description': "Stop and delete users' servers."},
'tokens': { 'tokens': {
@@ -461,7 +461,12 @@ def _expand_scope(scope):
# reapply !filter # reapply !filter
if filter_: if filter_:
expanded_scopes = { expanded_scopes = {
f"{scope_name}!{filter_}" for scope_name in expanded_scope_names f"{scope_name}!{filter_}"
for scope_name in expanded_scope_names
# server scopes have some cross-resource subscopes
# where the !server filter doesn't make sense,
# e.g. read:servers -> read:users:name
if not (filter_.startswith("server") and scope_name.startswith("read:user"))
} }
else: else:
expanded_scopes = expanded_scope_names expanded_scopes = expanded_scope_names

3
jupyterhub/tests/test_roles.py
View File

@@ -203,7 +203,7 @@ def test_orm_roles_delete_cascade(db):
'read:users:activity', 'read:users:activity',
}, },
), ),
(['read:servers'], {'read:servers'}), (['read:servers'], {'read:servers', 'read:users:name'}),
( (
['admin:groups'], ['admin:groups'],
{ {
@@ -227,6 +227,7 @@ def test_orm_roles_delete_cascade(db):
'read:roles:groups', 'read:roles:groups',
'read:groups:name', 'read:groups:name',
'read:servers', 'read:servers',
'read:users:name',
}, },
), ),
( (

13
jupyterhub/tests/test_scopes.py
View File

@@ -555,15 +555,17 @@ async def test_server_state_access(
await api_request( await api_request(
app, 'users', user.name, 'servers', server_name, method='post' app, 'users', user.name, 'servers', server_name, method='post'
) )
service = create_service_with_scopes( service = create_service_with_scopes("read:users:name!user=", *scopes)
f"read:users:name!user={user.name}", *scopes
)
api_token = service.new_api_token() api_token = service.new_api_token()
headers = {'Authorization': 'token %s' % api_token} headers = {'Authorization': 'token %s' % api_token}
# can I get the user model?
r = await api_request(app, 'users', user.name, headers=headers) r = await api_request(app, 'users', user.name, headers=headers)
can_read_user_model = num_servers > 1 or 'read:users' in scopes
if can_read_user_model:
r.raise_for_status() r.raise_for_status()
user_model = r.json() user_model = r.json()
if num_servers: if num_servers > 1:
assert 'servers' in user_model assert 'servers' in user_model
server_models = user_model['servers'] server_models = user_model['servers']
assert len(server_models) == num_servers assert len(server_models) == num_servers
@@ -572,6 +574,9 @@ async def test_server_state_access(
assert keys_out.isdisjoint(server_model) assert keys_out.isdisjoint(server_model)
else: else:
assert 'servers' not in user_model assert 'servers' not in user_model
else:
assert r.status_code == 404
r = await api_request( r = await api_request(
app, app,
'users', 'users',