Merge pull request #3563 from minrk/404-user

ensure admin requests for missing users 404

jupyterhub/apihandlers/users.py

@@ -202,6 +202,8 @@ class UserAPIHandler(APIHandler):
     )
     async def get(self, user_name):
         user = self.find_user(user_name)
+        if user is None:
+            raise web.HTTPError(404)
         model = self.user_model(user)
         # auth state will only be shown if the requester is an admin
         # this means users can't see their own auth state unless they

jupyterhub/tests/test_api.py

@@ -361,17 +361,46 @@ async def test_add_user(app):
 @mark.role
 async def test_get_user(app):
     name = 'user'
-    _ = await api_request(app, 'users', name, headers=auth_header(app.db, name))
+    # get own model
+    r = await api_request(app, 'users', name, headers=auth_header(app.db, name))
+    r.raise_for_status()
+    # admin request
     r = await api_request(
         app,
         'users',
         name,
     )
-    assert r.status_code == 200
+    r.raise_for_status()
 
     user = normalize_user(r.json())
     assert user == fill_user({'name': name, 'roles': ['user'], 'auth_state': None})
 
+    # admin request, no such user
+    r = await api_request(
+        app,
+        'users',
+        'nosuchuser',
+    )
+    assert r.status_code == 404
+
+    # unauthorized request, no such user
+    r = await api_request(
+        app,
+        'users',
+        'nosuchuser',
+        headers=auth_header(app.db, name),
+    )
+    assert r.status_code == 404
+
+    # unauthorized request for existing user
+    r = await api_request(
+        app,
+        'users',
+        'admin',
+        headers=auth_header(app.db, name),
+    )
+    assert r.status_code == 404
+
 
 @mark.user
 async def test_add_multi_user_bad(app):