adding roles to tokens

2025-10-17 06:52:59 +00:00 · 2020-11-19 08:22:52 +01:00
parent 087c763d41
commit c0cadc384d
13 changed files with 382 additions and 131 deletions
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -14,6 +14,7 @@ from tornado.iostream import StreamClosedError

 from .. import orm
 from .. import roles
+from ..roles import update_roles
 from ..user import User
 from ..utils import admin_only
 from ..utils import isoformat
@@ -88,7 +89,7 @@ class UserListAPIHandler(APIHandler):
            user = self.user_from_username(name)
            if admin:
                user.admin = True
-            roles.update_roles(self.db, user)
+            update_roles(self.db, obj=user, kind='users')
            self.db.commit()
            try:
                await maybe_future(self.authenticator.add_user(user))
@@ -151,7 +152,7 @@ class UserAPIHandler(APIHandler):
            self._check_user_model(data)
            if 'admin' in data:
                user.admin = data['admin']
-        roles.update_roles(self.db, user)
+                update_roles(self.db, obj=user, kind='users')
        self.db.commit()

        try:
@@ -210,7 +211,7 @@ class UserAPIHandler(APIHandler):
            else:
                setattr(user, key, value)
                if key == 'admin':
-                    roles.update_roles(self.db, user=user)
+                    update_roles(self.db, obj=user, kind='users')
        self.db.commit()
        user_ = self.user_model(user)
        user_['auth_state'] = await user.get_auth_state()
@@ -296,9 +297,13 @@ class UserTokenListAPIHandler(APIHandler):
            if requester is not user:
                note += " by %s %s" % (kind, requester.name)

-        api_token = user.new_api_token(
-            note=note, expires_in=body.get('expires_in', None)
-        )
+        token_roles = body.get('roles')
+        try:
+            api_token = user.new_api_token(
+                note=note, expires_in=body.get('expires_in', None), roles=token_roles
+            )
+        except ValueError:
+            raise web.HTTPError(404, "Requested roles %r not found" % token_roles)
        if requester is not user:
            self.log.info(
                "%s %s requested API token for %s",