mismatch query is now the same, don't do it twice

2025-10-17 15:03:02 +00:00 · 2023-06-28 09:18:02 +02:00
parent 55e4ed6c07
commit e50ad5f039
1 changed files with 16 additions and 17 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -2281,23 +2281,22 @@ class JupyterHub(Application):
                self.log.info(f"Setting admin=True on {is_admin}")
                is_admin.admin = True

-            if has_admin_role_spec[kind]:
-                # role membership specified exactly in config,
-                # already populated above
-                # make sure user.admin matches admin role
-                # setting .admin=False for anyone no longer in admin role
-                for no_longer_admin in db.query(Class).filter(
-                    (Class.admin == True) & ~Class.roles.any(id=admin_role.id)
-                ):
-                    self.log.warning(f"Removing admin=True from {no_longer_admin}")
-                    no_longer_admin.admin = False
-            else:
-                # no admin role membership declared,
-                # populate admin role from admin attribute (the old way, only additive)
-                for admin_obj in db.query(Class).filter(
-                    (Class.admin == True) & ~Class.roles.any(id=admin_role.id)
-                ):
-                    roles.grant_role(db, admin_obj, admin_role)
+            # iterate over users with admin=True
+            # who are not in the admin role.
+            for not_admin_obj in db.query(Class).filter(
+                (Class.admin == True) & ~Class.roles.any(id=admin_role.id)
+            ):
+                if has_admin_role_spec[kind]:
+                    # role membership specified exactly in config,
+                    # already populated above.
+                    # make sure user.admin matches admin role
+                    # setting .admin=False for anyone no longer in admin role
+                    self.log.warning(f"Removing admin=True from {not_admin_obj}")
+                    not_admin_obj.admin = False
+                else:
+                    # no admin role membership declared,
+                    # populate admin role from admin attribute (the old way, only additive)
+                    roles.grant_role(db, not_admin_obj, admin_role)
        db.commit()
        # make sure that on hub upgrade, all users, services and tokens have at least one role (update with default)
        if getattr(self, '_rbac_upgrade', False):