Add authorization to AuthenticatedFileHandler (#1021)

Co-authored-by: Zachary Sailer <zsailer@apple.com>

jupyter_server/auth/authorizer.py

@@ -7,13 +7,18 @@
 """
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
 from traitlets import Instance
 from traitlets.config import LoggingConfigurable
 
-from jupyter_server.base.handlers import JupyterHandler
-
 from .identity import IdentityProvider, User
 
+if TYPE_CHECKING:
+    from jupyter_server.base.handlers import JupyterHandler
+
 
 class Authorizer(LoggingConfigurable):
     """Base class for authorizing access to resources

jupyter_server/base/handlers.py

@@ -28,6 +28,7 @@
 import jupyter_server
 from jupyter_server._sysinfo import get_sys_info
 from jupyter_server._tz import utcnow
+from jupyter_server.auth import authorized
 from jupyter_server.i18n import combine_translations
 from jupyter_server.services.security import csp_report_uri
 from jupyter_server.utils import (
@@ -813,18 +814,22 @@ async def prepare(self):
 class AuthenticatedFileHandler(JupyterHandler, web.StaticFileHandler):
     """static files should only be accessible when logged in"""
 
+    auth_resource = "contents"
+
     @property
     def content_security_policy(self):
         # In case we're serving HTML/SVG, confine any Javascript to a unique
         # origin so it can't interact with the Jupyter server.
         return super().content_security_policy + "; sandbox allow-scripts"
 
     @web.authenticated
+    @authorized
     def head(self, path):
         self.check_xsrf_cookie()
         return super().head(path)
 
     @web.authenticated
+    @authorized
     def get(self, path):
         if os.path.splitext(path)[1] == ".ipynb" or self.get_argument("download", None):
             name = path.rsplit("/", 1)[-1]