From 1e18aae4c62db978d75078087e7c1da3051c1236 Mon Sep 17 00:00:00 2001
From: Jia Junjie <62194633+jiajunjie@users.noreply.github.com>
Date: Sat, 19 Nov 2022 03:06:05 +0800
Subject: [PATCH] Add authorization to AuthenticatedFileHandler (#1021)

Co-authored-by: Zachary Sailer
---
 jupyter_server/auth/authorizer.py | 9 +++++++--
 jupyter_server/base/handlers.py   | 5 +++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/jupyter_server/auth/authorizer.py b/jupyter_server/auth/authorizer.py
index cc8876de0e..b1d95eeee4 100644
--- a/jupyter_server/auth/authorizer.py
+++ b/jupyter_server/auth/authorizer.py
@@ -7,13 +7,18 @@
 """
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
 from traitlets import Instance
 from traitlets.config import LoggingConfigurable
 
-from jupyter_server.base.handlers import JupyterHandler
-
 from .identity import IdentityProvider, User
 
+if TYPE_CHECKING:
+    from jupyter_server.base.handlers import JupyterHandler
+
 
 class Authorizer(LoggingConfigurable):
     """Base class for authorizing access to resources
diff --git a/jupyter_server/base/handlers.py b/jupyter_server/base/handlers.py
index 9f0b3efe4f..4bf26df177 100644
--- a/jupyter_server/base/handlers.py
+++ b/jupyter_server/base/handlers.py
@@ -28,6 +28,7 @@
 import jupyter_server
 from jupyter_server._sysinfo import get_sys_info
 from jupyter_server._tz import utcnow
+from jupyter_server.auth import authorized
 from jupyter_server.i18n import combine_translations
 from jupyter_server.services.security import csp_report_uri
 from jupyter_server.utils import (
@@ -813,6 +814,8 @@ async def prepare(self):
 class AuthenticatedFileHandler(JupyterHandler, web.StaticFileHandler):
     """static files should only be accessible when logged in"""
 
+    auth_resource = "contents"
+
     @property
     def content_security_policy(self):
         # In case we're serving HTML/SVG, confine any Javascript to a unique
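Review bot: Moving the `JupyterHandler` import under `TYPE_CHECKING` leaves that name undefined at runtime in authorizer.py, so any non-annotation use of it further down the module (outside this hunk, e.g. an `isinstance` check) would now raise NameError; with `from __future__ import annotations` the annotations themselves are deferred and are unaffected. The guard carries no explanation, and the deleted unconditional import suggests the motive is an import cycle with base.handlers, so a one-line why-comment would save the next reader from re-deriving it: `# Type-only import: importing base.handlers at runtime would create an import cycle.` The `Authorizer` class begins at the end of the hunk and its body lies outside it.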
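Review bot: `auth_resource = "contents"` is added without a comment, yet it is the only thing that tells a reader which resource the new authorization checks on this handler are scoped to, and why raw file access is grouped with the contents API rather than given its own resource name. Suggest above it: `# Raw file access is authorized against the same resource as the contents API, so a policy that denies reading contents also denies fetching the file directly.` This presumes the `@authorized` decorator imported in the hunk above falls back to this attribute when no resource is passed explicitly, as other handlers appear to rely on — worth confirming against `jupyter_server.auth`. The class continues past the end of the hunk.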
@@ -820,11 +823,13 @@ def content_security_policy(self):
         return super().content_security_policy + "; sandbox allow-scripts"
 
     @web.authenticated
+    @authorized
     def head(self, path):
         self.check_xsrf_cookie()
         return super().head(path)
 
     @web.authenticated
+    @authorized
     def get(self, path):
         if os.path.splitext(path)[1] == ".ipynb" or self.get_argument("download", None):
             name = path.rsplit("/", 1)[-1]
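Review bot: The decorator order on `head` and `get` is security-relevant and undocumented: `@authorized` sits inside `@web.authenticated`, so the authorizer is only consulted after tornado has established a logged-in user, and swapping the two would hand an unauthenticated request to the authorizer first. A comment above the first pair would pin that down, e.g. `# Keep @authorized inside @web.authenticated: authentication must succeed before the authorizer is consulted.` Note also that `head` delegates to `super().head(path)`; if tornado's StaticFileHandler implements HEAD by calling `self.get(...)`, a HEAD request passes through the `@authorized` wrapper on `get` a second time — harmless, but worth a short comment so nobody later removes one of the checks as redundant. The body of `get` continues outside the hunk.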