Skip to content

Commit

Permalink
Add authorization to AuthenticatedFileHandler (#1021)
Browse files Browse the repository at this point in the history
Co-authored-by: Zachary Sailer <[email protected]>
  • Loading branch information
jiajunjie and Zsailer authored Nov 18, 2022
1 parent e66306d commit 1e18aae
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 2 deletions.
9 changes: 7 additions & 2 deletions jupyter_server/auth/authorizer.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,18 @@
"""
# Copyright (c) Jupyter Development Team.
# Distributed under the terms of the Modified BSD License.
from __future__ import annotations

from typing import TYPE_CHECKING

from traitlets import Instance
from traitlets.config import LoggingConfigurable

from jupyter_server.base.handlers import JupyterHandler

from .identity import IdentityProvider, User

if TYPE_CHECKING:
from jupyter_server.base.handlers import JupyterHandler


class Authorizer(LoggingConfigurable):
"""Base class for authorizing access to resources
Expand Down
5 changes: 5 additions & 0 deletions jupyter_server/base/handlers.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import jupyter_server
from jupyter_server._sysinfo import get_sys_info
from jupyter_server._tz import utcnow
from jupyter_server.auth import authorized
from jupyter_server.i18n import combine_translations
from jupyter_server.services.security import csp_report_uri
from jupyter_server.utils import (
Expand Down Expand Up @@ -813,18 +814,22 @@ async def prepare(self):
class AuthenticatedFileHandler(JupyterHandler, web.StaticFileHandler):
"""static files should only be accessible when logged in"""

auth_resource = "contents"

@property
def content_security_policy(self):
# In case we're serving HTML/SVG, confine any Javascript to a unique
# origin so it can't interact with the Jupyter server.
return super().content_security_policy + "; sandbox allow-scripts"

@web.authenticated
@authorized
def head(self, path):
self.check_xsrf_cookie()
return super().head(path)

@web.authenticated
@authorized
def get(self, path):
if os.path.splitext(path)[1] == ".ipynb" or self.get_argument("download", None):
name = path.rsplit("/", 1)[-1]
Expand Down

0 comments on commit 1e18aae

Please sign in to comment.