auth for jupyterhub needs to be checked manually, we need a specific …

…api_perm for it because visitor is a SIM_TYPELESS_PERMS
radiasoft · Jun 13, 2022 · ccaa8f6 · ccaa8f6
1 parent ca2fffe
commit ccaa8f6
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 6 deletions.
diff --git a/sirepo/api_auth.py b/sirepo/api_auth.py
@@ -44,7 +44,7 @@ def check_api_call(func):
             auth.require_email_user()
         elif expect == a.REQUIRE_ADM:
             auth.require_adm()
-    elif expect == a.ALLOW_VISITOR:
+    elif expect in (a.ALLOW_VISITOR, a.MANUAL_PERMISSION_CHECK):
         pass
     elif expect == a.INTERNAL_TEST:
         if not pkconfig.channel_in_internal_test():

diff --git a/sirepo/api_perm.py b/sirepo/api_perm.py
@@ -22,6 +22,8 @@ class APIPerm(aenum.Flag):
     ALLOW_VISITOR = aenum.auto()
     #: a logged in email user is required but they don't have to have a role for the sim type
     ALLOW_SIM_TYPELESS_REQUIRE_EMAIL_USER = aenum.auto()
+    #: Visitor and permissions will be checked manually by API
+    MANUAL_PERMISSION_CHECK = aenum.auto()
     #: only users with role adm
     REQUIRE_ADM = aenum.auto()
     #: use basic auth authentication (only)

diff --git a/sirepo/auth/__init__.py b/sirepo/auth/__init__.py
@@ -142,7 +142,6 @@ def control_sim_type_role(sim_type):
     t = sirepo.template.assert_sim_type(sim_type)
     if t not in sirepo.feature_config.auth_controlled_sim_types():
         return
-#QUESTION(robnagler) I think this is sufficient, that is, the tests can be reversed
     if not uri_router.maybe_sim_type_required_for_api():
         return
     u = logged_in_user()

diff --git a/sirepo/sim_api/jupyterhublogin.py b/sirepo/sim_api/jupyterhublogin.py
@@ -34,15 +34,15 @@
 
 
 class API(sirepo.api.Base):
-    @sirepo.api_perm.allow_visitor
+    @sirepo.api_perm.manual_permission_check
     def api_checkAuthJupyterhub(self):
         def _res_for_uri(uri):
             return self.reply_ok(PKDict(uri=uri))
 
         u = None
         try:
             sirepo.auth.require_user()
-            sirepo.auth.require_sim_type('jupyterhublogin')
+            sirepo.auth.control_sim_type_role('jupyterhublogin')
             u = _unchecked_jupyterhub_user_name(
                 have_simulation_db=False,
             )
@@ -67,7 +67,7 @@ def _res_for_uri(uri):
 
     @sirepo.api_perm.require_user
     def api_migrateJupyterhub(self):
-        sirepo.auth.require_sim_type('jupyterhublogin')
+        sirepo.auth.control_sim_type_role('jupyterhublogin')
         if not cfg.rs_jupyter_migrate:
             sirepo.util.raise_forbidden('migrate not enabled')
         d = self.parse_json()
@@ -78,7 +78,7 @@ def api_migrateJupyterhub(self):
 
     @sirepo.api_perm.require_user
     def api_redirectJupyterHub(self):
-        sirepo.auth.require_sim_type('jupyterhublogin')
+        sirepo.auth.control_sim_type_role('jupyterhublogin')
         u = _unchecked_jupyterhub_user_name()
         if u:
             return self.reply_redirect('jupyterHub')