Fix some errors caused by raising 403 in get_current_user (#2919)

get_current_user is called in a few places that really shouldn’t raise move the raising to `get_login_url`, which is called in `@web.authenticated`, where we want to replace redirect logic with 403.
2025-01-18 11:55:46 +08:00 · 2017-10-10 23:43:39 +02:00 · 2017-10-10 23:43:39 +02:00 · a8c6b8bab6
commit a8c6b8bab6
parent 2ee51ab09f
1 changed files with 12 additions and 4 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -104,6 +104,9 @@ class AuthenticatedHandler(web.RequestHandler):
        For example: in the default LoginHandler, if a request is token-authenticated,
        origin checking should be skipped.
        """
+        if self.request.method == 'OPTIONS':
+            # no origin-check on options requests, which are used to check origins!
+            return True
        if self.login_handler is None or not hasattr(self.login_handler, 'should_check_origin'):
            return False
        return not self.login_handler.should_check_origin(self)
@ -476,10 +479,16 @@ class APIHandler(IPythonHandler):
        if hasattr(self, '_user_cache'):
            return self._user_cache
        self._user_cache = user = super(APIHandler, self).get_current_user()
-        if user is None:
-            raise web.HTTPError(403)
        return user

+    def get_login_url(self):
+        # if get_login_url is invoked in an API handler,
+        # that means @web.authenticated is trying to trigger a redirect.
+        # instead of redirecting, raise 403 instead.
+        if not self.current_user:
+            raise web.HTTPError(403)
+        return super(APIHandler, self).get_login_url()
+
    @property
    def content_security_policy(self):
        csp = '; '.join([
@ -494,7 +503,7 @@ class APIHandler(IPythonHandler):
    def update_api_activity(self):
        """Update last_activity of API requests"""
        # record activity of authenticated requests
-        if self._track_activity and self.get_current_user():
+        if self._track_activity and getattr(self, '_user_cache', None):
            self.settings['api_last_activity'] = utcnow()

    def finish(self, *args, **kwargs):
@ -507,7 +516,6 @@ class APIHandler(IPythonHandler):
                        'accept, content-type, authorization, x-xsrftoken')
        self.set_header('Access-Control-Allow-Methods',
                        'GET, PUT, POST, PATCH, DELETE, OPTIONS')
-        self.finish()


 class Template404(IPythonHandler):