-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should current_user
and prepare
guards be set in AuthenticatedHandler
rather than JupyterHandler
?
#1398
Comments
I think it probably does make sense to do that, yes. |
Yes, that's what I used to think until I carefully read the code. Maybe we could also rename AuthenticatedHandle to Mixin? Which may require more work though. BTW, I also support:
|
Description
Currently
current_user
is getting set inJupyterHandler
which inherits fromAuthenticatedHandler
. Some other guards against unauthenticated access (e.g.prepare
,check_host
,check_referer
, etc) are also implemented inJupyterHandler
rather than onAuthenticatedHandler
level. PR #1392 adds more guards in the same place as where the existing ones are (i.e.JupyterHandler.prepare
).Some downstreams incorrectly assumed that
AuthenticatedHandler
does in fact all which is needed for authentication and because of that had insufficient access control. It appears not the best practice to call somethingAuthenticated
when in fact it is more of a mixin which requiresJupyterHandler
to get the full protection.Expected behavior
AuthenticatedHandler
is to stay as-is, extension authors should not need to read the code to know which handler to inherit from and this should be documented with big red warning thatAuthenticatedHandler
is not to be used unless by advanced developers who know what they are doingAuthenticatedHandler
rather than be spread between it andJupyterHandler
Context
I had asked this question in #1392 but did not get an answer. It is not necessary to address it in that PR so I am opening a new issue to track the dicsussion.
The text was updated successfully, but these errors were encountered: