Support JupyterHub 2's fine grained RBAC permissions, and test against Py3.10 and JH2

.github/workflows/publish.yaml

@@ -1,5 +1,5 @@
 # This is a GitHub workflow defining a set of jobs with a set of steps.
-# ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+# ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
 #
 # Publish to PyPI on push of version like tags
 #

.github/workflows/test.yaml

@@ -1,5 +1,5 @@
 # This is a GitHub workflow defining a set of jobs with a set of steps.
-# ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+# ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
 #
 name: Test
 
@@ -35,20 +35,27 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - python-version: 3.6
-          - python-version: 3.7
-          - python-version: 3.8
-          - python-version: 3.9
+          - python-version: "3.6"
+            jupyterhub-version: "1.3.*"
+          - python-version: "3.7"
+            jupyterhub-version: "1.4.*"
+          - python-version: "3.8"
+            jupyterhub-version: "1.*"
+          - python-version: "3.9"
+            jupyterhub-version: "2.*"
+          - python-version: "3.10"
+            jupyterhub-version: "2.*"
 
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
         with:
-          python-version: "${{ matrix.python-version}}"
+          python-version: "${{ matrix.python-version }}"
 
       - name: Install Python dependencies
         run: |
           pip install --no-cache-dir -r dev-requirements.txt
+          pip install --pre "jupyterhub==${{ matrix.jupyterhub-version }}"
           pip install .
 
       - name: Run tests

nativeauthenticator/handlers.py

@@ -4,7 +4,12 @@
 from jinja2 import ChoiceLoader, FileSystemLoader
 from jupyterhub.handlers import BaseHandler
 from jupyterhub.handlers.login import LoginHandler
-from jupyterhub.utils import admin_only
+try:
+    from jupyterhub.scopes import needs_scope
+    admin_users_scope = needs_scope("admin:users")
+except ImportError:
+    from jupyterhub.utils import admin_only
+    admin_users_scope = admin_only
 
 from tornado import web
 from tornado.escape import url_escape
@@ -145,7 +150,7 @@ async def post(self):
 
 class AuthorizationHandler(LocalBase):
     """Render the sign in page."""
-    @admin_only
+    @admin_users_scope
     async def get(self):
         html = await self.render_template(
             'autorization-area.html',
@@ -156,7 +161,7 @@ async def get(self):
 
 
 class ChangeAuthorizationHandler(LocalBase):
-    @admin_only
+    @admin_users_scope
     async def get(self, slug):
         UserInfo.change_authorization(self.db, slug)
         self.redirect(self.hub.base_url + 'authorize#' + slug)
@@ -256,7 +261,7 @@ async def post(self):
 class ChangePasswordAdminHandler(LocalBase):
     """Render the reset password page."""
 
-    @admin_only
+    @admin_users_scope
     async def get(self, user_name):
         if not self.authenticator.user_exists(user_name):
             raise web.HTTPError(404)
@@ -266,7 +271,7 @@ async def get(self, user_name):
         )
         self.finish(html)
 
-    @admin_only
+    @admin_users_scope
     async def post(self, user_name):
         new_password = self.get_body_argument('password', strip=False)
         self.authenticator.change_password(user_name, new_password)
@@ -334,7 +339,7 @@ async def post(self):
 class DiscardHandler(LocalBase):
     """Discard a user from database"""
 
-    @admin_only
+    @admin_users_scope
     async def get(self, user_name):
         user = self.authenticator.get_user(user_name)
         if user is not None: