Authorization checks in server.py #5386
Conversation
This commit adds a single parameter used in the `config.authorize_callback` that allows the user supplied method to check if an app user is authorized to view the requested app at the given path. Resolves holoviz#3179
Codecov Report

Coverage diff for #5386 against main:

| | main | #5386 | +/- |
|---|---|---|---|
| Coverage | 72.69% | 72.65% | -0.05% |
| Files | 274 | 274 | |
| Lines | 39862 | 39922 | +60 |
| Hits | 28978 | 29005 | +27 |
| Misses | 10884 | 10917 | +33 |

... and 10 files with indirect coverage changes
Thanks, this makes sense but it's also not backward compatible. Could we maybe add a try/except or explicitly check the signature of the function to make sure the old signature is still supported? Also we should update the docstring of the `config.authorize_callback` parameter.
thanks @philippjfr I'll make those changes and update the docstring. If it makes sense, I'll also add a blurb to the documentation page with an example.
- `panel/config.py`'s docstring updated to include the ability to check a user is authorized for the requested path.
- `doc/how_to/authentication/user_info.md` updated giving an example with the new authentication parameter.
- `panel/io/server.py` updated to include a check for the number of parameters needed for `pn.config.authorize_callback`. If only one is given, then it checks specifically for the username authorization. If two are given, then it will check the authorization for both the username and the requested path by the user. The default is to fail authorization.
Moves the check for when `config.authorize_callback` is not `None` before any use of `inspect` is done on the object.
The previous commit did not allow an authorized user to see the requested page if a `config.authorize_callback` was given, due to faulty logic. This commit moves page creation above all authorization checks, and only modifies the page object if a `config.authorize_callback` is given, and if the user (or user and requested path) are authorized.
Hi, I was trying to add OAuth to a small panel app (to run in "google cloud run").

```python
def authorize(user_info, request_path):
```

i.e. when I tried

```
2023-09-11 14:07:44,242 Uncaught exception GET /220514_01_awesome_panel (::1)
```

Perhaps the check here:

Regards,
Hi @el-abcd and thanks for reporting that. Indeed it seems there's a bug! I believe your suggestion not to be quite the right one, when

```python
if len(auth_params) == 1:
    auth_args = (state.user_info,)
elif len(auth_params) == 2:
    auth_args == (state.user_info, self.request.path)  # '==' compares instead of assigning, so auth_args is never bound here
else:
    raise RuntimeError(
        'Authorization callback must accept either one or two arguments.'
    )
```

Would you be interested in making that change in a PR?
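The dispatch described in the commit message above (one parameter: username only; two parameters: username and requested path; anything else: fail authorization) and the snippet Maxime quotes are both about the same piece of logic, so here is a self-contained version of it as an added example. This is not Panel's own `server.py` code; the function names `callback_arity` and `is_authorized`, the sample callbacks, the `ADMIN`/`GUEST` dicts standing in for `state.user_info`, and the choice to serve the request when no callback is configured are all assumptions made for this illustration.

```python
import inspect
import logging
from typing import Any, Callable, Dict, Optional

log = logging.getLogger(__name__)

# Constructed sample identities standing in for state.user_info (the dict the
# OAuth provider returns); neither is a real account.
ADMIN = {"login": "alice", "email": "alice@example.com"}
GUEST = {"login": "bob", "email": "bob@example.org"}


def callback_arity(callback: Callable[..., Any]) -> int:
    """Count the positional parameters a callback declares.

    Keyword-only, *args and **kwargs parameters are ignored, so
    `def cb(user_info, request_path=None)` still counts as two.
    """
    sig = inspect.signature(callback)
    return sum(
        1
        for p in sig.parameters.values()
        if p.kind in (inspect.Parameter.POSITIONAL_ONLY,
                      inspect.Parameter.POSITIONAL_OR_KEYWORD)
    )


def is_authorized(callback: Optional[Callable[..., Any]],
                  user_info: Dict[str, Any],
                  request_path: str) -> bool:
    """Dispatch on the callback's signature, denying on anything unexpected.

    - no callback configured: no authorization layer, request is served
      (an assumption of this example)
    - one parameter: legacy form, callback(user_info)
    - two parameters: new form, callback(user_info, request_path)
    - any other arity, or an exception inside the callback: deny
    """
    if callback is None:
        return True
    try:
        arity = callback_arity(callback)
        if arity == 1:
            verdict = callback(user_info)
        elif arity == 2:
            verdict = callback(user_info, request_path)
        else:
            log.error("authorize_callback must accept one or two arguments, got %d", arity)
            return False
    except Exception:
        # A crashing callback must not fail open: log it and deny.
        log.exception("authorize_callback raised while checking %s", request_path)
        return False
    # Coerce so a callback returning a truthy non-bool cannot leak an object.
    return bool(verdict)


# --- Sample callbacks in both supported shapes (constructed for this example) ---

def legacy_authorize(user_info: Dict[str, Any]) -> bool:
    """Old single-argument form: authorize on e-mail domain only."""
    return user_info.get("email", "").endswith("@example.com")


ALLOWED_PATHS = {"alice": {"/admin", "/dashboard"}, "bob": {"/dashboard"}}


def path_authorize(user_info: Dict[str, Any], request_path: str) -> bool:
    """New two-argument form: a per-user allow-list of app paths."""
    return request_path in ALLOWED_PATHS.get(user_info.get("login", ""), set())


def misdeclared_authorize(user_info, request_path, tenant):
    """Three parameters: neither supported shape, so the dispatcher denies."""
    return True


def crashing_authorize(user_info):
    """Simulates a callback that blows up on an unexpected claim set."""
    return user_info["groups"]  # KeyError: the sample dicts carry no 'groups'


if __name__ == "__main__":
    for cb, who, path in [(legacy_authorize, ADMIN, "/admin"),
                          (path_authorize, GUEST, "/admin"),
                          (misdeclared_authorize, ADMIN, "/admin")]:
        print(cb.__name__, who["login"], path, "->", is_authorized(cb, who, path))
```

The point of the `try`/`except` around the whole dispatch is the one philippjfr raised: an old one-argument callback keeps working, and any mismatch (a three-parameter callback, a callback that raises, a callable `inspect.signature` cannot introspect) ends in a deny rather than an uncaught exception on the request path.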
Hi Maxime, Yes, I can give that a try. Eric
@el-abcd I see the problem, and can make a fix tomorrow. thanks for the report
see #5504