From 0141d82749f3d71e54b87507bdd3b95a5e240120 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Tue, 10 Oct 2017 16:46:40 +0200
Subject: [PATCH] Fix some errors caused by raising 403 in get_current_user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

get_current_user is called in a few places that really shouldn’t raise

move the raising to `get_login_url`, which is called in `@web.authenticated`,
where we want to replace redirect logic with 403.
---
 notebook/base/handlers.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index c2183c1823..d5a7382516 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -104,6 +104,9 @@ def skip_check_origin(self):
         For example: in the default LoginHandler, if a request is token-authenticated,
         origin checking should be skipped.
         """
+        if self.request.method == 'OPTIONS':
+            # no origin-check on options requests, which are used to check origins!
+            return True
         if self.login_handler is None or not hasattr(self.login_handler, 'should_check_origin'):
             return False
         return not self.login_handler.should_check_origin(self)
@@ -476,10 +479,16 @@ def get_current_user(self):
         if hasattr(self, '_user_cache'):
             return self._user_cache
         self._user_cache = user = super(APIHandler, self).get_current_user()
-        if user is None:
-            raise web.HTTPError(403)
         return user
 
+    def get_login_url(self):
+        # if get_login_url is invoked in an API handler,
+        # that means @web.authenticated is trying to trigger a redirect.
+        # instead of redirecting, raise 403 instead.
+        if not self.current_user:
+            raise web.HTTPError(403)
+        return super(APIHandler, self).get_login_url()
+
     @property
     def content_security_policy(self):
         csp = '; '.join([
@@ -494,7 +503,7 @@ def content_security_policy(self):
     def update_api_activity(self):
         """Update last_activity of API requests"""
         # record activity of authenticated requests
-        if self._track_activity and self.get_current_user():
+        if self._track_activity and getattr(self, '_user_cache', None):
             self.settings['api_last_activity'] = utcnow()
 
     def finish(self, *args, **kwargs):
@@ -507,7 +516,6 @@ def options(self, *args, **kwargs):
                         'accept, content-type, authorization, x-xsrftoken')
         self.set_header('Access-Control-Allow-Methods',
                         'GET, PUT, POST, PATCH, DELETE, OPTIONS')
-        self.finish()
 
 
 class Template404(IPythonHandler):