Remove the permission to add general admin user by group admin

blinak · July 15, 2024, 8:16am

I have the following scopes for the group admin:
- ‘read:users’
- ‘admin:users!group=test-group’
- ‘admin:groups!group=test-group’
- ‘admin-ui’
needed to add/delete/create/read users to the specific group he manages, in this case test group. However in the add users section(as shown in the picture) this admin can add a general admin. I want the admin of the group to only be able to create and add simple users to the group, not admins.

blinak · July 26, 2024, 2:23pm

help is much appreciated

minrk · August 8, 2024, 7:06am

This can be fixed by upgrading to JupyterHub 4.1.6 or 5.1.0. admin:users is not meant to grant access to the admin property, reported as CVE-2024-41942
.

Topic		Replies	Views
... is not a valid Jupyterhub user Zero to JupyterHub on Kubernetes help-wanted	1	108	May 22, 2024
Admin Scopes Not Given to Users With Admin Role Zero to JupyterHub on Kubernetes jupyterhub , help-wanted	4	537	October 2, 2023
Non-admin users can't log in because of token permission errors Zero to JupyterHub on Kubernetes how-to , help-wanted	17	1950	October 12, 2022
Selective admin access based on groups? JupyterHub	0	344	September 24, 2019
JupyterHub users added to database but users not getting access discuss community , jupyterhub , help-wanted	4	1013	November 12, 2021

Remove the permission to add general admin user by group admin

Related Topics