In my app, I want to apply access to a given endpoint based on a role, which is an enum. The way it all works is that a logged in (authorized) user, wants to get access to some resources, or create a new user etc…, then his jwt token is decoded, so we can see his roles (enum). I’m going to create 3 functions (permission_user, permission_admin, permission_manager) that read the roles of the user and based on it, give access or not. I know that I could create 6 functions (permutations), such as permission_user_and_manager, but I want to solve this in a more professional way. I would like to do something based on:
@app.get("/users") #example endpointdef fetch_users(is_auth: bool = Depends(permission_admin or permission_manager)..Unfortunately it doesn’t work, do you know any solutions?
Advertisement
Answer
I would supply the value as another dependency which will return a 403 if the enum is not an appropriate value. I would expect a separate dependency that handles the actual auth and returns an enum value for the permissions (e.g. something like AuthRole).
def admin_permissions(auth_role: AuthRole = Depends(get_auth_role)): if auth_role!= AuthRole.ADMIN: raise HTTPException( status_code=403, detail="User must be an admin to perform this action" )In your definition of the endpoint route, you can specify this method as a depends that must be performed before the call happens. You could also apply this to an ApiRouter class to avoid duplication.
@app.get("/users", dependencies=[Depends(admin_permissions)])def fetch_users(): Now you will only enter the body of fetch_users if the admin_permissions dependency does not raise the 403 response code.
If you want to parameterize this further, you can use an advanced dependency that uses a class instances __call__ method to perform the work. Then you can provide multiple roles that are acceptable instead of just one. That would look something like this:
class AuthChecker: def __init__(self, *roles: AuthRole) -> None: self.roles = roles def __call__(self, auth_role: AuthRole = Depends(get_auth_role)): if auth_role not in self.roles: roles_values = " or ".join([role.value for role in self.roles]) raise HTTPException( status_code=403, detail=f"User must be in role {roles_values} to perform this action" )@app.get("/users", dependencies=[Depends(AuthChecker(AuthRole.ADMIN, AuthRole.MANAGER))])def fetch_users(): return "users"Full example to play with:
from enum import Enumimport uvicorn as uvicornfrom fastapi import FastAPI, Header, Depends, HTTPExceptionapp = FastAPI()class AuthRole(Enum): ADMIN = "admin" MANAGER = "manager" NORMAL = "normal"def get_auth_role(auth_role: AuthRole = Header()) -> AuthRole: return auth_roleclass AuthChecker: def __init__(self, *roles: AuthRole) -> None: self.roles = roles def __call__(self, auth_role: AuthRole = Depends(get_auth_role)): if auth_role not in self.roles: roles_values = " or ".join([role.value for role in self.roles]) raise HTTPException( status_code=403, detail=f"User must be in role {roles_values} to perform this action" )@app.get("/admin", dependencies=[Depends(AuthChecker(AuthRole.ADMIN, AuthRole.MANAGER))])def admin(auth_role: AuthRole = Depends(get_auth_role)): return auth_roleif __name__ == "__main__": uvicorn.run(app, host="127.0.0.1", port=8000)