Consider to add roles and permission #454

Master-Y0da · 2021-01-22T15:45:05Z

Master-Y0da
Jan 22, 2021

Woul be great if you can add this feature!!!

frankie567 · 2021-02-06T08:20:53Z

frankie567
Feb 6, 2021
Maintainer

Hi Ivar,

Thank you for the suggestion! However, this is not something I plan to implement for now. I think it would be better if another library implements this kind of logic, possibly by leaning on FastAPI Users.

7 replies

frankie567 Jun 4, 2021
Maintainer

Hi there!

Hmmm... Yes 🙃 I think there is two things here:

1. Add logic to the `current_user` dependency

The beauty of dependency injection is that you can nest them to extend logic and progressively build more complex bricks. For example:

current_active_user = fastapi_users.current_user(active=True)  # This is a dependency giving you the current active user

# This is a dependency that takes the active user and will add a custom check
async def active_user_with_permission(user = Depends(current_active_user)):
    # At this point, you are sure you have an active user at hand. Otherwise, the `current_active_user` would already have thrown an error
    if "my_permission" not in user.permissions:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
    return user

Now you can use it in your own routes:

@app.post("/operation-needing-permission")
async def operation_needing_permission(user = Depends(active_user_with_permission)):
    return {"message": "The user has the permission"}

Be sure to read this part of the documentation to know how to use the FastAPI Users dependencies: https://frankie567.github.io/fastapi-users/usage/dependency-callables/

2. Use it in FastAPI Users routes

Now, if you need this kind of custom dependency in the /users router, I fear that your best bet is to copy/paste the logic in your own app and adapt it to your needs.

Those routes are provided for convenience but I think it's better to implement them yourself if you need to support more advanced cases.

wlievens Jun 4, 2021

It's indeed option 2 that concerned me here. I managed with the funky code above to generate the FastAPI Users routes, and then manipulate their injected dependency for superuser checks. It's a bit dirty but it works and I think it's better than copy pasting several hundred lines to change just a few.

LonelyVikingMichael Oct 4, 2021

I did it like this, which feels ... dirty :-)

...
        for permission in permissions:
            if not permission in user.permissions:
                raise HTTPException(status.HTTP_403_FORBIDDEN, 'You do not have access to this content')
        return user
...

Could you please share what your User model looks like to define user.permissions, and which DB adapter you are using? I'm having trouble creating a many-to-many relationship on the user model with Ormar that is reflected in the Pydantic model

TillerBurr Apr 11, 2022

For anyone that stumbles upon this discussion and is relatively new to FastAPI like me (and didn't catch this part in the tutorial), this can be done with the first proposition.

1. Add logic to the `current_user` dependency

The beauty of dependency injection is that you can nest them to extend logic and progressively build more complex bricks. For example:

current_active_user = fastapi_users.current_user(active=True)  # This is a dependency giving you the current active user

# This is a dependency that takes the active user and will add a custom check
async def active_user_with_permission(user = Depends(current_active_user)):
    # At this point, you are sure you have an active user at hand. Otherwise, the `current_active_user` would already have thrown an error
    if "my_permission" not in user.permissions:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
    return user

Now you can use it in your own routes:

@app.post("/operation-needing-permission")
async def operation_needing_permission(user = Depends(active_user_with_permission)):
    return {"message": "The user has the permission"}

Rather than putting the Depends(...) in the path operation function, it can be added into the include_router call. For example,

app.include_router(
    fastapi_users.get_users_router(),
    prefix="/users",
    tags=["users"],
    dependencies=[Depends(active_user_with_permission)],
)

This applies the dependency to every path in the router generated by fastapi_users.get_users_router(), see this in the docs

Hopefully, this helps you save some time and you don't have to spend as long as I did trying to modify the code here to get it to work with more recent versions of the packages and then figure out that it actually has a crazy simple solution. Doh.

(The current version of FastAPI-Users is v9.3.0 and the current version of FastAPI is 0.75.1.)

felipebustillo May 1, 2022

I found this code really helpful.

N0odlez · 2023-04-13T11:18:01Z

N0odlez
Apr 13, 2023

I've worked on this a little more and made a simple on a RBAC system:

from fastapi_users import models
from pydantic import Field, BaseModel
from typing import List

# Permission model
class Permission(BaseModel):
    resource: str
    action: str

# Group model
class Group(BaseModel):
    name: str
    permissions: List[Permission] = []

# User model with group and permission fields
class User(models.BaseUser):
    groups: List[Group] = []
    permissions: List[Permission] = []
    denied_permissions: List[Permission] = []

# RBAC library
class RBAC:

    @staticmethod
    def has_permission(user: User, permission_str: str) -> bool:
        """
        Check if the user has the given permission, taking into account denied permissions.
        """
        resource, action = permission_str.split(":")
        # Check if the user has the permission denied directly
        if Permission(resource=resource, action=action) in user.denied_permissions:
            return False

        # Check if the user has the permission directly
        if Permission(resource=resource, action=action) in user.permissions:
            return True

        # Check if the user has the permission through any of their groups
        for group in user.groups:
            if Permission(resource=resource, action=action) in group.permissions:
                return True

        return False

    @staticmethod
    def add_permission_to_group(group: Group, permission_str: str):
        """
        Add a permission to a group.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        group.permissions.append(permission)

    @staticmethod
    def add_permission_to_user(user: User, permission_str: str):
        """
        Add a permission to a user, overriding group permissions.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        user.permissions.append(permission)
        # Remove the permission from denied permissions, if it was previously denied
        if permission in user.denied_permissions:
            user.denied_permissions.remove(permission)

    @staticmethod
    def remove_permission_from_group(group: Group, permission_str: str):
        """
        Remove a permission from a group.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        if permission in group.permissions:
            group.permissions.remove(permission)

    @staticmethod
    def remove_permission_from_user(user: User, permission_str: str):
        """
        Remove a permission from a user, overriding group permissions.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        if permission in user.permissions:
            user.permissions.remove(permission)
        # Remove the permission from denied permissions, if it was previously denied
        if permission in user.denied_permissions:
            user.denied_permissions.remove(permission)

    @staticmethod
    def deny_permission_to_user(user: User, permission_str: str):
        """
        Deny a permission to a user, overriding group permissions.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        user.denied_permissions.append(permission)
        # Remove the permission from permissions, if it was previously granted
        if permission in user.permissions:
            user.permissions.remove(permission)

What are your thoughts on this instead?

1 reply

alfonsodipace Dec 3, 2024

Are there any updates on this "feature"?
I want to add it to my application, do you advise using something custom as you did or can we have support from other libraries?
if yes which one and how?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Consider to add roles and permission #454

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 8 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

1. Add logic to the `current_user` dependency

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Consider to add roles and permission #454

Uh oh!

Master-Y0da Jan 22, 2021

Replies: 2 comments · 8 replies

Uh oh!

frankie567 Feb 6, 2021 Maintainer

Uh oh!

frankie567 Jun 4, 2021 Maintainer

1. Add logic to the current_user dependency

2. Use it in FastAPI Users routes

Uh oh!

wlievens Jun 4, 2021

Uh oh!

LonelyVikingMichael Oct 4, 2021

Uh oh!

TillerBurr Apr 11, 2022

1. Add logic to the current_user dependency

Uh oh!

felipebustillo May 1, 2022

Uh oh!

Uh oh!

N0odlez Apr 13, 2023

Uh oh!

alfonsodipace Dec 3, 2024

Master-Y0da
Jan 22, 2021

Replies: 2 comments 8 replies

frankie567
Feb 6, 2021
Maintainer

frankie567 Jun 4, 2021
Maintainer

1. Add logic to the `current_user` dependency

1. Add logic to the `current_user` dependency

N0odlez
Apr 13, 2023