Consider to add roles and permission

[Master-Y0da]

Woul be great if you can add this feature!!!

[frankie567]

Hi Ivar,

Thank you for the suggestion! However, this is not something I plan to implement for now. I think it would be better if another library implements this kind of logic, possibly by leaning on FastAPI Users.

[frankie567]

Hi there!

Hmmm... Yes 🙃 I think there is two things here:

1. Add logic to the current_user dependency

The beauty of dependency injection is that you can nest them to extend logic and progressively build more complex bricks. For example:

current_active_user = fastapi_users.current_user(active=True)  # This is a dependency giving you the current active user

# This is a dependency that takes the active user and will add a custom check
async def active_user_with_permission(user = Depends(current_active_user)):
    # At this point, you are sure you have an active user at hand. Otherwise, the `current_active_user` would already have thrown an error
    if "my_permission" not in user.permissions:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
    return user

Now you can use it in your own routes:

@app.post("/operation-needing-permission")
async def operation_needing_permission(user = Depends(active_user_with_permission)):
    return {"message": "The user has the permission"}

Be sure to read this part of the documentation to know how to use the FastAPI Users dependencies: https://frankie567.github.io/fastapi-users/usage/dependency-callables/

2. Use it in FastAPI Users routes

Now, if you need this kind of custom dependency in the /users router, I fear that your best bet is to copy/paste the logic in your own app and adapt it to your needs.

Those routes are provided for convenience but I think it's better to implement them yourself if you need to support more advanced cases.

[wlievens]

It's indeed option 2 that concerned me here. I managed with the funky code above to generate the FastAPI Users routes, and then manipulate their injected dependency for superuser checks. It's a bit dirty but it works and I think it's better than copy pasting several hundred lines to change just a few.

[LonelyVikingMichael]

I did it like this, which feels ... dirty :-)

...
        for permission in permissions:
            if not permission in user.permissions:
                raise HTTPException(status.HTTP_403_FORBIDDEN, 'You do not have access to this content')
        return user
...

Could you please share what your User model looks like to define user.permissions, and which DB adapter you are using? I'm having trouble creating a many-to-many relationship on the user model with Ormar that is reflected in the Pydantic model

[TillerBurr]

For anyone that stumbles upon this discussion and is relatively new to FastAPI like me (and didn't catch this part in the tutorial), this can be done with the first proposition.

1. Add logic to the current_user dependency

The beauty of dependency injection is that you can nest them to extend logic and progressively build more complex bricks. For example:

current_active_user = fastapi_users.current_user(active=True)  # This is a dependency giving you the current active user

# This is a dependency that takes the active user and will add a custom check
async def active_user_with_permission(user = Depends(current_active_user)):
    # At this point, you are sure you have an active user at hand. Otherwise, the `current_active_user` would already have thrown an error
    if "my_permission" not in user.permissions:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
    return user

Now you can use it in your own routes:

@app.post("/operation-needing-permission")
async def operation_needing_permission(user = Depends(active_user_with_permission)):
    return {"message": "The user has the permission"}

Rather than putting the Depends(...) in the path operation function, it can be added into the include_router call. For example,

app.include_router(
    fastapi_users.get_users_router(),
    prefix="/users",
    tags=["users"],
    dependencies=[Depends(active_user_with_permission)],
)

This applies the dependency to every path in the router generated by fastapi_users.get_users_router(), see this in the docs

Hopefully, this helps you save some time and you don't have to spend as long as I did trying to modify the code here to get it to work with more recent versions of the packages and then figure out that it actually has a crazy simple solution. Doh.

(The current version of FastAPI-Users is v9.3.0 and the current version of FastAPI is 0.75.1.)

[felipebustillo]

I found this code really helpful.

[N0odlez]

I've worked on this a little more and made a simple on a RBAC system:

from fastapi_users import models
from pydantic import Field, BaseModel
from typing import List

# Permission model
class Permission(BaseModel):
    resource: str
    action: str

# Group model
class Group(BaseModel):
    name: str
    permissions: List[Permission] = []

# User model with group and permission fields
class User(models.BaseUser):
    groups: List[Group] = []
    permissions: List[Permission] = []
    denied_permissions: List[Permission] = []

# RBAC library
class RBAC:

    @staticmethod
    def has_permission(user: User, permission_str: str) -> bool:
        """
        Check if the user has the given permission, taking into account denied permissions.
        """
        resource, action = permission_str.split(":")
        # Check if the user has the permission denied directly
        if Permission(resource=resource, action=action) in user.denied_permissions:
            return False

        # Check if the user has the permission directly
        if Permission(resource=resource, action=action) in user.permissions:
            return True

        # Check if the user has the permission through any of their groups
        for group in user.groups:
            if Permission(resource=resource, action=action) in group.permissions:
                return True

        return False

    @staticmethod
    def add_permission_to_group(group: Group, permission_str: str):
        """
        Add a permission to a group.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        group.permissions.append(permission)

    @staticmethod
    def add_permission_to_user(user: User, permission_str: str):
        """
        Add a permission to a user, overriding group permissions.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        user.permissions.append(permission)
        # Remove the permission from denied permissions, if it was previously denied
        if permission in user.denied_permissions:
            user.denied_permissions.remove(permission)

    @staticmethod
    def remove_permission_from_group(group: Group, permission_str: str):
        """
        Remove a permission from a group.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        if permission in group.permissions:
            group.permissions.remove(permission)

    @staticmethod
    def remove_permission_from_user(user: User, permission_str: str):
        """
        Remove a permission from a user, overriding group permissions.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        if permission in user.permissions:
            user.permissions.remove(permission)
        # Remove the permission from denied permissions, if it was previously denied
        if permission in user.denied_permissions:
            user.denied_permissions.remove(permission)

    @staticmethod
    def deny_permission_to_user(user: User, permission_str: str):
        """
        Deny a permission to a user, overriding group permissions.
        """
        resource, action = permission_str.split(":")
        permission = Permission(resource=resource, action=action)
        user.denied_permissions.append(permission)
        # Remove the permission from permissions, if it was previously granted
        if permission in user.permissions:
            user.permissions.remove(permission)

What are your thoughts on this instead?