Skip to content

Prevent propagation of scopes on non-security sub-dependencies#9790

Closed
DurandA wants to merge 1 commit intofastapi:masterfrom
DurandA:fix/security-cache-sub
Closed

Prevent propagation of scopes on non-security sub-dependencies#9790
DurandA wants to merge 1 commit intofastapi:masterfrom
DurandA:fix/security-cache-sub

Conversation

@DurandA
Copy link
Contributor

@DurandA DurandA commented Jul 3, 2023

In #2945 the behavior of cache keys was changed. The scopes are passed to every dependencies down the tree, including when these dependencies are not Security.

This results in undesired behaviors when a dependency such as a DB session is created twice, e.g.:

@app.patch("/me")
def update_current_user(
    user: UserUpdate,
    current_user: User = Security(get_current_user, scopes=["user:write"]),
    session: Session = Depends(get_session),
):
    pass

@DurandA DurandA mentioned this pull request Jul 3, 2023
Merged
@qmorek
Copy link

qmorek commented Dec 14, 2023

Hi @tiangolo,
is there any chance for this to be merged?

@tiangolo tiangolo added bug Something isn't working p2 labels Jan 14, 2024
YuriiMotov
YuriiMotov reviewed Feb 21, 2024
View reviewed changes
Copy link
Member

@YuriiMotov YuriiMotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see a problem in this implementation.
I described it in the discussion here
Let's discuss it there

@github-actions github-actions bot added the conflicts Automatically generated when a PR has a merge conflict label Oct 30, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 30, 2025

This pull request has a merge conflict that needs to be resolved.

@tiangolo tiangolo mentioned this pull request Nov 30, 2025
Merged
@tiangolo
Copy link
Member

tiangolo commented Nov 30, 2025

Thanks for the discussion and effort here! 🍰

This should be solved by #14419, released in FastAPI 0.123.0 🎉

I'll close this one now. ☕

@tiangolo tiangolo closed this Nov 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YuriiMotov YuriiMotov YuriiMotov left review comments

Assignees

No one assigned

Labels

bug Something isn't working conflicts Automatically generated when a PR has a merge conflict p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@DurandA @qmorek @tiangolo @YuriiMotov