v0.3.1 - Handle permission overrides that are iterators

jacobsvante · Mar 29, 2021 · f99d9b7 · f99d9b7
1 parent fb81b34
commit f99d9b7
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Nothing
 
+## [0.3.1](https://github.com/jmagnusson/fastapi-security/compare/v0.3.0...v0.3.1) - 2021-03-29
+
+### Fixed
+
+- Handle permission overrides iterators that are exhaustable
+- Ensure that a string permission override is always equal to `*`
+
 ## [0.3.0](https://github.com/jmagnusson/fastapi-security/compare/v0.2.0...v0.3.0) - 2021-03-26
 
 ### Added

diff --git a/fastapi_security/api.py b/fastapi_security/api.py
@@ -76,7 +76,18 @@ def add_permission_overrides(self, overrides: PermissionOverrides):
             })
 
         """
-        self._permission_overrides.update(overrides)
+        for user, val in overrides.items():
+            lst = self._permission_overrides.setdefault(user, [])
+            if isinstance(val, str):
+                assert (
+                    val == "*"
+                ), "Only `*` is accepted as permission override when specified as a string"
+                logger.debug(f"Adding wildcard `*` permission to user {user}")
+                lst.append("*")
+            else:
+                for p in val:
+                    logger.debug(f"Adding permission {p} to user {user}")
+                    lst.append(p)
 
     @property
     def user(self) -> Callable:

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "fastapi-security"
-version = "0.3.0"
+version = "0.3.1"
 description = "Add authentication and authorization to your FastAPI app via dependencies."
 authors = ["Jacob Magnusson <m@jacobian.se>"]
 license = "MIT"

diff --git a/tests/integration/test_permission_overrides.py b/tests/integration/test_permission_overrides.py
@@ -45,3 +45,29 @@ def create_product(
 
     assert resp.status_code == 200
     assert resp.json() == {"ok": True}
+
+
+def test_that_permission_overrides_can_be_an_exhaustable_iterator(app, client):
+    cred = HTTPBasicCredentials(username="johndoe", password="123")
+
+    security = FastAPISecurity()
+
+    create_product_perm = security.user_permission("products:create")
+
+    security.init_basic_auth([cred])
+
+    overrides = iter(["products:create"])
+    security.add_permission_overrides({"johndoe": overrides})
+
+    @app.post("/products")
+    def create_product(
+        user: User = Depends(security.user_holding(create_product_perm)),
+    ):
+        return {"ok": True}
+
+    # NOTE: Before v0.3.1, the second iteration would give a HTTP403, as the overrides
+    #       iterator had been exhausted on the first try.
+    for _ in range(2):
+        resp = client.post("/products", auth=("johndoe", "123"))
+        assert resp.status_code == 200
+        assert resp.json() == {"ok": True}