anti
741e6bb0d3
- Rename project to stealergram throughout - Add pyproject.toml (replaces requirements.txt split, folds pytest.ini) - Replace all em-dashes with hyphens across all source files Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
53 lines
1.5 KiB
Python
53 lines
1.5 KiB
Python
"""
|
|
web/dependencies.py - FastAPI dependency functions.
|
|
|
|
get_current_user: reads the access_token cookie, decodes + validates it,
|
|
loads the user row from web.db. Raises 401 if anything fails.
|
|
|
|
require_role(min_role): returns a dependency that enforces a minimum RBAC level.
|
|
"""
|
|
|
|
from fastapi import Cookie, Depends, HTTPException, status
|
|
|
|
from web import auth, db
|
|
|
|
_ROLE_ORDER = ["reader", "admin", "superadmin"]
|
|
|
|
|
|
def _role_rank(role: str) -> int:
|
|
try:
|
|
return _ROLE_ORDER.index(role)
|
|
except ValueError:
|
|
return -1
|
|
|
|
|
|
async def get_current_user(
|
|
access_token: str | None = Cookie(default=None),
|
|
) -> db.sqlite3.Row:
|
|
exc = HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Not authenticated",
|
|
headers={"WWW-Authenticate": "Bearer"},
|
|
)
|
|
if not access_token:
|
|
raise exc
|
|
payload = auth.decode_access_token(access_token)
|
|
if payload is None:
|
|
raise exc
|
|
user = db.get_user_by_id(payload["sub"])
|
|
if user is None or not user["is_active"]:
|
|
raise exc
|
|
return user
|
|
|
|
|
|
def require_role(min_role: str):
|
|
"""FastAPI dependency factory: ensures user role >= min_role."""
|
|
async def _dep(user=Depends(get_current_user)):
|
|
if _role_rank(user["role"]) < _role_rank(min_role):
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"Requires role: {min_role}",
|
|
)
|
|
return user
|
|
return _dep
|