fastapi-rbac-authz 0.2.0__tar.gz → 0.4.0__tar.gz

{fastapi_rbac_authz-0.2.0 → fastapi_rbac_authz-0.4.0}/.github/workflows/pypi-minor-deployment.yaml

@@ -20,8 +20,7 @@ jobs:
     needs: ["checks"]
 
     env:
-      PYPI_USER: ${{ secrets.PYPI_USER }}
-      PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+      PYPI_TOKEN: ${{ secrets.PYPI_PASSWORD }}
 
     steps:
       - uses: actions/checkout@v3
@@ -38,7 +37,7 @@ jobs:
         run: poetry config virtualenvs.create false
 
       - name: Configure PyPi credentials
-        run: poetry config pypi-token.pypi ${{ env.PYPI_PASSWORD }}
+        run: poetry config pypi-token.pypi ${{ env.PYPI_TOKEN }}
 
       - name: Bump Version
         run: poetry version minor

{fastapi_rbac_authz-0.2.0 → fastapi_rbac_authz-0.4.0}/CLAUDE.md

@@ -30,6 +30,7 @@ poetry build
 
 **IMPORTANT:** Always run pre-commit after making any code changes:
 ```bash
+source .venv/bin/activate
 pre-commit run --all-files
 ```
 This runs ruff (linting + formatting) and mypy (type checking on fastapi_rbac).
@@ -38,29 +39,29 @@ This runs ruff (linting + formatting) and mypy (type checking on fastapi_rbac).
 
 ### Core Components
 
-**RBACAuthz[UserT]** (`core.py`) - Main configuration class that attaches to FastAPI app. Configures role-to-permission mappings, user dependency injection, and optional visualization UI.
+**RBACAuthz** (`core.py`) - Main configuration class that attaches to FastAPI app. Configures role-to-permission mappings, roles dependency injection, and optional visualization UI. Takes a `roles_dependency` that returns `set[str]`.
 
 **RBACRouter** (`router.py`) - Extended APIRouter with permission decorators (`@router.get(permissions=..., contexts=...)`). Supports default permissions at router level with per-endpoint overrides. Stores endpoint metadata for UI introspection.
 
 **Permission System** (`permissions.py`) - Two scopes: `Global` (bypasses context checks) and `Contextual` (requires context validation). Supports wildcard matching (`resource:*` matches `resource:read`). Wildcards only allowed in role grants, not endpoint requirements.
 
-**ContextualAuthz[UserT]** (`context.py`) - Abstract base class for context-specific authorization. Subclasses are FastAPI dependencies that implement `async has_permissions() -> bool`. Supports full FastAPI DI in `__init__`. Context classes should use `Annotated[User, Depends(RBACUser)]` for the user parameter.
+**ContextualAuthz** (`context.py`) - Abstract base class for context-specific authorization. Subclasses are FastAPI dependencies that implement `async has_permissions() -> bool`. Supports full FastAPI DI in `__init__`. Context classes are responsible for their own authentication via `Annotated[User, Depends(get_current_user)]`.
 
-**Dependencies** (`dependencies.py`) - Creates FastAPI dependencies for auth and authz. Uses `dependency_overrides` pattern for user dependency injection. Manipulates function signatures dynamically via `inspect.Signature`.
+**Dependencies** (`dependencies.py`) - Creates FastAPI dependencies for auth and authz. Uses `dependency_overrides` pattern for roles dependency injection. Manipulates function signatures dynamically via `inspect.Signature`.
 
 **UI System** (`ui/`) - Cytoscape.js visualization mounted at configurable path. Introspects RBAC configuration to display role → permission → endpoint ← context relationships.
 
 ### Key Patterns
 
-- **Request State**: User stored in `request.state.user`, RBAC config in `app.state.rbac`, routers in `app.state._rbac_routers_`
+- **Request State**: RBAC config in `app.state.rbac`, routers in `app.state.rbac.routers`
 - **Metadata Tracking**: Endpoints store `_rbac_metadata_` attribute; routers track `endpoint_metadata[(path, method)]`
-- **Permission Resolution**: Extract roles → resolve grants → check global permissions first → run contextual checks only if needed
-- **Type Safety**: Strict mypy with full generics (`RBACAuthz[UserT]`, `ContextualAuthz[UserT]`)
+- **Permission Resolution**: Roles dependency returns roles → resolve grants → check global permissions first → run contextual checks only if needed
+- **Simplified Auth**: The library only needs roles (`set[str]`), not a user object. Context classes handle their own auth via FastAPI DI.
 
 ### Public API (from `__init__.py`)
 
 ```python
-RBACAuthz, RBACRouter, RBACUser, ContextualAuthz
+RBACAuthz, RBACRouter, ContextualAuthz
 Global, Contextual, PermissionGrant, PermissionScope
-Forbidden, create_auth_dependency, create_authz_dependency, evaluate_permissions
+Forbidden, create_authz_dependency
 ```

{fastapi_rbac_authz-0.2.0 → fastapi_rbac_authz-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fastapi-rbac-authz
-Version: 0.2.0
+Version: 0.4.0
 Summary: Role-based access control with contextual authorization for FastAPI
 Project-URL: Homepage, https://github.com/parikls/fastapi-rbac
 Author-email: Dmytro Smyk <porovozls@gmail.com>
@@ -36,7 +36,7 @@ pip install fastapi-rbac-authz
 from typing import Annotated
 from fastapi import Depends, FastAPI
 from fastapi_rbac import (
-    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz, RBACUser
+    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz
 )
 
 # 1. Define your user model
@@ -45,7 +45,17 @@ class User:
         self.user_id = user_id
         self.roles = roles
 
-# 2. Define role permissions
+# 2. Define your authentication dependencies
+# The library only needs roles - you can authenticate however you like
+async def get_current_user() -> User:
+    # Your authentication logic here
+    return User(user_id="user-1", roles={"viewer"})
+
+async def get_current_user_roles() -> set[str]:
+    user = await get_current_user()
+    return user.roles
+
+# 3. Define role permissions
 PERMISSIONS = {
     "admin": {
         Global("report:*"),         # Admin can do anything with reports
@@ -55,13 +65,13 @@ PERMISSIONS = {
     },
 }
 
-# 3. Create a context check (for contextual permissions)
-# All __init__ params are injected by FastAPI's DI system
-class ReportAccessContext(ContextualAuthz[User]):
+# 4. Create a context check (for contextual permissions)
+# Context classes are responsible for their own authentication via FastAPI DI
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # <-- Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your auth dependency
     ):
         self.user = user
         self.report_id = report_id
@@ -71,22 +81,17 @@ class ReportAccessContext(ContextualAuthz[User]):
         allowed_reports = {1, 2, 3}  # e.g., query from database
         return self.report_id in allowed_reports
 
-# 4. Create your app and configure RBAC
+# 5. Create your app and configure RBAC
 app = FastAPI()
 
-async def get_current_user() -> User:
-    # Your authentication logic here
-    return User(user_id="user-1", roles={"viewer"})
-
 RBACAuthz(
     app,
-    get_roles=lambda u: u.roles,
     permissions=PERMISSIONS,
-    user_dependency=get_current_user,
+    roles_dependency=get_current_user_roles,  # Returns set[str]
     ui_path="/_rbac",  # Optional: mount visualization UI
 )
 
-# 5. Create protected routes
+# 6. Create protected routes
 router = RBACRouter(permissions={"report:read"}, contexts=[ReportAccessContext])
 
 @router.get("/reports/{report_id}")
@@ -100,6 +105,8 @@ async def create_report():
 app.include_router(router, prefix="/api")
 ```
 
+> **Note:** The library doesn't care how you authenticate - whether via dependency, middleware, JWT decode, or any other method. You just need to provide a dependency that returns the user's roles as `set[str]`. Context classes are responsible for their own authentication and can use any FastAPI dependency pattern.
+
 ## Permission Scopes
 
 Permissions can be granted with two scopes:
@@ -136,14 +143,14 @@ PERMISSIONS = {
 
 ## Context Checks
 
-Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.).
+Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.). Each context class is responsible for its own authentication via FastAPI's dependency injection.
 
 ```python
-class ReportAccessContext(ContextualAuthz[User]):
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your auth dependency
         db: Annotated[AsyncSession, Depends(get_db)],  # Database session
     ):
         self.user = user
@@ -161,8 +168,8 @@ class ReportAccessContext(ContextualAuthz[User]):
 When a request hits an RBAC-protected endpoint:
 
 ```
-1. Authentication
-   └── user_dependency runs → User object available
+1. Role Resolution
+   └── roles_dependency runs → User's roles (set[str]) available
 
 2. Permission Check
    └── Does user have ANY grant (global or contextual) for required permission?
@@ -175,7 +182,7 @@ When a request hits an RBAC-protected endpoint:
        └── No  → Continue to context checks
 
 4. Context Checks (only for Contextual grants)
-   └── Run all context classes via FastAPI DI
+   └── Run all context classes via FastAPI DI (each gets its own user via Depends)
        └── Do ALL contexts return True?
            ├── No  → 403 Forbidden
            └── Yes → Access granted

{fastapi_rbac_authz-0.2.0 → fastapi_rbac_authz-0.4.0}/README.md

@@ -14,7 +14,7 @@ pip install fastapi-rbac-authz
 from typing import Annotated
 from fastapi import Depends, FastAPI
 from fastapi_rbac import (
-    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz, RBACUser
+    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz
 )
 
 # 1. Define your user model
@@ -23,7 +23,17 @@ class User:
         self.user_id = user_id
         self.roles = roles
 
-# 2. Define role permissions
+# 2. Define your authentication dependencies
+# The library only needs roles - you can authenticate however you like
+async def get_current_user() -> User:
+    # Your authentication logic here
+    return User(user_id="user-1", roles={"viewer"})
+
+async def get_current_user_roles() -> set[str]:
+    user = await get_current_user()
+    return user.roles
+
+# 3. Define role permissions
 PERMISSIONS = {
     "admin": {
         Global("report:*"),         # Admin can do anything with reports
@@ -33,13 +43,13 @@ PERMISSIONS = {
     },
 }
 
-# 3. Create a context check (for contextual permissions)
-# All __init__ params are injected by FastAPI's DI system
-class ReportAccessContext(ContextualAuthz[User]):
+# 4. Create a context check (for contextual permissions)
+# Context classes are responsible for their own authentication via FastAPI DI
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # <-- Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your auth dependency
     ):
         self.user = user
         self.report_id = report_id
@@ -49,22 +59,17 @@ class ReportAccessContext(ContextualAuthz[User]):
         allowed_reports = {1, 2, 3}  # e.g., query from database
         return self.report_id in allowed_reports
 
-# 4. Create your app and configure RBAC
+# 5. Create your app and configure RBAC
 app = FastAPI()
 
-async def get_current_user() -> User:
-    # Your authentication logic here
-    return User(user_id="user-1", roles={"viewer"})
-
 RBACAuthz(
     app,
-    get_roles=lambda u: u.roles,
     permissions=PERMISSIONS,
-    user_dependency=get_current_user,
+    roles_dependency=get_current_user_roles,  # Returns set[str]
     ui_path="/_rbac",  # Optional: mount visualization UI
 )
 
-# 5. Create protected routes
+# 6. Create protected routes
 router = RBACRouter(permissions={"report:read"}, contexts=[ReportAccessContext])
 
 @router.get("/reports/{report_id}")
@@ -78,6 +83,8 @@ async def create_report():
 app.include_router(router, prefix="/api")
 ```
 
+> **Note:** The library doesn't care how you authenticate - whether via dependency, middleware, JWT decode, or any other method. You just need to provide a dependency that returns the user's roles as `set[str]`. Context classes are responsible for their own authentication and can use any FastAPI dependency pattern.
+
 ## Permission Scopes
 
 Permissions can be granted with two scopes:
@@ -114,14 +121,14 @@ PERMISSIONS = {
 
 ## Context Checks
 
-Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.).
+Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.). Each context class is responsible for its own authentication via FastAPI's dependency injection.
 
 ```python
-class ReportAccessContext(ContextualAuthz[User]):
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your auth dependency
         db: Annotated[AsyncSession, Depends(get_db)],  # Database session
     ):
         self.user = user
@@ -139,8 +146,8 @@ class ReportAccessContext(ContextualAuthz[User]):
 When a request hits an RBAC-protected endpoint:
 
 ```
-1. Authentication
-   └── user_dependency runs → User object available
+1. Role Resolution
+   └── roles_dependency runs → User's roles (set[str]) available
 
 2. Permission Check
    └── Does user have ANY grant (global or contextual) for required permission?
@@ -153,7 +160,7 @@ When a request hits an RBAC-protected endpoint:
        └── No  → Continue to context checks
 
 4. Context Checks (only for Contextual grants)
-   └── Run all context classes via FastAPI DI
+   └── Run all context classes via FastAPI DI (each gets its own user via Depends)
        └── Do ALL contexts return True?
            ├── No  → 403 Forbidden
            └── Yes → Access granted

{fastapi_rbac_authz-0.2.0 → fastapi_rbac_authz-0.4.0}/examples/basic_app.py

@@ -20,7 +20,6 @@ from fastapi_rbac import (
     Global,
     RBACAuthz,
     RBACRouter,
-    RBACUser,
 )
 
 
@@ -67,8 +66,10 @@ PERMISSIONS = {
 
 
 # =============================================================================
-# Authentication Dependency
+# Authentication Dependencies
 # =============================================================================
+
+
 async def get_current_user(x_token: Annotated[str, Header()]) -> User:
     """Simulate authentication via X-Token header."""
     user = USERS.get(x_token)
@@ -77,16 +78,29 @@ async def get_current_user(x_token: Annotated[str, Header()]) -> User:
     return user
 
 
+async def get_current_user_roles(user: User = Depends(get_current_user)) -> set[str]:
+    """Get the roles for the current user.
+
+    This dependency returns only the roles - the library doesn't need
+    the full user object for authorization checks.
+    """
+    return user.roles
+
+
 # =============================================================================
 # Context Check
 # =============================================================================
-class ReportOwnerContext(ContextualAuthz[User]):
-    """Check if user owns the report or is allowed to access it."""
+class ReportOwnerContext(ContextualAuthz):
+    """Check if user owns the report or is allowed to access it.
+
+    Context classes are responsible for their own authentication.
+    They use FastAPI's Depends() to get the user via your auth dependency.
+    """
 
     def __init__(
         self,
         report_id: int,
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],
     ):
         self.user = user
         self.report_id = report_id
@@ -109,9 +123,8 @@ app = FastAPI(
 
 RBACAuthz(
     app,
-    get_roles=lambda user: user.roles,
     permissions=PERMISSIONS,
-    user_dependency=get_current_user,
+    roles_dependency=get_current_user_roles,
     ui_path="/_rbac",
 )
 
@@ -147,7 +160,7 @@ async def update_report(report_id: int, title: str):
 
 
 @router.post("", permissions={"report:create"}, contexts=[])
-async def create_report(title: str, user: Annotated[User, Depends(RBACUser)]):
+async def create_report(title: str, user: Annotated[User, Depends(get_current_user)]):
     """Create a new report. Requires report:create permission (no context check)."""
     new_id = max(REPORTS.keys()) + 1
     REPORTS[new_id] = {"title": title, "owner_id": user.user_id}

{fastapi_rbac_authz-0.2.0 → fastapi_rbac_authz-0.4.0}/fastapi_rbac/__init__.py

@@ -4,13 +4,8 @@ __version__ = "0.1.0"
 
 from fastapi_rbac.context import ContextualAuthz
 from fastapi_rbac.core import RBACAuthz
-from fastapi_rbac.dependencies import (
-    RBACUser,
-    create_auth_dependency,
-    create_authz_dependency,
-    evaluate_permissions,
-)
-from fastapi_rbac.exceptions import Forbidden
+from fastapi_rbac.dependencies import create_authz_dependency
+from fastapi_rbac.errors import Forbidden
 from fastapi_rbac.permissions import (
     Contextual,
     Global,
@@ -22,14 +17,11 @@ from fastapi_rbac.router import RBACRouter
 __all__ = [
     "RBACAuthz",
     "RBACRouter",
-    "RBACUser",
     "ContextualAuthz",
     "Global",
     "Contextual",
     "PermissionGrant",
     "PermissionScope",
     "Forbidden",
-    "create_auth_dependency",
     "create_authz_dependency",
-    "evaluate_permissions",
 ]

fastapi_rbac_authz-0.4.0/fastapi_rbac/context.py

@@ -0,0 +1,34 @@
+from abc import ABC, abstractmethod
+
+
+class ContextualAuthz(ABC):
+    """Base class for contextual authorization checks.
+
+    Subclasses can use FastAPI dependencies in the __init__ method.
+
+    Example:
+
+    >>> class MyContext(ContextualAuthz):
+    >>>     def __init__(
+    >>>         self,
+    >>>         user: Annotated[User, Depends(get_current_user)],  # your auth dep
+    >>>         request: Request,  # fastapi dep
+    >>>         db: AsyncSession = Depends(get_db),  # your database dep
+    >>>     ):
+    >>>         self.user = user
+    >>>         self.request = request
+    >>>         self.db = db
+    >>>
+    >>>     async def has_permissions(self) -> bool:
+    >>>         # Check access using self.user, self.request, self.db
+    >>>         return True
+    """
+
+    @abstractmethod
+    async def has_permissions(self) -> bool:
+        """Check if the user has permission in this context.
+
+        Returns:
+            True if access should be granted, False otherwise.
+        """
+        raise NotImplementedError()

fastapi_rbac_authz-0.4.0/fastapi_rbac/core.py

@@ -0,0 +1,85 @@
+from collections.abc import Awaitable, Callable
+from typing import Any
+
+from fastapi import APIRouter, FastAPI
+
+from fastapi_rbac.dependencies import _rbac_roles_dependency_placeholder
+from fastapi_rbac.permissions import PermissionGrant
+from fastapi_rbac.router import RBACRouter
+from fastapi_rbac.ui.routes import create_ui_router
+
+
+class RBACAuthz:
+    """Main RBAC authorization configuration.
+
+    Attaches to a FastAPI application and provides authorization
+    configuration for RBACRouter endpoints.
+
+    Args:
+        app: The FastAPI application instance.
+        permissions: Mapping of role names to sets of permission grants.
+        roles_dependency: FastAPI dependency that returns the user's roles as set[str].
+            This dependency is injected into all RBAC-protected endpoints via
+            FastAPI's dependency_overrides mechanism, and will be evaluated before RBAC checks
+        ui_path: Optional path to mount the authorization UI (e.g., "/_rbac").
+    """
+
+    def __init__(
+        self,
+        app: FastAPI,
+        permissions: dict[str, set[PermissionGrant]],
+        roles_dependency: Callable[..., set[str]] | Callable[..., Awaitable[set[str]]],
+        ui_path: str | None = None,
+    ) -> None:
+        self.app = app
+        self.permissions = permissions
+        self.roles_dependency = roles_dependency
+        self.ui_path = ui_path
+
+        # Instance attributes for state management
+        self.routers: list[tuple[str, RBACRouter]] = []
+        self._include_router_wrapped: bool = False
+
+        # Attach to app state for access from routers
+        app.state.rbac = self
+
+        # Override the placeholder dependency with user's roles dependency
+        # This allows the roles dependency to be injected into all
+        # RBAC-protected endpoints with proper FastAPI dependency resolution
+        app.dependency_overrides[_rbac_roles_dependency_placeholder] = roles_dependency
+        self._wrap_app_include_router()
+
+        if ui_path:
+            self._mount_ui()
+
+    def _wrap_app_include_router(self) -> None:
+        """Wrap the app's include_router method to track RBACRouters."""
+        if self._include_router_wrapped:
+            return
+
+        original_include_router = self.app.include_router
+        self.app.include_router = self._create_wrapped_include_router(original_include_router)  # type: ignore[method-assign]
+        self._include_router_wrapped = True
+
+    def _create_wrapped_include_router(self, original_include_router: Callable[..., None]) -> Callable[..., None]:
+        """Create a wrapped include_router that tracks RBACRouters."""
+
+        def wrapped_include_router(
+            router: APIRouter,
+            *,
+            prefix: str = "",
+            **kwargs: Any,
+        ) -> None:
+            if isinstance(router, RBACRouter):
+                self.routers.append((prefix, router))
+            return original_include_router(router, prefix=prefix, **kwargs)
+
+        return wrapped_include_router
+
+    def _mount_ui(self) -> None:
+        """Mount the authorization visualization UI."""
+        if not self.ui_path:
+            return
+
+        ui_router = create_ui_router(self.ui_path)
+        self.app.include_router(ui_router, prefix=self.ui_path)

fastapi_rbac_authz-0.4.0/fastapi_rbac/dependencies.py

@@ -0,0 +1,128 @@
+import inspect
+from collections.abc import Callable, Coroutine
+from typing import Annotated, Any
+
+from fastapi import Depends, Request
+
+from fastapi_rbac.context import ContextualAuthz
+from fastapi_rbac.errors import Forbidden
+from fastapi_rbac.permissions import (
+    has_global_permission,
+    has_permission,
+    resolve_grants,
+)
+
+# Type alias for context classes
+ContextClass = type[ContextualAuthz]
+
+
+async def _rbac_roles_dependency_placeholder(request: Request) -> set[str]:  # noqa: ARG001
+    """Placeholder dependency for user roles.
+
+    This placeholder is replaced at runtime via FastAPI's dependency_overrides
+    mechanism when RBACAuthz is initialized. The roles_dependency provided to
+    RBACAuthz will be used instead of this placeholder.
+    """
+    raise RuntimeError("RBACAuthz not configured with roles_dependency")
+
+
+def create_authz_dependency(
+    required_permissions: set[str],
+    context_classes: list[ContextClass],
+) -> Callable[..., Coroutine[Any, Any, None]]:
+    """Create an authorization dependency that uses FastAPI's full DI for contexts.
+
+    This function creates a FastAPI dependency that:
+    1. Resolves a list of user roles via the injected roles_dependency
+    2. Gets RBAC config from app.state.rbac
+    3. Uses FastAPI's Depends(context_class) to instantiate each context
+       - Context classes can use ANY FastAPI dependency patterns in __init__:
+         - user: AuthUser (resolved via Depends)
+         - request: Request (built-in)
+         - org_id: str (from path parameter)
+         - body: SomeModel (from request body)
+         - db: Db (via Depends)
+    4. Calls has_permissions() on each resolved context
+
+    The roles_dependency is injected via FastAPI's dependency_overrides mechanism.
+    When RBACAuthz is initialized with a roles_dependency, it overrides the
+    _rbac_roles_dependency_placeholder with the provided dependency.
+
+    Args:
+        required_permissions: Set of permission strings required for access.
+        context_classes: List of ContextualAuthz subclasses to check.
+
+    Returns:
+        An async dependency function for use with FastAPI's Depends().
+    """
+    # Build context parameters - each context class becomes a Depends(context_class)
+    # FastAPI will resolve all __init__ parameters automatically
+    if not required_permissions and not context_classes:
+        raise RuntimeError("Endpoint must be protected with either permissions or contexts")
+
+    context_params: list[inspect.Parameter] = []
+    for i, ctx_class in enumerate(context_classes):
+        param = inspect.Parameter(
+            f"_fastapi_rbac_authz_ctx_{i}_",
+            inspect.Parameter.KEYWORD_ONLY,
+            default=None,
+            annotation=Annotated[ctx_class, Depends(ctx_class)],
+        )
+        context_params.append(param)
+
+    async def authz_dependency(
+        request: Request,
+        _rbac_roles_: Annotated[set[str], Depends(_rbac_roles_dependency_placeholder)],
+        **kwargs: Any,
+    ) -> None:
+        """Authorization dependency that checks permissions and contexts."""
+        rbac = getattr(request.app.state, "rbac", None)
+        if rbac is None:
+            raise RuntimeError("RBACAuthz not configured. Make sure to create an RBACAuthz instance with your app.")
+
+        roles = _rbac_roles_
+        if not roles:
+            raise Forbidden("User has no roles")
+
+        grants = resolve_grants(roles, rbac.permissions)
+
+        if not grants:
+            raise Forbidden()
+
+        need_contextual_check = not required_permissions
+
+        for required in required_permissions:
+            if has_global_permission(grants, required):
+                # Global permission - no need for contextual check for this permission
+                continue
+
+            need_contextual_check = True
+            if not has_permission(grants, required):
+                raise Forbidden()
+
+        # Run contextual checks if needed
+        # Context instances are already resolved by FastAPI via Depends(context_class)
+        if need_contextual_check:
+            for i in range(len(context_classes)):
+                context = kwargs.get(f"_fastapi_rbac_authz_ctx_{i}_")
+                if context is not None and not await context.has_permissions():
+                    raise Forbidden()
+
+    # Build the final signature with context params
+    base_params = [
+        inspect.Parameter(
+            "request",
+            inspect.Parameter.POSITIONAL_OR_KEYWORD,
+            annotation=Request,
+        ),
+        inspect.Parameter(
+            "_rbac_roles_",
+            inspect.Parameter.KEYWORD_ONLY,
+            default=None,
+            annotation=Annotated[set[str], Depends(_rbac_roles_dependency_placeholder)],
+        ),
+    ]
+
+    new_sig = inspect.Signature(parameters=base_params + context_params)
+    authz_dependency.__signature__ = new_sig  # type: ignore[attr-defined]
+    return authz_dependency

fastapi_rbac_authz-0.2.0/fastapi_rbac/exceptions.py → fastapi_rbac_authz-0.4.0/fastapi_rbac/errors.py

@@ -1,8 +1,7 @@
 from fastapi import HTTPException
+from starlette.status import HTTP_403_FORBIDDEN
 
 
 class Forbidden(HTTPException):
-    """403 Forbidden - user lacks required permissions."""
-
     def __init__(self, detail: str = "Forbidden") -> None:
-        super().__init__(status_code=403, detail=detail)
+        super().__init__(status_code=HTTP_403_FORBIDDEN, detail=detail)