fastapi-rtk 1.0.8__py3-none-any.whl → 1.0.9__py3-none-any.whl

fastapi_rtk/__init__.py

@@ -156,7 +156,6 @@ __all__ = [
     "docs",
     # .dependencies
     "set_global_user",
-    "permissions",
     "current_permissions",
     "has_access_dependency",
     # .exceptions

fastapi_rtk/_version.py

@@ -1 +1 @@
-__version__ = "1.0.8"
+__version__ = "1.0.9"

fastapi_rtk/auth/auth.py

@@ -142,15 +142,6 @@ class Authenticator(BaseAuthenticator):
         except HTTPException as e:
             if not default_to_none:
                 raise e
-
-        # Retrieve list of apis, that user has access to
-        if user:
-            user.permissions = []
-            for role in user.roles:
-                for permission_api in role.permissions:
-                    user.permissions.append(permission_api.api.name)
-            user.permissions = list(set(user.permissions))
-
         return user, token
 
 

fastapi_rtk/bases/file_manager.py

@@ -35,6 +35,18 @@ class AbstractFileManager(abc.ABC):
         namegen: typing.Callable[[str], str] | None = None,
         permission: int | None = None,
     ):
+        """
+        Initializes the AbstractFileManager.
+
+        Args:
+            base_path (str | None, optional): Base path for file storage. Defaults to None.
+            allowed_extensions (list[str] | None, optional): Allowed file extensions. Defaults to None.
+            namegen (typing.Callable[[str], str] | None, optional): Callable for generating file names. Defaults to None.
+            permission (int | None, optional): File permission settings. Defaults to None.
+
+        Raises:
+            ValueError: If `base_path` is not set.
+        """
         if base_path is not None:
             self.base_path = base_path
         if allowed_extensions is not None:

fastapi_rtk/dependencies.py

@@ -1,14 +1,16 @@
 import fastapi
+import sqlalchemy
 from fastapi import Depends, HTTPException
 
 from .api.base_api import BaseApi
-from .const import PERMISSION_PREFIX, ErrorCode
+from .const import PERMISSION_PREFIX, ErrorCode, logger
+from .db import db
 from .globals import g
-from .security.sqla.models import PermissionApi, User
+from .security.sqla.models import Api, Permission, PermissionApi, Role, User
+from .utils import smart_run
 
 __all__ = [
     "set_global_user",
-    "permissions",
     "current_permissions",
     "has_access_dependency",
 ]
@@ -62,82 +64,65 @@ def check_g_user():
     return check_g_user_dependency
 
 
-def permissions(as_object=False):
+def current_permissions(api: BaseApi):
     """
-    A dependency for FastAPI that will return all permissions of the current user.
+    A dependency for FastAPI that will return all permissions of the current user for the specified API.
 
-    This will implicitly call the `current_user` dependency from `fastapi_users`. Therefore, it can return `403 Forbidden` if the user is not authenticated.
+    Because it will implicitly check whether the user is authenticated, it can return `401 Unauthorized` or `403 Forbidden`.
 
     Args:
-        as_object (bool): Whether to return the `PermissionApi` objects or return the api names (E.g "AuthApi" or "AuthApi|UserApi").
+        api (BaseApi): The API to be checked.
 
     Usage:
     ```python
     async def get_info(
             *,
-            permissions: List[str] = Depends(permissions()),
+            permissions: List[str] = Depends(current_permissions(self)),
             session: AsyncSession | Session = Depends(get_async_session),
         ):
     ...more code
     ```
     """
 
-    async def permissions_depedency():
-        if not g.user:
-            raise HTTPException(
-                fastapi.status.HTTP_401_UNAUTHORIZED,
-                ErrorCode.GET_USER_MISSING_TOKEN_OR_INACTIVE_USER,
-            )
-
-        if not g.user.roles:
-            raise HTTPException(
-                fastapi.status.HTTP_403_FORBIDDEN, ErrorCode.GET_USER_NO_ROLES
-            )
+    async def current_permissions_depedency(_=Depends(_ensure_roles)):
+        sm = g.current_app.security
+        api_name = api.__class__.__name__
+        permissions = set[str]()
+        db_role_ids = list[int]()
 
-        permissions = []
+        # Retrieve permissions from built-in roles
         for role in g.user.roles:
-            for permission_api in role.permissions:
-                if as_object:
-                    permissions.append(permission_api)
-                else:
-                    permissions.append(permission_api.api.name)
-        permissions = list(set(permissions))
-
-        return permissions
-
-    return permissions_depedency
-
+            if role.name not in sm.builtin_roles:
+                db_role_ids.append(role.id)
+                continue
 
-def current_permissions(api: BaseApi):
-    """
-    A dependency for FastAPI that will return all permissions of the current user for the specified API.
-
-    Because it will implicitly call the `permissions` dependency, it can return `403 Forbidden` if the user is not authenticated.
+            api_permission_tuples = sm.get_api_permission_tuples_from_builtin_roles(
+                role.name
+            )
+            for multi_apis_str, multi_perms_str in api_permission_tuples:
+                api_names = multi_apis_str.split("|")
+                perm_names = multi_perms_str.split("|")
+                if api_name in api_names:
+                    permissions.update(perm_names)
+
+        if db_role_ids:
+            query = (
+                sqlalchemy.select(Permission)
+                .join(PermissionApi)
+                .join(PermissionApi.roles)
+                .join(Api)
+                .where(Api.name == api_name, Role.id.in_(db_role_ids))
+            )
+            if api.base_permissions:
+                query = query.where(Permission.name.in_(api.base_permissions))
 
-    Args:
-        api (BaseApi): The API to be checked.
+            permissions_in_db = await smart_run(db.current_session.scalars, query)
+            permissions.update(perm.name for perm in permissions_in_db.all())
 
-    Usage:
-    ```python
-    async def get_info(
-            *,
-            permissions: List[str] = Depends(current_permissions(self)),
-            session: AsyncSession | Session = Depends(get_async_session),
-        ):
-    ...more code
-    ```
-    """
-
-    async def current_permissions_depedency(
-        permissions_apis: list[PermissionApi] = Depends(permissions(as_object=True)),
-    ):
-        permissions = []
-        for permission_api in permissions_apis:
-            if api.__class__.__name__ in permission_api.api.name.split("|"):
-                permissions = permissions + permission_api.permission.name.split("|")
         if api.base_permissions:
-            permissions = [x for x in permissions if x in api.base_permissions]
-        return list(set(permissions))
+            permissions = permissions.intersection(set(api.base_permissions))
+
+        return list(permissions)
 
     return current_permissions_depedency
 
@@ -149,7 +134,7 @@ def has_access_dependency(
     """
     A dependency for FastAPI to check whether current user has access to the specified API and permission.
 
-    Because it will implicitly call the `current_permissions` dependency, it can return `403 Forbidden` if the user is not authenticated.
+    Because it will implicitly check whether the user is authenticated, it can return `401 Unauthorized` or `403 Forbidden`.
 
     Usage:
     ```python
@@ -165,15 +150,55 @@ def has_access_dependency(
         api (BaseApi): The API to be checked.
         permission (str): The permission to check.
     """
+    permission = f"{PERMISSION_PREFIX}{permission}"
 
-    async def check_permission(
-        permissions: list[str] = Depends(current_permissions(api)),
-    ):
-        if f"{PERMISSION_PREFIX}{permission}" not in permissions:
+    async def check_permission():
+        _ensure_roles(ErrorCode.PERMISSION_DENIED)
+
+        # First, check built-in roles (avoiding unnecessary DB queries)
+        # This also covers the case for API and permission name with pipes
+        sm = g.current_app.security
+        if any(
+            sm.has_access_in_builtin_roles(
+                role.name, api.__class__.__name__, permission
+            )
+            for role in g.user.roles
+        ):
+            logger.debug(
+                f"User {g.user} has access to {api.__class__.__name__} with permission {permission} via built-in roles."
+            )
+            return
+
+        db_role_ids = [
+            role.id for role in g.user.roles if role.name not in sm.builtin_roles
+        ]
+        if not db_role_ids:
             raise HTTPException(
                 fastapi.status.HTTP_403_FORBIDDEN, ErrorCode.PERMISSION_DENIED
             )
-        return
+
+        api_name = api.__class__.__name__
+        exist_query = (
+            sqlalchemy.select(Permission)
+            .join(PermissionApi)
+            .join(PermissionApi.roles)
+            .join(Api)
+            .where(
+                Api.name == api_name,
+                Permission.name == permission,
+                Role.id.in_(db_role_ids),
+            )
+            .exists()
+        )
+        result: bool = await smart_run(
+            db.current_session.scalar, sqlalchemy.select(exist_query)
+        )
+        if result:
+            return
+
+        raise HTTPException(
+            fastapi.status.HTTP_403_FORBIDDEN, ErrorCode.PERMISSION_DENIED
+        )
 
     return check_permission
 
@@ -208,3 +233,24 @@ async def set_global_request(request: fastapi.Request):
     ...more code
     """
     g.request = request
+
+
+def _ensure_roles(err_forbidden_message=ErrorCode.GET_USER_NO_ROLES):
+    """
+    A dependency for FastAPI that will ensure the current user has roles assigned.
+
+    Args:
+        err_forbidden_message (str): The error message to be used when raising `403 Forbidden`. Defaults to `ErrorCode.GET_USER_NO_ROLES`.
+
+    Raises:
+        HTTPException: Raised when the user is not authenticated.
+        HTTPException: Raised when the user has no roles assigned.
+    """
+    if not g.user:
+        raise HTTPException(
+            fastapi.status.HTTP_401_UNAUTHORIZED,
+            ErrorCode.GET_USER_MISSING_TOKEN_OR_INACTIVE_USER,
+        )
+
+    if not g.user.roles:
+        raise HTTPException(fastapi.status.HTTP_403_FORBIDDEN, err_forbidden_message)

fastapi_rtk/fastapi_react_toolkit.py

@@ -16,13 +16,11 @@ from fastapi.templating import Jinja2Templates
 from fastapi_babel import BabelMiddleware
 from jinja2 import Environment, TemplateNotFound, select_autoescape
 from prometheus_fastapi_instrumentator import Instrumentator
-from sqlalchemy import and_, select
-from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy.orm import Session
 from starlette.routing import _DefaultLifespan
 
 from .api.model_rest_api import ModelRestApi
 from .auth import Auth
+from .backends.sqla.session import SQLASession
 from .cli.commands.db import upgrade
 from .cli.commands.translate import init_babel_cli
 from .const import (
@@ -418,175 +416,121 @@ class FastAPIReactToolkit:
 
         async with db.session() as session:
             logger.info("INITIALIZING DATABASE")
-            await self._insert_permissions(session)
-            await self._insert_apis(session)
-            await self._insert_roles(session)
-            await self._associate_permission_with_api(session)
-            await self._associate_permission_api_with_role(session)
+            permissions = await self._insert_permissions(session)
+            apis = await self._insert_apis(session)
+            roles = await self._insert_roles(session)
+            assert permissions is not None, "Permissions should not be None"
+            assert apis is not None, "APIs should not be None"
+            permission_apis = await self._associate_permission_with_api(
+                session, permissions, apis
+            )
+            assert roles is not None, "Roles should not be None"
+            assert permission_apis is not None, "PermissionApis should not be None"
+            await self._associate_role_with_permission_api(
+                session, roles, permission_apis
+            )
             if self.cleanup:
                 await self.security.cleanup()
             logger.info("DATABASE INITIALIZED")
 
-    async def _insert_permissions(self, session: AsyncSession | Session):
-        new_permissions = self.total_permissions()
-        stmt = select(Permission).where(Permission.name.in_(new_permissions))
-        result = await safe_call(session.scalars(stmt))
-        existing_permissions = [permission.name for permission in result.all()]
-        if len(new_permissions) == len(existing_permissions):
-            return
-
-        permission_objs = [
-            Permission(name=permission)
-            for permission in new_permissions
-            if permission not in existing_permissions
+    async def _insert_permissions(self, session: SQLASession):
+        permissions = self.total_permissions() + [
+            x[1] for x in self.security.get_api_permission_tuples_from_builtin_roles()
         ]
-        for permission in permission_objs:
-            logger.info(f"ADDING PERMISSION {permission}")
-            session.add(permission)
-        await safe_call(session.commit())
-
-    async def _insert_apis(self, session: AsyncSession | Session):
-        new_apis = [api.__class__.__name__ for api in self.apis]
-        stmt = select(Api).where(Api.name.in_(new_apis))
-        result = await safe_call(session.scalars(stmt))
-        existing_apis = [api.name for api in result.all()]
-        if len(new_apis) == len(existing_apis):
-            return
-
-        api_objs = [Api(name=api) for api in new_apis if api not in existing_apis]
-        for api in api_objs:
-            logger.info(f"ADDING API {api}")
-            session.add(api)
-        await safe_call(session.commit())
-
-    async def _insert_roles(self, session: AsyncSession | Session):
-        new_roles = [x for x in [g.admin_role, g.public_role] if x is not None]
-        stmt = select(Role).where(Role.name.in_(new_roles))
-        result = await safe_call(session.scalars(stmt))
-        existing_roles = [role.name for role in result.all()]
-        if len(new_roles) == len(existing_roles):
-            return
+        permissions = list(dict.fromkeys(permissions))
+        return await self.security.create_permissions(permissions, session=session)
 
-        role_objs = [
-            Role(name=role) for role in new_roles if role not in existing_roles
+    async def _insert_apis(self, session: SQLASession):
+        apis = [api.__class__.__name__ for api in self.apis] + [
+            x[0] for x in self.security.get_api_permission_tuples_from_builtin_roles()
         ]
-        for role in role_objs:
-            logger.info(f"ADDING ROLE {role}")
-            session.add(role)
-        await safe_call(session.commit())
+        apis = list(dict.fromkeys(apis))
+        return await self.security.create_apis(apis, session=session)
+
+    async def _insert_roles(self, session: SQLASession):
+        roles = self.security.get_roles_from_builtin_roles()
+        if g.admin_role and g.admin_role not in roles:
+            roles.append(g.admin_role)
+        if g.public_role and g.public_role not in roles:
+            roles.append(g.public_role)
+        return await self.security.create_roles(roles, session=session)
+
+    async def _associate_permission_with_api(
+        self,
+        session: SQLASession,
+        permissions: list[Permission],
+        apis: list[Api],
+    ):
+        permission_map = {permission.name: permission for permission in permissions}
+        api_map = {api.name: api for api in apis}
+        permission_api_tuples = list[tuple[Permission, Api]]()
+        added_permission_api = set[tuple[str, str]]()
 
-    async def _associate_permission_with_api(self, session: AsyncSession | Session):
         for api in self.apis:
-            new_permissions = getattr(api, "permissions", [])
-            if not new_permissions:
+            api_permissions = api.permissions
+            if not api_permissions:
                 continue
 
-            # Get the api object
-            api_stmt = select(Api).where(Api.name == api.__class__.__name__)
-            api_obj = await safe_call(session.scalar(api_stmt))
-
-            if not api_obj:
-                raise ValueError(f"API {api.__class__.__name__} not found")
-
-            permission_stmt = select(Permission).where(
-                and_(
-                    Permission.name.in_(new_permissions),
-                    ~Permission.id.in_([p.permission_id for p in api_obj.permissions]),
-                )
-            )
-            permission_result = await safe_call(session.scalars(permission_stmt))
-            new_permissions = permission_result.all()
-
-            if not new_permissions:
+            for permission_name in api_permissions:
+                if (permission_name, api.__class__.__name__) in added_permission_api:
+                    continue
+                permission = permission_map[permission_name]
+                api_obj = api_map[api.__class__.__name__]
+                permission_api_tuples.append((permission, api_obj))
+                added_permission_api.add((permission.name, api_obj.name))
+
+        for (
+            api_name,
+            perm_name,
+        ) in self.security.get_api_permission_tuples_from_builtin_roles():
+            if (perm_name, api_name) in added_permission_api:
                 continue
+            permission = permission_map[perm_name]
+            api_obj = api_map[api_name]
+            permission_api_tuples.append((permission, api_obj))
+            added_permission_api.add((permission.name, api_obj.name))
 
-            for permission in new_permissions:
-                session.add(
-                    PermissionApi(permission_id=permission.id, api_id=api_obj.id)
-                )
-                logger.info(f"ASSOCIATING PERMISSION {permission} WITH API {api_obj}")
-            await safe_call(session.commit())
+        return await self.security.associate_list_of_permission_with_api(
+            permission_api_tuples, session=session
+        )
 
-    async def _associate_permission_api_with_role(
-        self, session: AsyncSession | Session
+    async def _associate_role_with_permission_api(
+        self,
+        session: SQLASession,
+        roles: list[Role],
+        permission_apis: list[PermissionApi],
     ):
-        # Read config based roles
-        roles_dict = Setting.ROLES
-
-        for role_name, role_permissions in roles_dict.items():
-            role_stmt = select(Role).where(Role.name == role_name)
-            role_result = await safe_call(session.scalars(role_stmt))
-            role = role_result.first()
-            if not role:
-                role = Role(name=role_name)
-                logger.info(f"ADDING ROLE {role}")
-                session.add(role)
-
-            for api_name, permission_name in role_permissions:
-                permission_api_stmt = (
-                    select(PermissionApi)
-                    .where(
-                        and_(Api.name == api_name, Permission.name == permission_name)
-                    )
-                    .join(Permission)
-                    .join(Api)
-                )
-                permission_api = await safe_call(session.scalar(permission_api_stmt))
-                if not permission_api:
-                    permission_stmt = select(Permission).where(
-                        Permission.name == permission_name
-                    )
-                    permission = await safe_call(session.scalar(permission_stmt))
-                    if not permission:
-                        permission = Permission(name=permission_name)
-                        logger.info(f"ADDING PERMISSION {permission}")
-                        session.add(permission)
-
-                    stmt = select(Api).where(Api.name == api_name)
-                    api = await safe_call(session.scalar(stmt))
-                    if not api:
-                        api = Api(name=api_name)
-                        logger.info(f"ADDING API {api}")
-                        session.add(api)
-
-                    permission_api = PermissionApi(permission=permission, api=api)
-                    logger.info(f"ADDING PERMISSION-API {permission_api}")
-                    session.add(permission_api)
-
-                # Associate role with permission-api
-                if role not in permission_api.roles:
-                    permission_api.roles.append(role)
-                    logger.info(
-                        f"ASSOCIATING {role} WITH PERMISSION-API {permission_api}"
-                    )
-
-                await safe_call(session.commit())
-
-        # Get admin role
-        if g.admin_role is None:
-            logger.warning("Admin role is not set, skipping admin role association")
-            return
-
-        admin_role_stmt = select(Role).where(Role.name == g.admin_role)
-        admin_role = await safe_call(session.scalar(admin_role_stmt))
-
-        if admin_role:
-            # Get list of permission-api.assoc_permission_api_id of the admin role
-            stmt = (
-                select(PermissionApi)
-                .where(~PermissionApi.roles.contains(admin_role))
-                .join(Api)
-            )
-            result = await safe_call(session.scalars(stmt))
-            existing_assoc_permission_api_roles = result.all()
-
-            # Add admin role to all permission-api objects
-            for permission_api in existing_assoc_permission_api_roles:
-                permission_api.roles.append(admin_role)
-                logger.info(
-                    f"ASSOCIATING {admin_role} WITH PERMISSION-API {permission_api}"
-                )
-            await safe_call(session.commit())
+        role_map = {role.name: role for role in roles}
+        permission_api_map = {
+            (pa.permission.name, pa.api.name): pa for pa in permission_apis
+        }
+        permission_apis_to_exclude_from_admin = list[PermissionApi]()
+        role_permission_api_tuples = list[tuple[Role, PermissionApi]]()
+
+        for (
+            role_name,
+            role_api_permissions,
+        ) in self.security.get_role_and_api_permission_tuples_from_builtin_roles():
+            for api_name, permission_name in role_api_permissions:
+                role = role_map[role_name]
+                permission_api = permission_api_map[(permission_name, api_name)]
+                role_permission_api_tuples.append((role, permission_api))
+                if "|" in permission_name and role_name != g.public_role:
+                    # Exclude multi-tenant permissions from admin role if not explicitly set
+                    permission_apis_to_exclude_from_admin.append(permission_api)
+
+        if g.admin_role:
+            admin_role = role_map[g.admin_role]
+            for permission_api in [
+                pa
+                for pa in permission_apis
+                if pa not in permission_apis_to_exclude_from_admin
+            ]:
+                role_permission_api_tuples.append((admin_role, permission_api))
+
+        await self.security.associate_list_of_role_with_permission_api(
+            role_permission_api_tuples, session=session
+        )
 
     def _mount_static_folder(self):
         """