PyPI - fastapi-rtk - Versions diffs - 1.0.8__tar.gz → 1.0.9__tar.gz - Mend

fastapi-rtk 1.0.8tar.gz → 1.0.9tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

{fastapi_rtk-1.0.8 → fastapi_rtk-1.0.9}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fastapi-rtk
-Version: 1.0.8
+Version: 1.0.9
 Summary: A package that provides a set of tools to build a FastAPI application with a Class-Based CRUD API.
 Project-URL: Homepage, https://codeberg.org/datatactics/fastapi-rtk
 Project-URL: Issues, https://codeberg.org/datatactics/fastapi-rtk/issues

{fastapi_rtk-1.0.8 → fastapi_rtk-1.0.9}/fastapi_rtk/__init__.py RENAMED Viewed

@@ -156,7 +156,6 @@ __all__ = [
     "docs",
     # .dependencies
     "set_global_user",
-    "permissions",
     "current_permissions",
     "has_access_dependency",
     # .exceptions

fastapi_rtk-1.0.9/fastapi_rtk/_version.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ __version__ = "1.0.9"

{fastapi_rtk-1.0.8 → fastapi_rtk-1.0.9}/fastapi_rtk/auth/auth.py RENAMED Viewed

@@ -142,15 +142,6 @@ class Authenticator(BaseAuthenticator):
         except HTTPException as e:
             if not default_to_none:
                 raise e
-        # Retrieve list of apis, that user has access to
-        if user:
-            user.permissions = []
-            for role in user.roles:
-                for permission_api in role.permissions:
-                    user.permissions.append(permission_api.api.name)
-            user.permissions = list(set(user.permissions))
         return user, token

{fastapi_rtk-1.0.8 → fastapi_rtk-1.0.9}/fastapi_rtk/bases/file_manager.py RENAMED Viewed

@@ -35,6 +35,18 @@ class AbstractFileManager(abc.ABC):
         namegen: typing.Callable[[str], str] | None = None,
         permission: int | None = None,
     ):
+        """
+        Initializes the AbstractFileManager.
+        Args:
+            base_path (str | None, optional): Base path for file storage. Defaults to None.
+            allowed_extensions (list[str] | None, optional): Allowed file extensions. Defaults to None.
+            namegen (typing.Callable[[str], str] | None, optional): Callable for generating file names. Defaults to None.
+            permission (int | None, optional): File permission settings. Defaults to None.
+        Raises:
+            ValueError: If `base_path` is not set.
+        """
         if base_path is not None:
             self.base_path = base_path
         if allowed_extensions is not None:

fastapi_rtk-1.0.9/fastapi_rtk/dependencies.py ADDED Viewed

@@ -0,0 +1,256 @@
+import fastapi
+import sqlalchemy
+from fastapi import Depends, HTTPException
+from .api.base_api import BaseApi
+from .const import PERMISSION_PREFIX, ErrorCode, logger
+from .db import db
+from .globals import g
+from .security.sqla.models import Api, Permission, PermissionApi, Role, User
+from .utils import smart_run
+__all__ = [
+    "set_global_user",
+    "current_permissions",
+    "has_access_dependency",
+]
+def set_global_user():
+    """
+    A dependency for FastAPI that will set the current user to the global variable `g.user`.
+    Usage:
+    ```python
+    async def get_info(
+            *,
+            session: AsyncSession | Session = Depends(get_async_session),
+            none: None = Depends(set_global_user()),
+        ):
+    ...more code
+    """
+    async def set_global_user_dependency(
+        user: User | None = Depends(
+            g.auth.fastapi_users.current_user(active=True, default_to_none=True)
+        ),
+    ):
+        g.user = user
+    return set_global_user_dependency
+def check_g_user():
+    """
+    A dependency for FastAPI that will check if the current user is set to the global variable `g.user`.
+    Usage:
+    ```python
+    async def get_info(
+            *,
+            session: AsyncSession | Session = Depends(get_async_session),
+            none: None = Depends(check_g_user()),
+        ):
+    ...more code
+    """
+    async def check_g_user_dependency():
+        if not g.user:
+            raise HTTPException(
+                fastapi.status.HTTP_401_UNAUTHORIZED,
+                ErrorCode.GET_USER_MISSING_TOKEN_OR_INACTIVE_USER,
+            )
+    return check_g_user_dependency
+def current_permissions(api: BaseApi):
+    """
+    A dependency for FastAPI that will return all permissions of the current user for the specified API.
+    Because it will implicitly check whether the user is authenticated, it can return `401 Unauthorized` or `403 Forbidden`.
+    Args:
+        api (BaseApi): The API to be checked.
+    Usage:
+    ```python
+    async def get_info(
+            *,
+            permissions: List[str] = Depends(current_permissions(self)),
+            session: AsyncSession | Session = Depends(get_async_session),
+        ):
+    ...more code
+    ```
+    """
+    async def current_permissions_depedency(_=Depends(_ensure_roles)):
+        sm = g.current_app.security
+        api_name = api.__class__.__name__
+        permissions = set[str]()
+        db_role_ids = list[int]()
+        # Retrieve permissions from built-in roles
+        for role in g.user.roles:
+            if role.name not in sm.builtin_roles:
+                db_role_ids.append(role.id)
+                continue
+            api_permission_tuples = sm.get_api_permission_tuples_from_builtin_roles(
+                role.name
+            )
+            for multi_apis_str, multi_perms_str in api_permission_tuples:
+                api_names = multi_apis_str.split("|")
+                perm_names = multi_perms_str.split("|")
+                if api_name in api_names:
+                    permissions.update(perm_names)
+        if db_role_ids:
+            query = (
+                sqlalchemy.select(Permission)
+                .join(PermissionApi)
+                .join(PermissionApi.roles)
+                .join(Api)
+                .where(Api.name == api_name, Role.id.in_(db_role_ids))
+            )
+            if api.base_permissions:
+                query = query.where(Permission.name.in_(api.base_permissions))
+            permissions_in_db = await smart_run(db.current_session.scalars, query)
+            permissions.update(perm.name for perm in permissions_in_db.all())
+        if api.base_permissions:
+            permissions = permissions.intersection(set(api.base_permissions))
+        return list(permissions)
+    return current_permissions_depedency
+def has_access_dependency(
+    api: BaseApi,
+    permission: str,
+):
+    """
+    A dependency for FastAPI to check whether current user has access to the specified API and permission.
+    Because it will implicitly check whether the user is authenticated, it can return `401 Unauthorized` or `403 Forbidden`.
+    Usage:
+    ```python
+    @self.router.get(
+            "/_info",
+            response_model=self.info_return_schema,
+            dependencies=[Depends(has_access(self, "info"))],
+        )
+    ...more code
+    ```
+    Args:
+        api (BaseApi): The API to be checked.
+        permission (str): The permission to check.
+    """
+    permission = f"{PERMISSION_PREFIX}{permission}"
+    async def check_permission():
+        _ensure_roles(ErrorCode.PERMISSION_DENIED)
+        # First, check built-in roles (avoiding unnecessary DB queries)
+        # This also covers the case for API and permission name with pipes
+        sm = g.current_app.security
+        if any(
+            sm.has_access_in_builtin_roles(
+                role.name, api.__class__.__name__, permission
+            )
+            for role in g.user.roles
+        ):
+            logger.debug(
+                f"User {g.user} has access to {api.__class__.__name__} with permission {permission} via built-in roles."
+            )
+            return
+        db_role_ids = [
+            role.id for role in g.user.roles if role.name not in sm.builtin_roles
+        ]
+        if not db_role_ids:
+            raise HTTPException(
+                fastapi.status.HTTP_403_FORBIDDEN, ErrorCode.PERMISSION_DENIED
+            )
+        api_name = api.__class__.__name__
+        exist_query = (
+            sqlalchemy.select(Permission)
+            .join(PermissionApi)
+            .join(PermissionApi.roles)
+            .join(Api)
+            .where(
+                Api.name == api_name,
+                Permission.name == permission,
+                Role.id.in_(db_role_ids),
+            )
+            .exists()
+        )
+        result: bool = await smart_run(
+            db.current_session.scalar, sqlalchemy.select(exist_query)
+        )
+        if result:
+            return
+        raise HTTPException(
+            fastapi.status.HTTP_403_FORBIDDEN, ErrorCode.PERMISSION_DENIED
+        )
+    return check_permission
+async def set_global_background_tasks(background_tasks: fastapi.BackgroundTasks):
+    """
+    A dependency for FastAPI that will set the `background_tasks` to the global variable `g.background_tasks`.
+    Usage:
+    ```python
+    async def get_info(
+            *,
+            session: AsyncSession | Session = Depends(get_async_session),
+            none: None = Depends(set_global_background_tasks),
+        ):
+    ...more code
+    """
+    g.background_tasks = background_tasks
+async def set_global_request(request: fastapi.Request):
+    """
+    A dependency for FastAPI that will set the `request` to the global variable `g.request`.
+    Usage:
+    ```python
+    async def get_info(
+            *,
+            session: AsyncSession | Session = Depends(get_async_session),
+            none: None = Depends(set_global_request),
+        ):
+    ...more code
+    """
+    g.request = request
+def _ensure_roles(err_forbidden_message=ErrorCode.GET_USER_NO_ROLES):
+    """
+    A dependency for FastAPI that will ensure the current user has roles assigned.
+    Args:
+        err_forbidden_message (str): The error message to be used when raising `403 Forbidden`. Defaults to `ErrorCode.GET_USER_NO_ROLES`.
+    Raises:
+        HTTPException: Raised when the user is not authenticated.
+        HTTPException: Raised when the user has no roles assigned.
+    """
+    if not g.user:
+        raise HTTPException(
+            fastapi.status.HTTP_401_UNAUTHORIZED,
+            ErrorCode.GET_USER_MISSING_TOKEN_OR_INACTIVE_USER,
+        )
+    if not g.user.roles:
+        raise HTTPException(fastapi.status.HTTP_403_FORBIDDEN, err_forbidden_message)

{fastapi_rtk-1.0.8 → fastapi_rtk-1.0.9}/fastapi_rtk/fastapi_react_toolkit.py RENAMED Viewed

@@ -16,13 +16,11 @@ from fastapi.templating import Jinja2Templates
 from fastapi_babel import BabelMiddleware
 from jinja2 import Environment, TemplateNotFound, select_autoescape
 from prometheus_fastapi_instrumentator import Instrumentator
-from sqlalchemy import and_, select
-from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy.orm import Session
 from starlette.routing import _DefaultLifespan
 from .api.model_rest_api import ModelRestApi
 from .auth import Auth
+from .backends.sqla.session import SQLASession
 from .cli.commands.db import upgrade
 from .cli.commands.translate import init_babel_cli
 from .const import (
@@ -418,175 +416,121 @@ class FastAPIReactToolkit:
         async with db.session() as session:
             logger.info("INITIALIZING DATABASE")
-            await self._insert_permissions(session)
-            await self._insert_apis(session)
-            await self._insert_roles(session)
-            await self._associate_permission_with_api(session)
-            await self._associate_permission_api_with_role(session)
+            permissions = await self._insert_permissions(session)
+            apis = await self._insert_apis(session)
+            roles = await self._insert_roles(session)
+            assert permissions is not None, "Permissions should not be None"
+            assert apis is not None, "APIs should not be None"
+            permission_apis = await self._associate_permission_with_api(
+                session, permissions, apis
+            )
+            assert roles is not None, "Roles should not be None"
+            assert permission_apis is not None, "PermissionApis should not be None"
+            await self._associate_role_with_permission_api(
+                session, roles, permission_apis
+            )
             if self.cleanup:
                 await self.security.cleanup()
             logger.info("DATABASE INITIALIZED")
-    async def _insert_permissions(self, session: AsyncSession | Session):
-        new_permissions = self.total_permissions()
-        stmt = select(Permission).where(Permission.name.in_(new_permissions))
-        result = await safe_call(session.scalars(stmt))
-        existing_permissions = [permission.name for permission in result.all()]
-        if len(new_permissions) == len(existing_permissions):
-            return
-        permission_objs = [
-            Permission(name=permission)
-            for permission in new_permissions
-            if permission not in existing_permissions
+    async def _insert_permissions(self, session: SQLASession):
+        permissions = self.total_permissions() + [
+            x[1] for x in self.security.get_api_permission_tuples_from_builtin_roles()
         ]
-        for permission in permission_objs:
-            logger.info(f"ADDING PERMISSION {permission}")
-            session.add(permission)
-        await safe_call(session.commit())
-    async def _insert_apis(self, session: AsyncSession | Session):
-        new_apis = [api.__class__.__name__ for api in self.apis]
-        stmt = select(Api).where(Api.name.in_(new_apis))
-        result = await safe_call(session.scalars(stmt))
-        existing_apis = [api.name for api in result.all()]
-        if len(new_apis) == len(existing_apis):
-            return
-        api_objs = [Api(name=api) for api in new_apis if api not in existing_apis]
-        for api in api_objs:
-            logger.info(f"ADDING API {api}")
-            session.add(api)
-        await safe_call(session.commit())
-    async def _insert_roles(self, session: AsyncSession | Session):
-        new_roles = [x for x in [g.admin_role, g.public_role] if x is not None]
-        stmt = select(Role).where(Role.name.in_(new_roles))
-        result = await safe_call(session.scalars(stmt))
-        existing_roles = [role.name for role in result.all()]
-        if len(new_roles) == len(existing_roles):
-            return
+        permissions = list(dict.fromkeys(permissions))
+        return await self.security.create_permissions(permissions, session=session)
-        role_objs = [
-            Role(name=role) for role in new_roles if role not in existing_roles
+    async def _insert_apis(self, session: SQLASession):
+        apis = [api.__class__.__name__ for api in self.apis] + [
+            x[0] for x in self.security.get_api_permission_tuples_from_builtin_roles()
         ]
-        for role in role_objs:
-            logger.info(f"ADDING ROLE {role}")
-            session.add(role)
-        await safe_call(session.commit())
+        apis = list(dict.fromkeys(apis))
+        return await self.security.create_apis(apis, session=session)
+    async def _insert_roles(self, session: SQLASession):
+        roles = self.security.get_roles_from_builtin_roles()
+        if g.admin_role and g.admin_role not in roles:
+            roles.append(g.admin_role)
+        if g.public_role and g.public_role not in roles:
+            roles.append(g.public_role)
+        return await self.security.create_roles(roles, session=session)
+    async def _associate_permission_with_api(
+        self,
+        session: SQLASession,
+        permissions: list[Permission],
+        apis: list[Api],
+    ):
+        permission_map = {permission.name: permission for permission in permissions}
+        api_map = {api.name: api for api in apis}
+        permission_api_tuples = list[tuple[Permission, Api]]()
+        added_permission_api = set[tuple[str, str]]()
-    async def _associate_permission_with_api(self, session: AsyncSession | Session):
         for api in self.apis:
-            new_permissions = getattr(api, "permissions", [])
-            if not new_permissions:
+            api_permissions = api.permissions
+            if not api_permissions:
                 continue
-            # Get the api object
-            api_stmt = select(Api).where(Api.name == api.__class__.__name__)
-            api_obj = await safe_call(session.scalar(api_stmt))
-            if not api_obj:
-                raise ValueError(f"API {api.__class__.__name__} not found")
-            permission_stmt = select(Permission).where(
-                and_(
-                    Permission.name.in_(new_permissions),
-                    ~Permission.id.in_([p.permission_id for p in api_obj.permissions]),
-                )
-            )
-            permission_result = await safe_call(session.scalars(permission_stmt))
-            new_permissions = permission_result.all()
-            if not new_permissions:
+            for permission_name in api_permissions:
+                if (permission_name, api.__class__.__name__) in added_permission_api:
+                    continue
+                permission = permission_map[permission_name]
+                api_obj = api_map[api.__class__.__name__]
+                permission_api_tuples.append((permission, api_obj))
+                added_permission_api.add((permission.name, api_obj.name))
+        for (
+            api_name,
+            perm_name,
+        ) in self.security.get_api_permission_tuples_from_builtin_roles():
+            if (perm_name, api_name) in added_permission_api:
                 continue
+            permission = permission_map[perm_name]
+            api_obj = api_map[api_name]
+            permission_api_tuples.append((permission, api_obj))
+            added_permission_api.add((permission.name, api_obj.name))
-            for permission in new_permissions:
-                session.add(
-                    PermissionApi(permission_id=permission.id, api_id=api_obj.id)
-                )
-                logger.info(f"ASSOCIATING PERMISSION {permission} WITH API {api_obj}")
-            await safe_call(session.commit())
+        return await self.security.associate_list_of_permission_with_api(
+            permission_api_tuples, session=session
+        )
-    async def _associate_permission_api_with_role(
-        self, session: AsyncSession | Session
+    async def _associate_role_with_permission_api(
+        self,
+        session: SQLASession,
+        roles: list[Role],
+        permission_apis: list[PermissionApi],
     ):
-        # Read config based roles
-        roles_dict = Setting.ROLES
-        for role_name, role_permissions in roles_dict.items():
-            role_stmt = select(Role).where(Role.name == role_name)
-            role_result = await safe_call(session.scalars(role_stmt))
-            role = role_result.first()
-            if not role:
-                role = Role(name=role_name)
-                logger.info(f"ADDING ROLE {role}")
-                session.add(role)
-            for api_name, permission_name in role_permissions:
-                permission_api_stmt = (
-                    select(PermissionApi)
-                    .where(
-                        and_(Api.name == api_name, Permission.name == permission_name)
-                    )
-                    .join(Permission)
-                    .join(Api)
-                )
-                permission_api = await safe_call(session.scalar(permission_api_stmt))
-                if not permission_api:
-                    permission_stmt = select(Permission).where(
-                        Permission.name == permission_name
-                    )
-                    permission = await safe_call(session.scalar(permission_stmt))
-                    if not permission:
-                        permission = Permission(name=permission_name)
-                        logger.info(f"ADDING PERMISSION {permission}")
-                        session.add(permission)
-                    stmt = select(Api).where(Api.name == api_name)
-                    api = await safe_call(session.scalar(stmt))
-                    if not api:
-                        api = Api(name=api_name)
-                        logger.info(f"ADDING API {api}")
-                        session.add(api)
-                    permission_api = PermissionApi(permission=permission, api=api)
-                    logger.info(f"ADDING PERMISSION-API {permission_api}")
-                    session.add(permission_api)
-                # Associate role with permission-api
-                if role not in permission_api.roles:
-                    permission_api.roles.append(role)
-                    logger.info(
-                        f"ASSOCIATING {role} WITH PERMISSION-API {permission_api}"
-                    )
-                await safe_call(session.commit())
-        # Get admin role
-        if g.admin_role is None:
-            logger.warning("Admin role is not set, skipping admin role association")
-            return
-        admin_role_stmt = select(Role).where(Role.name == g.admin_role)
-        admin_role = await safe_call(session.scalar(admin_role_stmt))
-        if admin_role:
-            # Get list of permission-api.assoc_permission_api_id of the admin role
-            stmt = (
-                select(PermissionApi)
-                .where(~PermissionApi.roles.contains(admin_role))
-                .join(Api)
-            )
-            result = await safe_call(session.scalars(stmt))
-            existing_assoc_permission_api_roles = result.all()
-            # Add admin role to all permission-api objects
-            for permission_api in existing_assoc_permission_api_roles:
-                permission_api.roles.append(admin_role)
-                logger.info(
-                    f"ASSOCIATING {admin_role} WITH PERMISSION-API {permission_api}"
-                )
-            await safe_call(session.commit())
+        role_map = {role.name: role for role in roles}
+        permission_api_map = {
+            (pa.permission.name, pa.api.name): pa for pa in permission_apis
+        }
+        permission_apis_to_exclude_from_admin = list[PermissionApi]()
+        role_permission_api_tuples = list[tuple[Role, PermissionApi]]()
+        for (
+            role_name,
+            role_api_permissions,
+        ) in self.security.get_role_and_api_permission_tuples_from_builtin_roles():
+            for api_name, permission_name in role_api_permissions:
+                role = role_map[role_name]
+                permission_api = permission_api_map[(permission_name, api_name)]
+                role_permission_api_tuples.append((role, permission_api))
+                if "|" in permission_name and role_name != g.public_role:
+                    # Exclude multi-tenant permissions from admin role if not explicitly set
+                    permission_apis_to_exclude_from_admin.append(permission_api)
+        if g.admin_role:
+            admin_role = role_map[g.admin_role]
+            for permission_api in [
+                pa
+                for pa in permission_apis
+                if pa not in permission_apis_to_exclude_from_admin
+            ]:
+                role_permission_api_tuples.append((admin_role, permission_api))
+        await self.security.associate_list_of_role_with_permission_api(
+            role_permission_api_tuples, session=session
+        )
     def _mount_static_folder(self):
         """

fastapi-rtk 1.0.8__tar.gz → 1.0.9__tar.gz

fastapi-rtk 1.0.8tar.gz → 1.0.9tar.gz