fix: revert to original _inject_user in main.py, ensure it runs before require_page
This commit is contained in:
@@ -115,7 +115,8 @@ def has_page_access(user: User, page: str) -> bool:
|
||||
|
||||
def require_page(page: str):
|
||||
"""FastAPI dependency factory — 403 if user lacks page access."""
|
||||
async def checker(user: User = Depends(_inject_user)):
|
||||
async def checker(request: Request):
|
||||
user: User = request.state.user
|
||||
if not has_page_access(user, page):
|
||||
raise HTTPException(status_code=403, detail="Access denied")
|
||||
return checker
|
||||
@@ -123,7 +124,8 @@ def require_page(page: str):
|
||||
|
||||
def require_admin():
|
||||
"""FastAPI dependency — 403 if user is not admin."""
|
||||
async def checker(user: User = Depends(_inject_user)):
|
||||
async def checker(request: Request):
|
||||
user: User = request.state.user
|
||||
if user.role != "admin":
|
||||
raise HTTPException(status_code=403, detail="Admin only")
|
||||
return checker
|
||||
@@ -131,18 +133,8 @@ def require_admin():
|
||||
|
||||
def require_write():
|
||||
"""FastAPI dependency — 403 if viewer tries non-GET method."""
|
||||
async def checker(request: Request, user: User = Depends(_inject_user)):
|
||||
async def checker(request: Request):
|
||||
user: User = request.state.user
|
||||
if user.role == "viewer" and request.method != "GET":
|
||||
raise HTTPException(status_code=403, detail="Read-only access")
|
||||
return checker
|
||||
|
||||
|
||||
async def _inject_user(request: Request):
|
||||
"""Dependency to store user in request.state for rbac dependencies.
|
||||
|
||||
Import auth module at runtime to avoid circular imports.
|
||||
"""
|
||||
import auth as auth_module
|
||||
user = await auth_module.get_current_user(request)
|
||||
request.state.user = user
|
||||
return user
|
||||
|
||||
Reference in New Issue
Block a user