fix: make RBAC dependencies properly chain _inject_user for OPC authorization

This commit is contained in:
Gan, Jimmy
2026-04-02 00:25:32 +08:00
parent 213d0e897c
commit e46003711b
3 changed files with 8 additions and 9 deletions
+3 -6
View File
@@ -115,8 +115,7 @@ def has_page_access(user: User, page: str) -> bool:
def require_page(page: str):
"""FastAPI dependency factory — 403 if user lacks page access."""
async def checker(request: Request):
user: User = request.state.user
async def checker(user: User = Depends(_inject_user)):
if not has_page_access(user, page):
raise HTTPException(status_code=403, detail="Access denied")
return checker
@@ -124,8 +123,7 @@ def require_page(page: str):
def require_admin():
"""FastAPI dependency — 403 if user is not admin."""
async def checker(request: Request):
user: User = request.state.user
async def checker(user: User = Depends(_inject_user)):
if user.role != "admin":
raise HTTPException(status_code=403, detail="Admin only")
return checker
@@ -133,8 +131,7 @@ def require_admin():
def require_write():
"""FastAPI dependency — 403 if viewer tries non-GET method."""
async def checker(request: Request):
user: User = request.state.user
async def checker(request: Request, user: User = Depends(_inject_user)):
if user.role == "viewer" and request.method != "GET":
raise HTTPException(status_code=403, detail="Read-only access")
return checker