Merge dev to main: Security improvements and comprehensive test infrastructure #39
@@ -4,7 +4,7 @@ import threading
|
||||
import tempfile
|
||||
from typing import Optional
|
||||
from pydantic import BaseModel
|
||||
from fastapi import HTTPException, Request, status
|
||||
from fastapi import HTTPException, Request, status, Depends
|
||||
|
||||
import config
|
||||
|
||||
@@ -136,3 +136,16 @@ def require_write():
|
||||
if user.role == "viewer" and request.method != "GET":
|
||||
raise HTTPException(status_code=403, detail="Read-only access")
|
||||
return checker
|
||||
|
||||
|
||||
async def _inject_user(request: Request, user = Depends(lambda: None)):
|
||||
"""Dependency to store user in request.state for rbac dependencies.
|
||||
|
||||
Note: This expects auth to be handled by a parent dependency.
|
||||
Import auth module at runtime to avoid circular imports.
|
||||
"""
|
||||
if user is None:
|
||||
import auth as auth_module
|
||||
user = await auth_module.get_current_user(request)
|
||||
request.state.user = user
|
||||
return user
|
||||
|
||||
Reference in New Issue
Block a user