Consider a FastAPI route protected by a dependency that checks if the user has the 'admin' role. If a user with only the 'user' role tries to access it, what will be the HTTP response status code?
from fastapi import FastAPI, Depends, HTTPException, status from fastapi.security import OAuth2PasswordBearer app = FastAPI() oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token") fake_users_db = { "alice": {"username": "alice", "roles": ["user"]}, "bob": {"username": "bob", "roles": ["admin"]} } def get_current_user(token: str = Depends(oauth2_scheme)): user = fake_users_db.get(token) if not user: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid authentication") return user def require_admin(user: dict = Depends(get_current_user)): if "admin" not in user["roles"]: raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions") return user @app.get("/admin") async def read_admin_data(user: dict = Depends(require_admin)): return {"msg": "Welcome admin!"}
Think about what happens when the user is authenticated but lacks the required role.
The dependency require_admin checks if the user has the 'admin' role. If not, it raises a 403 Forbidden error, indicating the user is authenticated but not authorized to access the resource.
Choose the code snippet that correctly checks if the current user has the 'editor' role and raises a 403 error if not.
Remember that roles are stored as a list inside a dictionary.
Option B correctly checks if the string 'editor' is in the list stored under the 'roles' key in the user dictionary. Other options either compare list to string or use incorrect attribute access.
Given a user with roles ['user', 'editor'] accessing a route protected by a dependency that requires the 'editor' role, what will be the response?
from fastapi import FastAPI, Depends, HTTPException, status app = FastAPI() fake_users_db = { "carol": {"username": "carol", "roles": ["user", "editor"]} } def get_current_user(token: str): user = fake_users_db.get(token) if not user: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) return user def require_editor(user: dict = Depends(get_current_user)): if "editor" not in user["roles"]: raise HTTPException(status_code=status.HTTP_403_FORBIDDEN) return user @app.get("/edit") async def edit_content(user: dict = Depends(require_editor)): return {"msg": f"Hello {user['username']}, you can edit content."}
Check if the required role is present in the user's roles list.
The user 'carol' has the 'editor' role among others, so the dependency passes and the route returns a success message.
What error will this FastAPI dependency raise when called?
def require_admin(user: dict = Depends(get_current_user)): if user['roles'] != 'admin': raise HTTPException(status_code=403, detail='Forbidden') return user
Consider the data type of user['roles'] and what the comparison checks.
The code compares a list (user['roles']) to a string ('admin'), which is always False, so the HTTPException is always raised even if 'admin' is in the list.
Which is the best explanation for why FastAPI uses dependencies to implement role-based access control?
Think about how dependencies help organize code and enforce checks.
FastAPI dependencies provide a clean way to run code before route handlers. This lets you check user roles in one place and reuse that logic across routes, keeping code organized and secure.