Bird
Raised Fist0
FastAPIframework~30 mins

Role-based access control in FastAPI - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Role-based access control
📖 Scenario: You are building a simple web API for a company. Different users have different roles like 'admin' and 'user'. You want to control which parts of the API each role can access.
🎯 Goal: Create a FastAPI app that defines user roles and restricts access to an endpoint based on the user's role.
📋 What You'll Learn
Create a dictionary called users with usernames as keys and their roles as values.
Create a variable called allowed_roles that lists roles allowed to access a protected endpoint.
Write a function called check_access that takes a username and returns True if the user role is in allowed_roles, otherwise False.
Create a FastAPI endpoint /protected that returns a message only if the user has access, otherwise returns a 403 error.
💡 Why This Matters
🌍 Real World
Role-based access control is used in many web apps to protect sensitive data and features. For example, only admins can change settings, while regular users can only view content.
💼 Career
Understanding how to implement role-based access control is important for backend developers and security engineers to build secure applications.
Progress0 / 4 steps
1
Create user roles dictionary
Create a dictionary called users with these exact entries: 'alice': 'admin', 'bob': 'user', 'carol': 'guest'.
FastAPI
Hint

Use curly braces to create a dictionary. Keys are usernames, values are roles as strings.

2
Define allowed roles list
Create a list called allowed_roles containing the strings 'admin' and 'user'.
FastAPI
Hint

Use square brackets to create a list of allowed roles.

3
Write access check function
Write a function called check_access that takes a parameter username. It should return True if users[username] is in allowed_roles, otherwise False. Use users.get(username) to safely get the role.
FastAPI
Hint

Use def to define the function. Use users.get(username) to get the role safely.

4
Create protected FastAPI endpoint
Import FastAPI and HTTPException from fastapi. Create a FastAPI app called app. Add a GET endpoint /protected that takes a query parameter username. Use check_access to allow access only if it returns True. If access is denied, raise HTTPException with status code 403 and detail 'Access denied'. If allowed, return a JSON message {'message': 'Welcome, {username}!'}.
FastAPI
Hint

Use @app.get decorator to create the endpoint. Use raise HTTPException to block access.

Practice

(1/5)
1. What is the main purpose of role-based access control (RBAC) in FastAPI?
easy
A. To speed up API response times
B. To limit user actions based on their assigned roles
C. To automatically generate API documentation
D. To handle database migrations

Solution

  1. Step 1: Understand RBAC concept

    RBAC restricts what users can do depending on their roles, like admin or user.

  2. Step 2: Identify RBAC purpose in FastAPI

    FastAPI uses RBAC to check user roles before allowing access to certain endpoints.

  3. Final Answer:

    To limit user actions based on their assigned roles -> Option B

  4. Quick Check:

    RBAC = limit actions by roles [OK]
Hint: RBAC controls user permissions by roles, not speed or docs [OK]
Common Mistakes:
  • Confusing RBAC with performance optimization
  • Thinking RBAC auto-generates docs
  • Assuming RBAC manages database tasks
2. Which of the following is the correct way to declare a dependency that checks for an admin role in FastAPI?
easy
A. def admin_required(user: User = Depends(get_current_user)): if user.role == 'guest': raise HTTPException(status_code=401)
B. def admin_required(user: User): if user.role == 'admin': return True
C. def admin_required(): return 'admin' in user.roles
D. def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403)

Solution

  1. Step 1: Check dependency signature

    def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) uses Depends to get current user, which is required for role checking.

  2. Step 2: Verify role check logic

    def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) raises HTTP 403 if user is not admin, correctly enforcing access control.

  3. Final Answer:

    def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) -> Option D

  4. Quick Check:

    Depends + role check + HTTPException = def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) [OK]
Hint: Use Depends to get user, then check role and raise HTTPException [OK]
Common Mistakes:
  • Not using Depends to get current user
  • Checking wrong role or missing exception
  • Returning True instead of raising exception
3. Given this FastAPI endpoint with role check dependency: 
async def get_admin_data(admin: None = Depends(admin_required)):
    return {"data": "secret"}
What happens if a user with role 'user' calls this endpoint?
medium
A. The endpoint raises HTTP 403 Forbidden error
B. The endpoint returns {"data": "secret"}
C. The endpoint raises HTTP 401 Unauthorized error
D. The endpoint returns an empty response

Solution

  1. Step 1: Understand admin_required behavior

    admin_required raises HTTP 403 if user role is not 'admin'.

  2. Step 2: Apply to user role 'user'

    User role 'user' is not 'admin', so HTTP 403 is raised before endpoint runs.

  3. Final Answer:

    The endpoint raises HTTP 403 Forbidden error -> Option A

  4. Quick Check:

    Non-admin user triggers 403 error [OK]
Hint: Non-admin roles cause 403 error before endpoint runs [OK]
Common Mistakes:
  • Confusing 401 Unauthorized with 403 Forbidden
  • Expecting endpoint to return data for non-admin
  • Thinking empty response is returned
4. Identify the error in this FastAPI role check dependency: 
def check_admin(user: User = Depends(get_current_user)):
    if user.role == 'admin':
        return True
    else:
        return False

@app.get('/admin')
async def admin_panel(is_admin: bool = Depends(check_admin)):
    if not is_admin:
        raise HTTPException(status_code=403)
    return {"msg": "Welcome admin"}
medium
A. Dependency should raise HTTPException directly, not return bool
B. Depends should not be used inside dependency functions
C. The endpoint should not check is_admin, dependency handles it
D. The function should return user object, not bool

Solution

  1. Step 1: Analyze dependency behavior

    check_admin returns True/False instead of raising HTTPException on failure.

  2. Step 2: Understand best practice for RBAC in FastAPI

    Dependencies should raise HTTPException to stop execution early, not return bool flags.

  3. Final Answer:

    Dependency should raise HTTPException directly, not return bool -> Option A

  4. Quick Check:

    Raise exception in dependency, don't return bool [OK]
Hint: Raise HTTPException in dependency to block access immediately [OK]
Common Mistakes:
  • Returning bool instead of raising exception
  • Not stopping request early in dependency
  • Misusing Depends inside dependencies
5. You want to create a reusable role checker in FastAPI that allows multiple roles (e.g., 'admin' or 'moderator') to access an endpoint. Which approach correctly implements this?
hard
A. def role_checker(user: User = Depends(get_current_user)): if user.role == 'admin' and user.role == 'moderator': return True raise HTTPException(status_code=403)
B. def role_checker(user: User = Depends(get_current_user)): if user.role != 'admin' or user.role != 'moderator': raise HTTPException(status_code=403)
C. def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker
D. def role_checker(allowed_roles: list[str]): for role in allowed_roles: if role == user.role: return True return False

Solution

  1. Step 1: Understand reusable dependency pattern

    def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker returns a function that checks if user role is in allowed_roles, raising HTTPException if not.

  2. Step 2: Verify logic for multiple roles

    def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker correctly uses 'not in' to allow any role in the list, making it reusable.

  3. Final Answer:

    def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker -> Option C

  4. Quick Check:

    Reusable role check with allowed_roles list = def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker [OK]
Hint: Return inner function checking role in allowed_roles, raise HTTPException [OK]
Common Mistakes:
  • Using incorrect logic with 'or' instead of 'in'
  • Returning bool instead of raising exception
  • Checking impossible conditions like role == 'admin' and 'moderator'