Bird
Raised Fist0
FastAPIframework~10 mins

Role-based access control in FastAPI - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to import the FastAPI class.

FastAPI
from fastapi import [1]
app = [1]()
Drag options to blanks, or click blank then click option'
AFastAPI
BRequest
CHTTPException
DDepends
Attempts:
3 left
💡 Hint
Common Mistakes
Importing Request instead of FastAPI
Trying to create app without importing FastAPI
2fill in blank
medium

Complete the code to define a dependency that checks user roles.

FastAPI
from fastapi import Depends, HTTPException

def get_current_user(role: str):
    def role_checker(user=Depends(get_user)):
        if user.role != [1]:
            raise HTTPException(status_code=403, detail="Forbidden")
        return user
    return role_checker
Drag options to blanks, or click blank then click option'
Aguest
Badmin
Cuser
Dmoderator
Attempts:
3 left
💡 Hint
Common Mistakes
Using the wrong role string
Not raising HTTPException on role mismatch
3fill in blank
hard

Fix the error in the route dependency injection for role-based access.

FastAPI
@app.get("/admin")
async def admin_panel(user=Depends([1]("admin"))):
    return {"message": f"Welcome {user.name} to admin panel"}
Drag options to blanks, or click blank then click option'
Aget_user
BDepends
Cget_current_user
DHTTPException
Attempts:
3 left
💡 Hint
Common Mistakes
Using Depends directly instead of the role-checking function
Using get_user which does not check roles
4fill in blank
hard

Fill both blanks to create a route that allows only moderators to access.

FastAPI
@app.get("/moderator")
async def mod_panel(user=Depends([1]([2]))):
    return {"message": f"Hello {user.name}, you are a moderator"}
Drag options to blanks, or click blank then click option'
Aget_current_user
B"moderator"
C"admin"
Dget_user
Attempts:
3 left
💡 Hint
Common Mistakes
Passing 'admin' instead of 'moderator'
Using get_user which does not enforce roles
5fill in blank
hard

Fill all three blanks to create a dictionary comprehension filtering users by role.

FastAPI
users = [
    {"name": "Alice", "role": "admin"},
    {"name": "Bob", "role": "user"},
    {"name": "Carol", "role": "moderator"}
]
admin_users = {user[[1]]: user for user in users if user[[2]] == [3]
Drag options to blanks, or click blank then click option'
A"name"
B"role"
C"admin"
D"user"
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'role' as key instead of 'name'
Filtering by wrong role string

Practice

(1/5)
1. What is the main purpose of role-based access control (RBAC) in FastAPI?
easy
A. To speed up API response times
B. To limit user actions based on their assigned roles
C. To automatically generate API documentation
D. To handle database migrations

Solution

  1. Step 1: Understand RBAC concept

    RBAC restricts what users can do depending on their roles, like admin or user.

  2. Step 2: Identify RBAC purpose in FastAPI

    FastAPI uses RBAC to check user roles before allowing access to certain endpoints.

  3. Final Answer:

    To limit user actions based on their assigned roles -> Option B

  4. Quick Check:

    RBAC = limit actions by roles [OK]
Hint: RBAC controls user permissions by roles, not speed or docs [OK]
Common Mistakes:
  • Confusing RBAC with performance optimization
  • Thinking RBAC auto-generates docs
  • Assuming RBAC manages database tasks
2. Which of the following is the correct way to declare a dependency that checks for an admin role in FastAPI?
easy
A. def admin_required(user: User = Depends(get_current_user)): if user.role == 'guest': raise HTTPException(status_code=401)
B. def admin_required(user: User): if user.role == 'admin': return True
C. def admin_required(): return 'admin' in user.roles
D. def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403)

Solution

  1. Step 1: Check dependency signature

    def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) uses Depends to get current user, which is required for role checking.

  2. Step 2: Verify role check logic

    def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) raises HTTP 403 if user is not admin, correctly enforcing access control.

  3. Final Answer:

    def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) -> Option D

  4. Quick Check:

    Depends + role check + HTTPException = def admin_required(user: User = Depends(get_current_user)): if user.role != 'admin': raise HTTPException(status_code=403) [OK]
Hint: Use Depends to get user, then check role and raise HTTPException [OK]
Common Mistakes:
  • Not using Depends to get current user
  • Checking wrong role or missing exception
  • Returning True instead of raising exception
3. Given this FastAPI endpoint with role check dependency: 
async def get_admin_data(admin: None = Depends(admin_required)):
    return {"data": "secret"}
What happens if a user with role 'user' calls this endpoint?
medium
A. The endpoint raises HTTP 403 Forbidden error
B. The endpoint returns {"data": "secret"}
C. The endpoint raises HTTP 401 Unauthorized error
D. The endpoint returns an empty response

Solution

  1. Step 1: Understand admin_required behavior

    admin_required raises HTTP 403 if user role is not 'admin'.

  2. Step 2: Apply to user role 'user'

    User role 'user' is not 'admin', so HTTP 403 is raised before endpoint runs.

  3. Final Answer:

    The endpoint raises HTTP 403 Forbidden error -> Option A

  4. Quick Check:

    Non-admin user triggers 403 error [OK]
Hint: Non-admin roles cause 403 error before endpoint runs [OK]
Common Mistakes:
  • Confusing 401 Unauthorized with 403 Forbidden
  • Expecting endpoint to return data for non-admin
  • Thinking empty response is returned
4. Identify the error in this FastAPI role check dependency: 
def check_admin(user: User = Depends(get_current_user)):
    if user.role == 'admin':
        return True
    else:
        return False

@app.get('/admin')
async def admin_panel(is_admin: bool = Depends(check_admin)):
    if not is_admin:
        raise HTTPException(status_code=403)
    return {"msg": "Welcome admin"}
medium
A. Dependency should raise HTTPException directly, not return bool
B. Depends should not be used inside dependency functions
C. The endpoint should not check is_admin, dependency handles it
D. The function should return user object, not bool

Solution

  1. Step 1: Analyze dependency behavior

    check_admin returns True/False instead of raising HTTPException on failure.

  2. Step 2: Understand best practice for RBAC in FastAPI

    Dependencies should raise HTTPException to stop execution early, not return bool flags.

  3. Final Answer:

    Dependency should raise HTTPException directly, not return bool -> Option A

  4. Quick Check:

    Raise exception in dependency, don't return bool [OK]
Hint: Raise HTTPException in dependency to block access immediately [OK]
Common Mistakes:
  • Returning bool instead of raising exception
  • Not stopping request early in dependency
  • Misusing Depends inside dependencies
5. You want to create a reusable role checker in FastAPI that allows multiple roles (e.g., 'admin' or 'moderator') to access an endpoint. Which approach correctly implements this?
hard
A. def role_checker(user: User = Depends(get_current_user)): if user.role == 'admin' and user.role == 'moderator': return True raise HTTPException(status_code=403)
B. def role_checker(user: User = Depends(get_current_user)): if user.role != 'admin' or user.role != 'moderator': raise HTTPException(status_code=403)
C. def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker
D. def role_checker(allowed_roles: list[str]): for role in allowed_roles: if role == user.role: return True return False

Solution

  1. Step 1: Understand reusable dependency pattern

    def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker returns a function that checks if user role is in allowed_roles, raising HTTPException if not.

  2. Step 2: Verify logic for multiple roles

    def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker correctly uses 'not in' to allow any role in the list, making it reusable.

  3. Final Answer:

    def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker -> Option C

  4. Quick Check:

    Reusable role check with allowed_roles list = def role_checker(allowed_roles: list[str]): def checker(user: User = Depends(get_current_user)): if user.role not in allowed_roles: raise HTTPException(status_code=403) return checker [OK]
Hint: Return inner function checking role in allowed_roles, raise HTTPException [OK]
Common Mistakes:
  • Using incorrect logic with 'or' instead of 'in'
  • Returning bool instead of raising exception
  • Checking impossible conditions like role == 'admin' and 'moderator'