Checking permissions inside a path operation function

[Kh-Oleg]

Is it possible to perform authorization check (for an authenticated user) inside the path operation function?

Example:
Suppose we have Fief service with two permissions: createCastle and createSimpleCastle and a service capable of creating both types of castles. Is it possible to do something like this?

@app.post('/api/create-castle')
async def create_castle(request: Request, user: FiefUserInfo = Depends(oauth2.current_user())):
    if hasPermission(user, 'createCastle'):
        # create a castle
        return Response(content='castle created')
    else if hasPermission(user, 'createSimpleCastle'):
        # create simple castle
        return Response(content='simple castle created')
    else:
        return Response(403 - Not authorized)

How could hasPermission function look like?

The reason for that is to have a single path in API and a single path operation function in source code.

[frankie567]

Yes, that could be done "manually" using the authenticated dependency which returns you a FiefAccessTokenInfo dictionary:

def has_permission(access_token_info: FiefAccessTokenInfo, permission: str) -> bool:
    return permission in access_token_info["permissions"]


@app.post('/api/create-castle')
async def create_castle(
    request: Request,
    access_token_info: FiefAccessTokenInfo = Depends(auth.authenticated())
):
    ...

If you also need the user object in your endpoint, you can also add the current_user dependency, it'll work as expected.