Only the buttons corrsponding to what actions uses are allowed to execute are displayed in frontend.

Changes: -One extre function added to depends that only check is user has specific permission added -Populate _action to returned dict in {resource}/grid
2026-03-13 10:32:25 +08:00 · 2021-01-17 10:29:23 +01:00
parent a1baa185a7
commit 643e66560c
2 changed files with 37 additions and 2 deletions
--- a/fastapi_admin/depends.py
+++ b/fastapi_admin/depends.py
@@ -131,3 +131,27 @@ class AdminLog:
 admin_log_create = AdminLog(action="create")
 admin_log_update = AdminLog(action="update")
 admin_log_delete = AdminLog(action="delete")
+
+
+class HasPermission:
+    def __init__(self, action: enums.PermissionAction):
+        self.action = action
+
+    async def __call__(self, resource: str = Path(...), user=Depends(get_current_user)):
+        if not app.permission or user.is_superuser:
+            return True #Hmm. Should superuser really cirumvent all permission checks. not a good practice!?!?!?!!?!!!
+        if not user.is_active:
+            return False
+        has_permission = False
+        await user.fetch_related("roles")
+        for role in user.roles:
+            if await role.permissions.filter(model=resource, action=self.action):
+                return True
+        if not has_permission:
+            return False
+
+
+has_read_permission = HasPermission(action=enums.PermissionAction.read)
+has_create_permission = HasPermission(action=enums.PermissionAction.create)
+has_update_permission = HasPermission(action=enums.PermissionAction.update)
+has_delete_permission = HasPermission(action=enums.PermissionAction.delete)
--- a/fastapi_admin/routes/rest.py
+++ b/fastapi_admin/routes/rest.py
@@ -25,7 +25,13 @@ from ..depends import (
    parse_body,
    read_checker,
    update_checker,
+    has_create_permission,
+    has_read_permission,
+    has_update_permission,
+    has_delete_permission,
+    get_current_user,
 )
+
 from ..factory import app
 from ..filters import get_filter_by_name
 from ..responses import GetManyOut
@@ -123,9 +129,14 @@ async def form(resource: str,):


@router.get("/{resource}/grid", dependencies=[Depends(read_checker)])
-async def grid(resource: str,):
+async def grid(resource: str,user=Depends(get_current_user)):
    resource = await app.get_resource(resource)
-    return resource.dict(by_alias=True, exclude_unset=True)
+    resource = resource.dict(by_alias=True, exclude_unset=True)
+    resource['fields']['_actions'] = \
+        {'delete': await has_delete_permission(resource, user),
+         'edit': await has_update_permission(resource, user),
+         'toolbar': {'create': await has_create_permission(resource, user)}}
+    return resource


@router.get("/{resource}/view", dependencies=[Depends(read_checker)])