@requires need to check all scopes to be required or just one?

[danbailo]

I'm thinking about it because we can have any cenarys, example:

Supposing we have three roles of user: user, admin and superuser.

The current method will check just the first scope in scopes(:has_required_scope) and return False if it not in.

@requires(['user', 'admin'])
async def foo():
    ...

If the current user is an admin, he could access the resource foo, but he won't, because the actual logic will stop it.

Thereby, if the idea of the @requires is enforces all scopes, ok, makes sense, otherwise, we can easily fix it with this snippet:

def has_required_scope(conn: HTTPConnection, scopes: typing.Sequence[str]) -> bool:
    inside_scopes = [scope in conn.auth.scopes for scope in scopes]
    return any(inside_scopes)

But, what i suggest is split this validator in two.

@requires_all and @requires_any, thereby we can allow the request only if the current user is inside of all scopes or just one, for example.

[Kludex]

Thereby, if the idea of the @requires is enforces all scopes, ok, makes sense, otherwise, we can easily fix it with this snippet:

That's it. 👍

[danbailo]

Ty for attention