Fix scopes on security sub-dependant

2 years ago · b8741d6bf4
2 changed files with 26 additions and 5 deletions
--- a/fastapi/dependencies/utils.py
+++ b/fastapi/dependencies/utils.py
@ -145,14 +145,14 @@ def get_sub_dependant(
    security_scopes: Optional[List[str]] = None,
 ) -> Dependant:
    security_requirement = None
-    security_scopes = security_scopes or []
+    use_scopes: List[str] = []
    if isinstance(depends, params.Security):
+        use_scopes = security_scopes or []
        dependency_scopes = depends.scopes
-        security_scopes.extend(dependency_scopes)
+        use_scopes.extend(dependency_scopes)
    if isinstance(dependency, SecurityBase):
-        use_scopes: List[str] = []
        if isinstance(dependency, (OAuth2, OpenIdConnect)):
-            use_scopes = security_scopes
+            use_scopes = security_scopes or []
        security_requirement = SecurityRequirement(
            security_scheme=dependency, scopes=use_scopes
        )
@ -160,7 +160,7 @@ def get_sub_dependant(
        path=path,
        call=dependency,
        name=name,
-        security_scopes=security_scopes,
+        security_scopes=use_scopes,
        use_cache=depends.use_cache,
    )
    if security_requirement:
--- a/tests/test_dependency_cache.py
+++ b/tests/test_dependency_cache.py
@ -48,6 +48,17 @@ async def get_scope_counter(
    }


+@app.get("/scope-sub-counter")
+async def get_scope_counter_sub(
+    count: int = Security(dep_counter),
+    scope_subcount: int = Security(super_dep, scopes=["scope"]),
+):
+    return {
+        "counter": count,
+        "scope_counter": scope_subcount,
+    }
+
+
 client = TestClient(app)


@ -89,3 +100,13 @@ def test_security_cache():
    response = client.get("/scope-counter/")
    assert response.status_code == 200, response.text
    assert response.json() == {"counter": 3, "scope_counter_1": 4, "scope_counter_2": 4}
+
+
+def test_security_cache_sub():
+    counter_holder["counter"] = 0
+    response = client.get("/scope-sub-counter/")
+    assert response.status_code == 200, response.text
+    assert response.json() == {"counter": 1, "scope_counter": 1}
+    response = client.get("/scope-sub-counter/")
+    assert response.status_code == 200, response.text
+    assert response.json() == {"counter": 2, "scope_counter": 2}