A Flask extension which limits access to views.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for barischj from gravatar.com barischj

Unverified details

These details have not been verified by PyPI
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Requires: Python >=3

Classifiers

Project description

Flask-Access CircleCI

Simple protection of Flask endpoints.

Integrates well with Flask-Login.

Protect endpoints

Here, the endpoint "/secret-code" requires a user to have "admin" rights:

@app.route("/secret-code")
@flask_access.require("admin")
def secret_code():
    return "1234"

You could have other requirements:

@flask_access.require("boss", 7, funny=True, bald=None)

Register a user loader

Flas-Access needs to associate the current request with a user that has permission or not. Flask-Access will look for the current user in app.config[flask_access.CURRENT_USER], here you can assign a function that returns the current user.

app.config[flask_access.CURRENT_USER] = my_current_user_func

The type of the returned user can be whatever you are using in your application to model users already, the only condition is that the user class implements a method has_access. If the user has no account return True to allow access. Anything other than True or an instance of a class implementing has_access will have access denied.

If you are also using Flask-Login you can simply apply the assignment below :clap:

app.config[flask_access.CURRENT_USER] = flask_login.current_user

User access logic

In short, implement has_access(self, rights) -> bool on your user class.

When a user attempts to access an endpoint, Flask-Access will load the current user object user and run user.has_access(rights), the rights that get passed in are the "boss", 7, funny=True, bald=None from above.

If a user doesn't have an has_access method, or the method doesn't return True, then access is denied :speak_no_evil:

Access denied handler

The default access denied handler calls flask.abort(403)

To set a custom access-denied handler:

app.config[flask_access.ABORT_FN] = my_custom_abort_func

Login required

If you are using flask_login.current_user as your user loader then flask_access.require implies flask_login.login_required, so no need to also specify the latter.

Why? Well, if a user is not logged-in, flask_login.current_user will return a flask_login.AnonymousUserMixin which does not have has_access implemented, hence no access for the user.

Example

An example with a primitive login/out system.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for barischj from gravatar.com barischj

Unverified details

These details have not been verified by PyPI
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Requires: Python >=3

Classifiers

Release history Release notifications | RSS feed

This version

0.1.2.1

0.1.2

0.1.1.1

0.1.1

0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

flask-access-0.1.2.1.tar.gz (3.4 kB view hashes)

Uploaded Source

Built Distribution

flask_access-0.1.2.1-py3-none-any.whl (4.8 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page