A Flask extension which limits access to views.
Flask-Access 
Simple protection of Flask endpoints.
Integrates well with Flask-Login.
Protect endpoints
Here, the endpoint "/secret-code" requires a user to have "admin" rights:
@app.route("/secret-code")
@flask_access.require("admin")
def secret_code():
    return "1234"
You could have other requirements:
@flask_access.require("boss", 7, funny=True, bald=None)
Register a user loader
Flask-Access needs to associate the current request with a user who either has permission or does not. It looks for the current user in app.config[flask_access.CURRENT_USER]; assign a function that returns the current user there.
app.config[flask_access.CURRENT_USER] = my_current_user_func
The returned user can be of whatever type your application already uses to model users; the only condition is that the user class implements a method has_access. If the user has no account, return True to allow access. Anything other than True or an instance of a class implementing has_access will have access denied.
If you are also using Flask-Login you can simply apply the assignment below :clap:
app.config[flask_access.CURRENT_USER] = flask_login.current_user
User access logic
In short, implement has_access(self, rights) -> bool on your user class.
When a user attempts to access an endpoint, Flask-Access will load the current user object user and run user.has_access(rights). The rights that get passed in are the "boss", 7, funny=True, bald=None from above.
If a user doesn't have a has_access method, or the method doesn't return True, then access is denied :speak_no_evil:
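The deny-by-default rule from this section and from "Register a user loader", modelled as an added example; it is not Flask-Access source code or code from this project. The names `User`, `SloppyUser`, `Anonymous`, `is_allowed` and `decisions` are hypothetical, and passing `rights` as a tuple is an assumption, since this page does not show how the `require(...)` arguments are packed.

```python
class User:
    """Application user holding a set of role names (hypothetical model)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_access(self, rights):
        # Assumption: `rights` is a tuple of the values given to require(...).
        # Grant only if every required right is held; deny an empty requirement.
        return bool(rights) and all(r in self.roles for r in rights)


class SloppyUser(User):
    """Returns a truthy list instead of True, to show why `-> bool` matters."""

    def has_access(self, rights):
        return [r for r in rights if r in self.roles]


class Anonymous:
    """Stand-in for a user object that has no has_access method."""


def is_allowed(current_user, rights):
    """Documented rule, read strictly: only True or has_access() -> True passes."""
    if current_user is True:  # loader returned True: "user has no account"
        return True
    check = getattr(current_user, "has_access", None)
    if not callable(check):
        return False  # no has_access method: denied
    return check(rights) is True  # any other return value: denied


def decisions(rights=("admin",)):
    """Run constructed sample users through the rule for one requirement."""
    cases = {
        "admin": User("ada", {"admin", "boss"}),
        "clerk": User("bob", {"clerk"}),
        "sloppy": SloppyUser("eve", {"admin"}),
        "anonymous": Anonymous(),
        "none": None,
        "string": "admin",
        "true": True,
    }
    return {who: is_allowed(user, rights) for who, user in cases.items()}


if __name__ == "__main__":
    print(decisions())
```

A test like this around your own has_access implementation catches the case where it returns a truthy value that is not True.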
Access denied handler
The default access-denied handler calls flask.abort(403).
To set a custom access-denied handler:
app.config[flask_access.ABORT_FN] = my_custom_abort_func
Login required
If you are using flask_login.current_user as your user loader then flask_access.require implies flask_login.login_required, so no need to also specify the latter.
Why? Well, if a user is not logged in, flask_login.current_user will return a flask_login.AnonymousUserMixin, which does not have has_access implemented, hence no access for the user.
Example
An example with a primitive login/out system.
File details
Details for the file flask-access-0.1.2.1.tar.gz.
File metadata
- Download URL: flask-access-0.1.2.1.tar.gz
- Upload date:
- Size: 3.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/41.0.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | b32ed7b1ed73f9313bef61f645f8a7c06448390ece65fa0137e4aeff3b7e6c85
MD5 | 258a7713ec11ea39a030fe18e7e4b1fe
BLAKE2b-256 | a983ea6cb8d6e499da4c0e72f419029353e1d8cc84e53e445f0549ab6393b9ec
File details
Details for the file flask_access-0.1.2.1-py3-none-any.whl.
File metadata
- Download URL: flask_access-0.1.2.1-py3-none-any.whl
- Upload date:
- Size: 4.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/41.0.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | 3bd82d9e1b32b80b6a1c1f7ca2cb32682aac8a1b4f93bf67291a92b280b0ce6b
MD5 | 4963d4dc81905cc1cca22e8aac822209
BLAKE2b-256 | 01ea34cba27dac32503d0292db5e2b6a080255a102feb21ddbd9527071414cf8