
A Flask extension which limits access to views.

Project description

Flask-Access

Simple protection of Flask endpoints.

Integrates well with Flask-Login.

Protect endpoints

Here, the endpoint "/secret-code" requires a user to have "admin" rights:

@app.route("/secret-code")
@flask_access.require("admin")
def secret_code():
    return "1234"

You could have other requirements:

@flask_access.require("boss", 7, funny=True, bald=None)

Register a user loader

Flask-Access needs to associate the current request with a user who either has permission or does not. It looks for the current user in app.config[flask_access.CURRENT_USER]; assign a function there that returns the current user.

app.config[flask_access.CURRENT_USER] = my_current_user_func

The returned user can be of whatever type your application already uses to model users; the only condition is that the user class implements a has_access method. If the user has no account, return True to allow access. Anything other than True or an instance of a class implementing has_access will have access denied.

If you are also using Flask-Login you can simply apply the assignment below :clap:

app.config[flask_access.CURRENT_USER] = flask_login.current_user

User access logic

In short, implement has_access(self, rights) -> bool on your user class.

When a user attempts to access an endpoint, Flask-Access loads the current user object, user, and runs user.has_access(rights). The rights passed in are the arguments given to require, such as the "boss", 7, funny=True, bald=None from above.

If a user doesn't have a has_access method, or the method doesn't return True, then access is denied :speak_no_evil:

Access denied handler

The default access-denied handler calls flask.abort(403).

To set a custom access-denied handler:

app.config[flask_access.ABORT_FN] = my_custom_abort_func

Login required

If you are using flask_login.current_user as your user loader, then flask_access.require implies flask_login.login_required, so there is no need to also specify the latter.

Why? If a user is not logged in, flask_login.current_user returns a flask_login.AnonymousUserMixin, which does not implement has_access; hence no access for the user.
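
The decision rule from the sections above, modelled as an added stand-alone example (not Flask-Access's own code; it does not import the library). The (args, kwargs) shape of rights, the User, Anonymous and Sloppy classes, the decide helper and the strict "is True" comparison are assumptions made for illustration.

```python
# Added example: stand-alone model of the documented decision rule.

class User:
    """Constructed sample user: role names, a numeric level, free-form attributes."""

    def __init__(self, roles, level=0, **attrs):
        self.roles = frozenset(roles)
        self.level = level
        self.attrs = attrs

    def has_access(self, rights):
        # Assumption: rights arrives as (args, kwargs) taken from require(...).
        args, kwargs = rights
        for req in args:
            if isinstance(req, bool):
                return False                      # no meaning defined: deny
            if isinstance(req, str):
                if req not in self.roles:
                    return False
            elif isinstance(req, int):
                if self.level < req:
                    return False
            else:
                return False                      # unknown requirement type: deny
        # Keyword requirements must each match a stored attribute exactly.
        return all(k in self.attrs and self.attrs[k] == v for k, v in kwargs.items())


class Anonymous:
    """Stands in for a logged-out user: no has_access method."""


class Sloppy:
    def has_access(self, rights):
        return ["admin"]                          # truthy, but not True


def decide(load_user, *args, **kwargs):
    """Allow only when the loader returns True or has_access(...) returns True."""
    user = load_user()
    if user is True:                              # loader says no account is needed
        return True
    check = getattr(user, "has_access", None)
    if not callable(check):
        return False                              # no has_access method: denied
    return check((args, kwargs)) is True          # strict reading of "return True"
```

Unknown requirement types and missing attributes deny rather than pass, so a requirement added to require(...) later cannot silently widen access.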

Example

An example with a primitive login/out system.

Download files


Source Distribution

flask-access-0.1.1.1.tar.gz (3.4 kB)

Built Distribution

flask_access-0.1.1.1-py3-none-any.whl (4.8 kB)
