Menu
Are there any actively maintained plugins out there which would help me create a Flask app with role based access control? e.g. admin role, accounting role, hr role...
Flask-User looks good, but these discussions indicate the maintainer is gone...
https://gitter.im/Flask-User/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge
Flask-Login needs Flask-Security, which is unmaintained, but there is Flask-Security-Too. The latter implements authorization via Flask-Principal, which last release was in 2013 - looks pretty dead to me ( https://github.com/mattupstate/flask-principal/issues/50 ).
Thanks for any recommendations.
306
I'm on the same journey.. You may have a look at flask-RBAC => https://flask-rbac.readthedocs.io/ where RBAC just stands for "Role Based Access Control"...
the last commit is less than 30 days ago
I'm not expert enough to say if it is better than the ones you cites but it may worth it with such an explicit name. Let me know what you think off it.
(PS : i'm not affiliate in anyway with this project)
148
It is also possible that none of the solutions will be 100% appropriate, ie that you will need changes or extensions.
In such situations, my suggestion is best to start with, say, the basic model and expand it exactly to your needs. And the ideas and approaches of some plugins can help you with your solution. The advantage of this approach is that you will learn much more about what is happening under the hood, unlike that one import from some plugins.
Plugins are great, a lot of effort has been put into expanding the community. There is no dilemma.
Take the answer as motivation because your problem can start version 0.0.1 with minimal code:
class RolesUsers(Base):
__tablename__ = 'roles_users'
id = db.Column(db.Integer(), primary_key=True)
user_id = db.Column(db.Integer(), db.ForeignKey('user.id'))
role_id = db.Column(db.Integer(), db.ForeignKey('role.id'))
class Role(RoleMixin, Base):
__tablename__ = 'role'
id = db.Column(db.Integer(), primary_key=True)
name = db.Column(db.String(80), unique=True)
def __repr__(self):
return self.name
class User(UserMixin, Base):
__tablename__ = 'user'
id = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(120), index=True, unique=True)
roles = db.relationship('Role', secondary='roles_users',
backref=db.backref('users', lazy='dynamic'))
See M2M
Now you have one mini application that represents the mentioned first version 0.0.1 :) Since you don't use FLASK for a while, I did my best to remind you of some basic details through the comments.
import datetime
from functools import wraps
from flask import Flask, redirect, url_for, session, render_template_string
from flask_sqlalchemy import SQLAlchemy
# Class-based application configuration
class ConfigClass(object):
""" Flask application config """
# Flask settings
SECRET_KEY = 'This is an INSECURE secret!! DO NOT use this in production!!'
# Flask-SQLAlchemy settings
SQLALCHEMY_DATABASE_URI = 'sqlite:///db.sqlite' # File-based SQL database
SQLALCHEMY_TRACK_MODIFICATIONS = False # Avoids SQLAlchemy warning
def create_app():
""" Flask application factory """
# Create Flask app load app.config
app = Flask(__name__)
app.config.from_object(__name__+'.ConfigClass')
# Initialize Flask-SQLAlchemy
db = SQLAlchemy(app)
@app.before_request
def before_request():
try:
print("Current Role: ", session['role'])
except:
print("Current Role: Guest")
# Define the User data-model.
class User(db.Model):
__tablename__ = 'users'
id = db.Column(db.Integer, primary_key=True)
active = db.Column('is_active', db.Boolean(), nullable=False, server_default='1')
# User authentication information. The collation='NOCASE' is required
# to search case insensitively when USER_IFIND_MODE is 'nocase_collation'.
email = db.Column(db.String(255, collation='NOCASE'), nullable=False, unique=True)
email_confirmed_at = db.Column(db.DateTime())
password = db.Column(db.String(255), nullable=False, server_default='')
# User information
first_name = db.Column(db.String(100, collation='NOCASE'), nullable=False, server_default='')
last_name = db.Column(db.String(100, collation='NOCASE'), nullable=False, server_default='')
# Define the relationship to Role via UserRoles
roles = db.relationship('Role', secondary='user_roles')
# Define the Role data-model
class Role(db.Model):
__tablename__ = 'roles'
id = db.Column(db.Integer(), primary_key=True)
name = db.Column(db.String(50), unique=True)
# Define the UserRoles association table
class UserRoles(db.Model):
__tablename__ = 'user_roles'
id = db.Column(db.Integer(), primary_key=True)
user_id = db.Column(db.Integer(), db.ForeignKey('users.id', ondelete='CASCADE'))
role_id = db.Column(db.Integer(), db.ForeignKey('roles.id', ondelete='CASCADE'))
# First Drop then Create all database tables
db.drop_all()
db.create_all()
# Create '[email protected]' user with no roles
if not User.query.filter(User.email == '[email protected]').first():
user = User(
email='[email protected]',
email_confirmed_at=datetime.datetime.utcnow(),
password='Password1',
)
db.session.add(user)
db.session.commit()
# Create '[email protected]' user with 'Admin' and 'Agent' roles
if not User.query.filter(User.email == '[email protected]').first():
user = User(
email='[email protected]',
email_confirmed_at=datetime.datetime.utcnow(),
password='Password1',
)
user.roles.append(Role(name='Admin'))
user.roles.append(Role(name='Member'))
db.session.add(user)
db.session.commit()
def access_required(role="ANY"):
"""
see: https://flask.palletsprojects.com/en/2.1.x/patterns/viewdecorators/
"""
def wrapper(fn):
@wraps(fn)
def decorated_view(*args, **kwargs):
if session.get("role") == None or role == "ANY":
session['header'] = "Welcome Guest, Request a new role for higher rights!"
return redirect(url_for('index'))
if session.get("role") == 'Member' and role == 'Member':
print("access: Member")
session['header'] = "Welcome to Member Page!"
return redirect(url_for('index'))
if session.get("role") == 'Admin' and role == 'Admin':
session['header'] = "Welcome to Admin Page!"
print("access: Admin")
else:
session['header'] = "Oh no no, you haven'tn right of access!!!"
return redirect(url_for('index'))
return fn(*args, **kwargs)
return decorated_view
return wrapper
# The index page is accessible to anyone
@app.route('/')
def index():
print("index:", session.get("role", "nema"))
return render_template_string('''
<h3>{{ session["header"] if session["header"] else "Welcome Guest!" }}</h3>
<a href="/admin_role">Get Admin Role</a>    |   
<a href="/admin_page">Admin Page</a> <br><br>
<a href="/member_role">Get Member Role</a>    |   
<a href="/member_page">Member Page</a> <br><br>
<a href="/guest_role">Get Guest Role</a> <br><br>
<a href="/data">Try looking at DATA with different roles</a>
''')
@app.route('/data')
def data():
return render_template_string("""
<a href="/admin_role">Admin Role</a>
<a href="/member_role">Member Role</a>
<a href="/guest_role">Guest Role</a>
<br><p>The data page will display a different context depending on the access rights.</p><br>
{% if not session['role'] %}
<h2>You must have diffrent role for access to the data.</h2>
<a href="{{ url_for('.index') }}">Go back?</a>
{% endif %}
{% if session['role'] == 'Member' or session['role'] == 'Admin' %}
<h2>USERS:</h2>
<table>
<tr>
<th>ID</th>
<th>EMAIL</th>
</tr>
{% for u in users %}
<tr>
<td>{{ u.id }}</td>
<td>{{ u.email }}</td>
</tr>
{% endfor %}
</table>
{% endif %}
{% if session['role'] == 'Admin' %}
<h2>ROLE:</h2>
<table>
<tr>
<th>ID</th>
<th>NAME</th>
</tr>
{% for r in roles %}
<tr>
<td>{{ r.id }}</td>
<td>{{ r.name }}</td>
</tr>
{% endfor %}
</table>
<h2>USER ROLES:</h2>
<table>
<tr>
<th>ID</th>
<th>USER ID</th>
<th>ROLE ID</th>
</tr>
{% for ur in user_roles %}
<tr>
<td>{{ ur.id }}</td>
<td>{{ ur.user_id }}</td>
<td>{{ ur.role_id }}</td>
</tr>
{% endfor %}
</table>
{% endif %}
""",
users=User.query,
roles= Role.query,
user_roles=UserRoles.query)
@app.route("/member_role")
def member_role():
"""
Anyone can access the url and get the role of a MEMBER.
"""
r = Role.query.get(2)
session['role'] = r.name
session['header'] = "Welcome to Member Access!"
return render_template_string('<h2>{{ session["header"] }}</h2> <a href="/">Go back?</a>')
@app.route("/member_page")
@access_required(role="Member")
def member_page():
# session['header'] = "Welcome to Admin Page!"
return render_template_string('<h1>{{ session["header"] }}</h1> <a href="/">Go back?</a>')
@app.route("/admin_role")
def admin_role():
"""
Anyone can access the url and get the role of a ADMIN.
"""
r = Role.query.get(1)
session['role'] = r.name
session['header'] = "Welcome to Admin Access!"
return render_template_string('<h1>{{ session["header"] }}</h1> <a href="/">Go back?</a>')
@app.route("/admin_page")
@access_required(role="Admin")
def admin_page():
"""
This url requires an ADMIN role.
"""
return render_template_string('<h1>{{ session["header"] }}</h1> <a href="/">Go back?</a>')
@app.route("/guest_role")
def guest_role():
"""
For the GUEST, we will only delete the session and thus 'kill' the roles.
"""
session.clear()
return redirect(url_for('index'))
return app
# Start development web server
if __name__ == '__main__':
app = create_app()
app.run(host='0.0.0.0', port=5000, debug=True)
And now we can play because there are certain rules and these are: that the admin page can be accessed only if you have an admin role, the same applies to the member and his page. Also, you have a list of data that makes up the mentioned model from the first version of the answer. This list of data can also be seen with different roles. Details: if you have an admin role then you will be able to see all the data to be displayed, if you have a member role then you can only see users and of course you will not be able to see any data if you are a guest.
Here it is in pictorial form.
I hope now that this simple example will be helpful in further learning for both you and other members of the stackcoverflow community.
And I firmly believe that you will soon have a much better version.
Happy coding ...
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
