2

I would like to protect access to my Views based on flask-security roles. So, for instance, I have set up:

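```python
from flask_admin.contrib.sqla import ModelView
from flask_security import current_user

class AdminView(ModelView):
    def is_accessible(self):
        return current_user.has_role('admin')
```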

and

```python
admin.add_view(AdminView(User, db.session))
```

The logic works: when I log in with a non-admin user, I don't see the User table; when I log in with an admin user, I see it.

But...

entering the URL

localhost/admin/user

still gives every user access to the user table, for both admins and non-admins. How can I use Flask-Admin to also protect the URL against access by non-admins? (Honestly, I would have expected `def is_accessible()` to manage that in the first place.)

Jonathan Scholbach
  • There is a self-contained example of handling Flask-Admin role based permissions on [SO](https://stackoverflow.com/a/33653754/2800058). – pjcunningham Sep 12 '17 at 09:01

1 Answer

-1

You could add a `@login_required` decorator to your view (read here), and since you are using Flask-Security, which is built partially on top of Flask-Login, that decorator might already be there.

smundlay
  • Actually that doesn't help me, since I have roles-based permissions. The permissions (which Role can see which View) are editable by the admins during runtime. That's why I need some solution within the class definition of the Flask-Admin Views. – Jonathan Scholbach Sep 12 '17 at 07:36
  • Okay, I see your problem. You could, first of all, always build your own route decorator. Or check out the Flask-Principal extension: https://pythonhosted.org/Flask-Principal/ – smundlay Sep 18 '17 at 03:40
  • Since I already got Flask-Security working, which includes Flask-Principal, I don't understand what you want to tell me with the last sentence in your comment. – Jonathan Scholbach Sep 18 '17 at 14:41