0

Context:

I want to restrict access to a user's page only to the user. Since I won't know the users' names, I can't specify their name in the roles_required decorator.

So what I'm doing at the moment is using Flask-User to assign a role to the user and using the @roles_required decorator to restrict access to this user only. FYI, I'm setting the role's name to the user's id (UUID).

Problem:

I can't hardcode the user's role id in the roles_required() decorator. How can I possibly set this to a variable, so that I can do a query against my db to check if this user should be able to access?

    @route('/api/<userid>')
    @roles_required('<userid>')  # 38096c6c-fd3d-44fc-8918-b2632b41540e
    def my_homepage(userid):
        return "hello world"

The issue is that, because I am dynamically creating the route (each user has their own page, which is their UUID), I can't hardcode the role required, as it depends on the page address.

I'm open to suggestions to go another route. I just want the cleanest solution in the end.

RooneyMUFC

1 Answer

2

I'd just do it in the view:

    @route('/api/<userid>')
    def my_homepage(userid):
        # Reject the request unless the logged-in user owns this page
        if current_user.id != userid:
            abort(403, "You can't access that")
        return "hello world"

dmitrybelyakov
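
An added example, not part of the answer above or of Flask-User: the same ownership check packaged as a reusable decorator, so every per-user route gets it, with both ids normalised as UUIDs before comparison. Assumptions: the name `owner_required` and the helper `status_for` are hypothetical, and `session["user_id"]` stands in for `current_user.id` so the block runs with Flask alone.

```python
import uuid
from functools import wraps
from flask import Flask, abort, session

app = Flask(__name__)
app.secret_key = "constructed-demo-key"  # constructed value, demo only

ALICE = "38096c6c-fd3d-44fc-8918-b2632b41540e"  # UUID from the question
BOB = "11111111-2222-4333-8444-555555555555"    # constructed sample UUID

def owner_required(param="userid"):
    """Allow the request only if the URL's <param> is the logged-in user's id."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            current_id = session.get("user_id")  # stand-in for current_user.id
            if current_id is None:
                abort(401)  # not logged in at all
            try:
                # Compare as UUID objects so upper/lower case or a str-vs-UUID
                # type difference cannot turn into a false mismatch.
                requested = uuid.UUID(str(kwargs[param]))
                owner = uuid.UUID(str(current_id))
            except ValueError:
                abort(404)  # the path segment is not a UUID
            if requested != owner:
                abort(403, "You can't access that")
            return view(*args, **kwargs)
        return wrapper
    return decorator

@app.route("/api/<userid>")
@owner_required("userid")
def my_homepage(userid):
    return "hello world"

def status_for(logged_in_as, requested):
    """GET /api/<requested> as the given user (None = anonymous); return the status code."""
    with app.test_client() as client:
        if logged_in_as is not None:
            with client.session_transaction() as sess:
                sess["user_id"] = logged_in_as
        return client.get(f"/api/{requested}").status_code
```

The check runs on every request and derives the owner from the authenticated session, never from anything the client sends besides the path being requested.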