Flask declarative authorization leveraging bouncer
flask-bouncer is an authorization library for Flask which restricts what resources a given user is allowed to access. All the permissions are defined in a single location.
Enough chit-chat – show me the code …
pip install flask-bouncer
from flask.ext.bouncer import requires, ensure, Bouncer app = Flask() bouncer = Bouncer(app) # Define your authorization in one place and in english ... @bouncer.authorization_method def define_authorization(user, they): if user.is_admin: they.can(MANAGE, ALL) else: they.can(READ, ('Article', 'BlogPost')) they.can(EDIT, 'Article', lambda a: a.author_id == user.id) # Then decorate your routes with your conditions. # If it fails it will return a 401 @app.route("/articles") @requires(READ, Article) def articles_index(): return "A bunch of articles" @app.route("/topsecret") @requires(READ, TopSecretFile) def topsecret_index(): return "A bunch of top secret stuff that only admins should see"
from flask.ext.bouncer import requires, ensure @app.route("/articles/<article_id>") @requires(READ, Article) def show_article(article_id): article = Article.find_by_id(article_id) # can the current user 'read' the article, if not it will throw a 401 ensure(READ,article) return render_template('article.html', article=article)
You can use the ensure_authorization feature to ensure that all of your routes in your application have been authorized
bouncer = Bouncer(app, ensure_authorization=True)
This will check each request to ensure that an authorization check (either ensure or requires) has been made
If you want to skip a certain route, decorate your route with @skip_authorization. Like so:
@app.route("/articles") @skip_authorization def articles_index(): return "A bunch of articles"
I ❤ Flask-Classy Like a lot. Flask-Classy is an extension that adds class-based REST views to Flask.
from flask.ext.classy import FlaskView from yourapp.models import Article class ArticleView(FlaskView) # an additional class attribute that you need to add for flask-bouncer __target_model__ = Article def index(self) return "Index" def get(self, obj_id): return "Get " # ... methods for post, delete (and even put, and patch if you so like
# in your application.py or the like app = Flask("classy") bouncer = Bouncer(app) ArticleView.register(app) # Which classy views do you want to lock down, you can pass multiple bouncer.monitor(ArticleView)
Then voila – flask-bouncer will implicitly add the following conditions to the routes:
If you want to over-write the default requirements, just add the @requires decorator to the function
By default flask-bouncer will inspect g for user or current_user. You can add your custom loader by decorating a function with @bouncer.user_loader