Role Based Access Control¶
Sometimes we need to protect endpoints with roles and role permissions, so that only specific users can reach them.
Let’s get started…
First Step¶
First we need a REST API to protect. Create one with:
$ flask api new User --crud
Create User¶
First we need to create a role for the user:
$ flask role new admin -d "Admin Role"
Now we create an admin user:
$ flask user new admin@email.com -r admin
Then enter the data the terminal prompts for.
Can a user be created without a role? Of course it can!
Protect Endpoints With Roles¶
All you need is to add the authenticate decorator, with a roles argument, to the view, like this:
@authenticate(roles={"admin": []})
# your view here...
For example, edit the read view in the apis/user.py file and add the authenticate decorator, as follows:
@authenticate(roles={"admin": []})
@marshal_with(200, ReadUserSchema(many=True))
def read():
    """
    Read all data.
    """
    data = User.query.all()
    return data
Now the /api/user/read endpoint can be accessed by admins only!
Protect Endpoint With Role Permissions¶
First, create the permission:
$ flask permission new can_all -d "Permission to do anything"
Then add the permission to the authenticate decorator, for example:
@authenticate(roles={"admin": ["can_all"]})
@marshal_with(200, ReadUserSchema(many=True))
def read():
    """
    Read all data.
    """
    data = User.query.all()
    return data
Now the /api/user/read endpoint can only be accessed by admins who have the can_all permission!
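To make the two decorator forms above concrete (a bare role versus a role plus required permissions), here is an added, self-contained stand-in that is not the project's own authenticate implementation. It assumes an in-memory user table (constructed here) in place of the framework's user loader, raises a Forbidden exception in place of an HTTP 403, and assumes that a request passes when any one role entry in the roles dict is satisfied.

```python
from functools import wraps

# Constructed users; the real project loads the current user from its auth layer.
USERS = {
    "admin@email.com": {"roles": {"admin"}, "permissions": {"can_all"}},
    "auditor@email.com": {"roles": {"admin"}, "permissions": set()},
    "guest@email.com": {"roles": set(), "permissions": set()},
}


class Forbidden(Exception):
    """Stands in for the HTTP 403 the real decorator would return."""


def is_authorized(user, roles):
    """roles maps a role name to the permissions required alongside it.
    An empty list means "any user holding the role"; a non-empty list means
    the user must hold the role AND every listed permission.
    Assumption: satisfying any one role entry is enough."""
    for role, required in roles.items():
        if role in user["roles"] and set(required) <= user["permissions"]:
            return True
    return False


def authenticate(roles):
    """Hypothetical stand-in for the project's authenticate decorator.
    The caller's e-mail is passed explicitly instead of being read from the
    request, which keeps the check runnable without Flask."""
    def decorator(view):
        @wraps(view)
        def wrapper(current_user_email, *args, **kwargs):
            user = USERS.get(current_user_email)
            if user is None or not is_authorized(user, roles):
                raise Forbidden(f"{current_user_email} may not call {view.__name__}")
            return view(*args, **kwargs)
        return wrapper
    return decorator


@authenticate(roles={"admin": []})          # any admin, as in the first example
def read_any_admin():
    return "ok"


@authenticate(roles={"admin": ["can_all"]})  # admin with can_all, as in the second
def read_can_all():
    return "ok"


def check(view, email):
    """Return True if the caller is allowed, False if the check rejects it."""
    try:
        view(email)
    except Forbidden:
        return False
    return True
```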