Role Based Access Control

Sometimes we need to protect endpoints with role access and role permissions. What for? to grant access to specific users.

Let’s get started…

First Step

We have to create a REST API first. Let’s create:

$ flask api new User --crud

Create User

First we need to create a role for the user:

$ flask role new admin -d "Admin Role"

Now we create an admin user:

$ flask user new admin@email.com -r admin

And input the required data which appears at the terminal.

What if I create a user without role access? of course you can!

Protect Endpoints With Roles

All you need is to add an authenticate decorator with a roles to the view, like this:

@authenticate(roles={"admin": []})
# your view here...

For example, edit the read view in the apis/user.py file and add the authenticate decorator, as follows:

@authenticate(roles={"admin": []})
@marshal_with(200, ReadUserSchema(many=True))
def read():
    """
    Read all data.
    """

    data = User.query.all()
    return data

Now the /api/user/read endpoint can be accessed by admin only!

Protect Endpoint With Role Permissions

First you have to create role permissions first:

$ flask permission new can_all -d "Permission to do anything"

And add permission to the authenticate decorator, for example:

@authenticate(roles={"admin": ["can_all"]})
@marshal_with(200, ReadUserSchema(many=True))
def read():
    """
    Read all data.
    """

    data = User.query.all()
    return data

Now the /api/user/read endpoint can only be accessed by admins who have the permission can_all!