Role Based Access Control

Sometimes we need to protect endpoints with role access and role permissions. Why? To grant access only to specific users.

Let’s get started…

First Step

First we have to create a REST API. Let's create one:

$ flask api new User --crud

Create User

First we need to create a role for the user:

$ flask role new admin -d "Admin Role"

Now we create an admin user:

$ flask user new admin@email.com -r admin

Then enter the required data the terminal prompts for.

What if you want to create a user without a role? Of course you can!

Protect Endpoints With Roles

All you need is to add the authenticate decorator with a roles argument to the view. The dict maps each allowed role name to the list of permissions that role must hold; an empty list means the role alone is enough, like this:

@authenticate(roles={"admin": []})
# your view here...

For example, add the decorator to the get view in the api/user.py file, as follows:

@authenticate(roles={"admin": []})
@marshal_with(ReadUserSchema(many=True), 200)
def get():
    """
    Read all data.
    """

    data = User.query.all()
    return data

Now the /api/user/get endpoint can be accessed only by users with the admin role!

Protect Endpoint With Role Permissions

First you have to create the role permission:

$ flask permission new can_all -d "Permission to do anything"

Then add the permission to the role's list in the authenticate decorator, for example:

@authenticate(roles={"admin": ["can_all"]})
@marshal_with(ReadUserSchema(many=True), 200)
def get():
    """
    Read all data.
    """

    data = User.query.all()
    return data

Now the /api/user/get endpoint can only be accessed by admins who have the permission can_all!
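To make the two checks above concrete (role-only access and role-plus-permission access), here is an added, framework-independent example of how such an authenticate decorator can be written. This is not the project's own implementation: the User dataclass, the exception classes, the explicit current_user argument and the check() helper are all assumptions made for the example (a real framework would load the user from the session or token instead of taking it as a parameter).

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional, Set

# Hypothetical user model: one role name and the set of permission names it holds.
@dataclass
class User:
    email: str
    role: Optional[str] = None
    permissions: Set[str] = field(default_factory=set)


class Unauthenticated(Exception):
    """No user at all (a real API would answer 401)."""


class AccessDenied(Exception):
    """User is known but not allowed (a real API would answer 403)."""


def authenticate(roles: Optional[Dict[str, List[str]]] = None) -> Callable:
    """Decorator mirroring the {"role": [permissions...]} shape used above.

    - roles={"admin": []}            -> any user whose role is admin may pass
    - roles={"admin": ["can_all"]}   -> the admin must also hold can_all
    A role that is not listed is denied (deny by default).
    """
    required_by_role: Dict[str, List[str]] = roles or {}

    def decorator(view: Callable) -> Callable:
        @wraps(view)
        def wrapper(current_user: Optional[User], *args, **kwargs):
            if current_user is None:
                raise Unauthenticated("login required")
            if required_by_role:
                if current_user.role not in required_by_role:
                    raise AccessDenied(f"role {current_user.role!r} not allowed")
                missing = set(required_by_role[current_user.role]) - current_user.permissions
                if missing:
                    raise AccessDenied(f"missing permissions: {sorted(missing)}")
            return view(*args, **kwargs)

        return wrapper

    return decorator


# Constructed in-memory "table" standing in for User.query.all().
SAMPLE_USERS = ["admin@email.com", "alice@email.com"]


@authenticate(roles={"admin": []})
def list_users_role_only() -> List[str]:
    """Equivalent of the first protected get(): any admin may read."""
    return list(SAMPLE_USERS)


@authenticate(roles={"admin": ["can_all"]})
def list_users_with_permission() -> List[str]:
    """Equivalent of the second protected get(): admin with can_all only."""
    return list(SAMPLE_USERS)


def check(view: Callable, user: Optional[User]) -> str:
    """Run a protected view for a user and report the outcome as a short label."""
    try:
        view(user)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except AccessDenied:
        return "forbidden"


# Constructed sample users covering each case the text describes.
ADMIN_WITH_PERMISSION = User("admin@email.com", "admin", {"can_all"})
ADMIN_WITHOUT_PERMISSION = User("admin2@email.com", "admin")
REGULAR_USER = User("alice@email.com", "user")
NO_ROLE_USER = User("bob@email.com")


if __name__ == "__main__":
    for label, user in [("admin+can_all", ADMIN_WITH_PERMISSION),
                        ("admin, no perms", ADMIN_WITHOUT_PERMISSION),
                        ("regular user", REGULAR_USER),
                        ("no role", NO_ROLE_USER),
                        ("anonymous", None)]:
        print(f"{label:16} role-only={check(list_users_role_only, user):15} "
              f"with-permission={check(list_users_with_permission, user)}")
```

Two design points worth keeping in any real implementation: a role that is not in the dict is refused rather than silently allowed (deny by default), and "not logged in" is reported separately from "logged in but not allowed" so the client and your logs can tell the two apart.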