Access Control
The complexity of implementing proper API access control depends on the granularity of access control required:
With application-level access control, all authenticated users can retrieve all API data. You can implement application-wide access control using the flask before_request decorator.
Access control can be enforced on the API endpoints by means of function decorators; the decorators listed in a class are applied to all API endpoints of that class. This is demonstrated in this example, where we add the flask-httpauth login_required decorator to the decorators list of the User class:
```python
from flask_sqlalchemy import SQLAlchemy
from flask_httpauth import HTTPBasicAuth
from safrs import SAFRSBase

db = SQLAlchemy()
auth = HTTPBasicAuth()

class User(SAFRSBase, db.Model):
    """
    description: Protected user resource
    """
    __tablename__ = "users"
    id = db.Column(db.String(32), primary_key=True)
    username = db.Column(db.String(32))
    # The decorators in this list are applied to all API endpoints of the class
    decorators = [auth.login_required]
```
We create a simplistic verify_password function to verify the username and password sent in the Authorization header:
```python
@auth.verify_password
def verify_password(username_or_token, password):
    # Implement your authentication here; the hard-coded credentials below
    # are a placeholder for a real user store
    if username_or_token == "user" and password == "pass":
        return True
    return False
```
The decorators can be customized; this example shows a custom decorator where authentication is only required for specific HTTP methods. These decorators are also applied to the relationships exposed by the class objects.
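The following is an added example, not code from the SAFRS project or its wiki, showing the shape of such a method-specific decorator. It stands in for flask's `request` with a constructed `Request` dataclass and for flask-httpauth with a small HTTP Basic parser, so it runs without Flask installed; the user table, the `login_required_for` and `users_endpoint` names and the `(status, headers, body)` return convention are all assumptions made for the illustration. Reads pass without credentials, while POST, PATCH and DELETE require a valid Basic Authorization header and otherwise get a 401 with a WWW-Authenticate challenge.

```python
import base64
import functools
import hmac
from dataclasses import dataclass, field


# Constructed stand-in for flask.request; a real SAFRS app reads the
# method and headers from flask.request instead.
@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


# Constructed credential store (assumption: the "user"/"pass" pair from the page).
# A real deployment would keep salted password hashes, never plaintext.
USERS = {"user": "pass"}


def verify_password(username, password):
    """Constant-time comparison so timing does not reveal which part failed."""
    expected = USERS.get(username, "")
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return ok and username in USERS


def credentials_from(request):
    """Parse an HTTP Basic Authorization header; None if absent or malformed."""
    header = request.headers.get("Authorization", "")
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def login_required_for(methods):
    """Decorator factory: require authentication only for the listed HTTP methods.

    Requests using any other method pass straight through to the endpoint.
    """
    protected = {m.upper() for m in methods}

    def decorator(endpoint):
        @functools.wraps(endpoint)
        def wrapper(request, *args, **kwargs):
            if request.method.upper() in protected:
                creds = credentials_from(request)
                if creds is None or not verify_password(*creds):
                    # 401 plus a challenge header, as flask-httpauth would send
                    return 401, {"WWW-Authenticate": 'Basic realm="api"'}, {"error": "unauthorized"}
            return endpoint(request, *args, **kwargs)
        return wrapper
    return decorator


@login_required_for(["POST", "PATCH", "DELETE"])
def users_endpoint(request):
    """Hypothetical endpoint: reads are public, writes need credentials."""
    return 200, {}, {"method": request.method, "data": "ok"}


def basic_header(username, password):
    """Build the Authorization header a client would send (test helper)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(users_endpoint(Request("GET")))                                   # 200, no credentials needed
    print(users_endpoint(Request("POST")))                                  # 401
    print(users_endpoint(Request("POST", basic_header("user", "pass"))))    # 200
```

In a SAFRS class the equivalent would be `decorators = [login_required_for(["POST", "PATCH", "DELETE"])]`, with the wrapper reading `flask.request` rather than taking the request as an argument. Note the deny path: a malformed header, an unknown scheme and a wrong password all collapse into the same 401, so the response does not tell a caller which check failed.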
More granular access control for attributes can be implemented
- by overriding the _s_check_perms method
- by overriding the _s_post and _s_patch methods (HTTP methods)
- in the class __init__ constructor for post requests
- in the orm.reconstructor for patch requests
- in the to_dict json serialization method
- using a custom SQLAlchemy column type
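As an added example (not SAFRS code; it does not reproduce the signatures of `to_dict` or `_s_patch`, which you would check against the SAFRS source before overriding), the sketch below shows the two attribute-level checks the list above points at: a serializer that emits only the attributes a caller's role may read, and a patch handler that rejects the whole update if any changed attribute is not writable for that role. The role names, the `READABLE`/`WRITABLE` allowlists and the plain `User` dataclass are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed role -> readable attribute allowlists (assumption, not SAFRS config).
# Deny by default: an attribute missing from a role's set is never serialized for it,
# so a newly added column is hidden until someone explicitly exposes it.
READABLE = {
    "admin": {"id", "username", "email", "is_active"},
    "user": {"id", "username"},
}
# Attributes a role may change through a PATCH-style update.
WRITABLE = {
    "admin": {"username", "email", "is_active"},
    "user": {"username"},
}


class PermissionDenied(Exception):
    """Raised when an update touches an attribute the role may not write."""


@dataclass
class User:
    id: str
    username: str
    email: str
    is_active: bool = True

    def to_dict(self, role):
        """Serialize only the attributes the caller's role may read."""
        allowed = READABLE.get(role, set())
        return {k: v for k, v in vars(self).items() if k in allowed}

    def apply_patch(self, role, changes):
        """Apply an update only if every changed attribute is writable for the role.

        The check runs before any attribute is assigned, so a rejected patch
        leaves the object untouched instead of half-applied.
        """
        forbidden = set(changes) - WRITABLE.get(role, set())
        if forbidden:
            raise PermissionDenied(f"{role} may not modify: {sorted(forbidden)}")
        for k, v in changes.items():
            setattr(self, k, v)
        return self.to_dict(role)


if __name__ == "__main__":
    u = User("1", "alice", "alice@example.com")
    print(u.to_dict("user"))     # only id and username
    print(u.to_dict("admin"))    # all four attributes
    try:
        u.apply_patch("user", {"is_active": False})
    except PermissionDenied as e:
        print("rejected:", e)
```

The same allowlists can back an `_s_check_perms` override; the important property is that both read and write checks consult an explicit allowlist keyed by role, rather than a denylist of "sensitive" columns that silently misses the next one added to the model.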
Access control for relationships can be implemented
- in the relationship target classes
- by overriding _s_relationships
- by overriding _s_get_related