
Access Control

Thomas Pollet edited this page Mar 15, 2020 · 20 revisions

Application-Wide Access Control

You can implement application-wide access control using the Flask before_request decorator, which registers a function that runs before every request is dispatched.

Class-Level Access Control

Access control can be enforced on the API endpoints by means of function decorators, which are applied to every API endpoint of the class in which they are declared. In the following example we add the flask-httpauth login_required decorator to the decorators list of the User class:

from flask_httpauth import HTTPBasicAuth
from flask_sqlalchemy import SQLAlchemy
from safrs import SAFRSBase

db = SQLAlchemy()
auth = HTTPBasicAuth()


class User(SAFRSBase, db.Model):
    """
        description: Protected user resource
    """

    __tablename__ = "users"
    id = db.Column(db.String(32), primary_key=True)
    username = db.Column(db.String(32))
    # Decorators listed here are applied to every API endpoint of this class
    decorators = [auth.login_required]

We create a simplistic verify_password function to verify the username and password sent in the Authorization header:

@auth.verify_password
def verify_password(username_or_token, password):
    # Called by flask-httpauth with the credentials parsed from the
    # Authorization header. Implement your authentication here; the
    # hard-coded credentials below are for demonstration only, a real
    # implementation looks the user up and compares a password hash.
    if username_or_token == "user" and password == "pass":
        return True

    return False

The decorators can be customized; a custom decorator can, for example, require authentication only for specific HTTP methods (such as writes) while leaving the others open. Decorators declared on a class are also applied to the relationship endpoints exposed by that class's objects.
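As an added example (not code from the SAFRS project or this page), the method-specific decorator just described: a factory `guard_unless_public` that leaves read methods open and wraps every other method with a guard such as flask-httpauth's `auth.login_required`; since SAFRS applies class decorators to relationship endpoints too, writes through relationships are covered as well. The `auth` object is assumed to be the HTTPBasicAuth instance from the example above, and `simulate` uses a constructed fake guard in place of a running app.

```python
from functools import wraps
from typing import Callable, Iterable

# Methods served without authentication: reads only. Everything else
# (POST, PATCH, DELETE, ...) is guarded, so new or unusual methods fail closed.
PUBLIC_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _current_flask_method() -> str:
    """Return the HTTP method of the request Flask is currently handling."""
    from flask import request  # lazy import: module stays importable without Flask
    return request.method


def guard_unless_public(
    guard: Callable[[Callable], Callable],
    public_methods: Iterable[str] = PUBLIC_METHODS,
    method_getter: Callable[[], str] = _current_flask_method,
):
    """Build a SAFRS class decorator that applies `guard` (e.g. auth.login_required)
    to every request whose method is not in `public_methods`; `method_getter` is
    injectable so the decision logic can be exercised without a running app.
    Usage in a class, with `auth = HTTPBasicAuth()` as on this page (assumed):
        decorators = [guard_unless_public(auth.login_required)]
    """
    public = frozenset(m.upper() for m in public_methods)

    def decorator(endpoint):
        guarded = guard(endpoint)  # wrap once, when the class is defined
        @wraps(endpoint)
        def wrapper(*args, **kwargs):
            if method_getter().upper() in public:
                return endpoint(*args, **kwargs)
            return guarded(*args, **kwargs)
        return wrapper

    return decorator


def simulate(method: str, authenticated: bool) -> str:
    """Constructed stand-in for a protected endpoint: the fake guard rejects the
    call unless `authenticated` is True, mimicking auth.login_required."""
    def fake_login_required(f):
        @wraps(f)
        def inner(*args, **kwargs):
            return f(*args, **kwargs) if authenticated else "401 Unauthorized"
        return inner

    @guard_unless_public(fake_login_required, method_getter=lambda: method)
    def endpoint():
        return "200 OK"
    return endpoint()
```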

Access Control for Attributes and Relationships

More granular access control for attributes can be implemented

Access control for relationships should be implemented in the relationship target classes.