Home Python C Language C ++ HTML 5 CSS Javascript Java Kotlin SQL DJango Bootstrap React.js R C# PHP ASP.Net Numpy Dart Pandas Digital Marketing
× Flask
Introduction Overview Flask vs Django Virtual Environment Installing Flask Structure Server Routing Request Templates Flask Forms File Uploads Flask Models Query Migrations Authentications Password Authorization Blueprints Error Handling Middleware Extensions RESTful APIs JSON Authentication Pagination Tests Tools Production Deploying WSGI Caching Jobs Real Time Asynchronous

Authorization in Flask

Introduction

This article explains how to implement role-based access control and protect routes using decorators in Flask. Role-based access control ensures that only users with specific roles can access certain parts of the application.

Step 1: Setting Up Flask and SQLAlchemy

Start by installing Flask and SQLAlchemy:

            pip install flask flask-sqlalchemy

Configure your Flask app:

            from flask import Flask, redirect, url_for, request, flash
            from flask_sqlalchemy import SQLAlchemy

            app = Flask(__name__)
            app.config['SECRET_KEY'] = 'your_secret_key'
            app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///roles.db'
            db = SQLAlchemy(app)

Step 2: Defining the User Model

Create a User model with a role field:

            class User(db.Model):
                id = db.Column(db.Integer, primary_key=True)
                username = db.Column(db.String(80), unique=True, nullable=False)
                role = db.Column(db.String(20), nullable=False)

            db.create_all()

Example roles could include admin, editor, and viewer.

Step 3: Creating Role-Based Access Control Decorators

Define a decorator to check the user's role before allowing access to a route:

            from functools import wraps

            def role_required(required_role):
                def decorator(func):
                    @wraps(func)
                    def wrapper(*args, **kwargs):
                        # Simulate fetching the current user (replace with real logic)
                        current_user = User.query.filter_by(username='example_user').first()
                        if current_user and current_user.role == required_role:
                            return func(*args, **kwargs)
                        else:
                            flash('Access denied. You do not have the required role.')
                            return redirect(url_for('login'))
                    return wrapper
                return decorator

Step 4: Protecting Routes

Use the decorator to restrict access to specific routes:

            @app.route('/admin')
            @role_required('admin')
            def admin_page():
                return 'Welcome, Admin! This is the admin page.'

            @app.route('/editor')
            @role_required('editor')
            def editor_page():
                return 'Welcome, Editor! This is the editor page.'

            @app.route('/viewer')
            @role_required('viewer')
            def viewer_page():
                return 'Welcome, Viewer! This is the viewer page.'

Step 5: Adding Users with Roles

Create a route to add new users with specific roles:

            @app.route('/add-user', methods=['POST'])
            def add_user():
                username = request.form.get('username')
                role = request.form.get('role')
                user = User(username=username, role=role)
                db.session.add(user)
                db.session.commit()
                flash('User added successfully!')
                return redirect(url_for('login'))

Form for adding users:

            <form method="POST" action="/add-user">
                Username: <input type="text" name="username"><br>
                Role: <select name="role">
                    <option value="admin">Admin</option>
                    <option value="editor">Editor</option>
                    <option value="viewer">Viewer</option>
                </select><br>
                <button type="submit">Add User</button>
            </form>

Step 6: Testing Role-Based Access Control

Start the Flask application, add users with different roles, and test accessing the protected routes. Ensure that only users with the correct roles can access specific pages.

Conclusion

Role-based access control allows you to secure your application by restricting access to routes based on user roles. By using decorators, you can easily enforce these restrictions and manage user permissions effectively.

Advertisement





Q3 Schools : India


Online Complier

HTML 5

Python

java

C++

C

JavaScript

Website Development

HTML

CSS

JavaScript

Python

SQL

Campus Learning

C

C#

java