Reputation: 385
Flask-Admin with Custom Security
I'm new to Flask-Admin and I was able to implement it to my app. Everything is working fine. Admin views are set and they can display and create/delete data.
When I look for the security options I see that I can roll my own. But it shows a class based view example (mine is function based) and requires to use Flask-Login. I don't want to use that. I already have authorization check for the necessary paths like the following;
def login_required(something):
@wraps(something)
def wrap(*args, **kwargs):
if 'logged_in' in session:
return test(*args, **kwargs)
else:
return redirect(url_for('main.login'))
return wrap
@main_blueprint.route('/')
@login_required
def index():
form = MessageForm(request.form)
return render_template('index.html', form=form)
@main_blueprint.route('/login', methods=['GET', 'POST'])
def login():
error = None
form = LoginForm(request.form)
if request.method == 'POST':
if form.validate_on_submit():
user = User.query.filter_by(name=request.form['name']).first()
if user is not None and bcrypt.check_password_hash(user.password, request.form['password']):
session['logged_in'] = True
session['user_id'] = user.id
session['role'] = user.role
session['user'] = user.name
flash('Welcome')
return redirect(url_for('main.index'))
else:
error = 'Invalid Username or Password.'
flash('Invalid Username/Password Combination')
return render_template('login.html', form=form, error=error)
I've tried to do to do the following
@main_blueprint.route('/admin')
@login_required
def admin():
return render_template('admin/master.html')
But obviously that's not working.
How can I implement my own security to the Flask-Admin paths without using Flask-Login or Flask-Security or any other additional modules??
Upvotes: 1
Views: 757
Answers (1)
Reputation: 385
I think I found my answer. With the help of https://danidee10.github.io/2016/11/14/flask-by-example-7.html I was able to implement it to my app.
class AdminView(sqla.ModelView):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.static_folder = 'static'
def is_accessible(self):
return session.get('role') == 'admin'
def inaccessible_callback(self, name, **kwargs):
if not self.is_accessible():
return redirect(url_for('main.login', next=request.url))
and changed admin = Admin(app) to:
admin = Admin(app, name='Dashboard', index_view=AdminView(User, db.session, url='/admin', endpoint='admin'))
Upvotes: 2
Related Questions
- How to use Flask-admin with flask-principal(security) to handle users by roles?
- Admin(only) registration of users, Flask-Security
- flask-security - admin create user, force user to choose password
- Flask-Admin Role Based Access - Modify access based on role
- flask security separating access data on flask admin
- How to secure the flask-admin panel with flask-security
- Trying to implement flask-security
- How to secure Flask-Admin if my only user is going to be the Admin?
- Flask-Security access Login Manager
- Flask-Admin & Authentication: "/admin" is protected but "/admin/anything-else" is not