Reputation: 31
I am trying to build a REST API with Flask-JSONAPI and Flask-Security.
I use an Auth Token for authentication and @login_required to secure my API endpoints (authentication).
But now I want to ensure that only the owner of an object (its creator) can (C)RUD the data. Right now every user can see every object that is created (authorisation).
I want to use a Resource Manager here but didn't find a proper example of Flask-Security in Resource Managers. For example, a user (person) should only be able to see the computer objects associated with the same user id. Do I have to use the Auth Token for that? Is there a simple way to get the id of the user who is logged in and doing the request?
Upvotes: 1
Views: 142
Reputation: 35
from flask_security import current_user
That represents a user instance of the currently logged-in user. This user can be anonymous in cases where no user is logged in, but if a user is logged in then the object will represent an object of the User class.
Upvotes: 1
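As an added example (not code from the question or the answer): the owner scoping the question asks for, written as the hooks a Flask-REST-JSONAPI resource manager can register through data_layer['methods'] (query, before_create_object, after_get_object). It uses the stdlib sqlite3 module in place of db.session and a constructed SimpleNamespace in place of flask_security.current_user so it runs offline; the class name, table name and user ids are assumptions.

```python
import sqlite3
from types import SimpleNamespace

class ObjectNotFound(Exception):
    pass  # stand-in for flask_rest_jsonapi.exceptions.ObjectNotFound (HTTP 404)

class OwnerScopedComputers:
    """Models the hooks a Flask-REST-JSONAPI resource passes in data_layer['methods'];
    conn stands in for db.session, user for flask_security.current_user."""

    def __init__(self, conn, user):
        self.conn, self.user = conn, user
    def query(self):
        # list endpoint: filter on the caller's id so other users' rows never leave the DB
        return self.conn.execute("SELECT id, name, person_id FROM computer WHERE person_id = ?",
                                 (self.user.id,)).fetchall()
    def before_create_object(self, data):
        # ignore any client-supplied owner: the creator is always the requesting user
        data["person_id"] = self.user.id
    def create_object(self, data):
        self.before_create_object(data)
        return self.conn.execute("INSERT INTO computer (name, person_id) VALUES (?, ?)",
                                 (data["name"], data["person_id"])).lastrowid
    def after_get_object(self, obj):
        # detail/update/delete by id: another user's object is reported as missing (404)
        if obj["person_id"] != self.user.id:
            raise ObjectNotFound(f"computer {obj['id']}")
        return obj
    def get_object(self, computer_id):
        obj = self.conn.execute("SELECT id, name, person_id FROM computer WHERE id = ?",
                                (computer_id,)).fetchone()
        if obj is None:
            raise ObjectNotFound(f"computer {computer_id}")
        return self.after_get_object(obj)

def demo():  # returns (alice's computer names, bob's computer names, could bob read alice's?)
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows are addressable by column name
    conn.execute("CREATE TABLE computer (id INTEGER PRIMARY KEY, name TEXT, person_id INTEGER)")
    alice = OwnerScopedComputers(conn, SimpleNamespace(id=1))  # constructed stand-in User
    bob = OwnerScopedComputers(conn, SimpleNamespace(id=2))
    alice_pc = alice.create_object({"name": "alice-laptop", "person_id": 2})  # spoofed owner
    bob.create_object({"name": "bob-desktop"})
    try:
        bob.get_object(alice_pc)
        leaked = True
    except ObjectNotFound:
        leaked = False
    return [c["name"] for c in alice.query()], [c["name"] for c in bob.query()], leaked
```

In the real app the three hooks go into the resource's data_layer['methods'] and read the id from current_user.id; the detail, update and delete routes of a ResourceDetail all fetch the object first, so they pick up the owner check from after_get_object.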