flask-bouncer

Flask declarative authorization leveraging bouncer

flask-bouncer is an authorization library for Flask which restricts what resources a given user is allowed to access. All the permissions are defined in a single location.

Enough chit-chat – show me the code …

Installation

pip install flask-bouncer

Usage

from flask import Flask
# flask.ext.* imports were removed in Flask 1.0; import the package directly.
from flask_bouncer import requires, ensure, Bouncer
from bouncer.constants import READ, EDIT, MANAGE, ALL
from yourapp.models import Article, TopSecretFile  # your own models

app = Flask(__name__)
bouncer = Bouncer(app)

# Define your authorization in one place and in English ...
@bouncer.authorization_method
def define_authorization(user, they):
    if user.is_admin:
        they.can(MANAGE, ALL)
    else:
        they.can(READ, ('Article', 'BlogPost'))
        they.can(EDIT, 'Article', lambda a: a.author_id == user.id)

# Then decorate your routes with your conditions.
# If the check fails, the request is rejected with a 401.
@app.route("/articles")
@requires(READ, Article)
def articles_index():
    return "A bunch of articles"

@app.route("/topsecret")
@requires(READ, TopSecretFile)
def topsecret_index():
    return "A bunch of top secret stuff that only admins should see"
  • When you are dealing with a specific resource, use the ensure method:

from flask import render_template
from flask_bouncer import requires, ensure
from bouncer.constants import READ
from yourapp.models import Article

@app.route("/articles/<article_id>")
@requires(READ, Article)
def show_article(article_id):
    article = Article.find_by_id(article_id)

    # Can the current user 'read' this particular article? If not, a 401 is raised.
    ensure(READ, article)
    return render_template('article.html', article=article)

  • Check out bouncer for more details about defining Abilities.
  • By default flask-bouncer looks for current_user or user stored in flask's g.

Lock It Down

You can use the ensure_authorization feature to ensure that every route in your application has been authorized:

bouncer = Bouncer(app, ensure_authorization=True)

This checks each request to ensure that an authorization check (either ensure or requires) has been made.

If you want to skip a certain route, decorate your route with @skip_authorization. Like so:

from flask_bouncer import skip_authorization

@app.route("/articles")
@skip_authorization
def articles_index():
    return "A bunch of articles"
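A stand-alone model of the two mechanisms above, added here for illustration and not flask-bouncer's or bouncer's own code: the rule DSL from Usage (they.can with an optional condition, model-level versus instance-level checks) and the fail-closed check behind ensure_authorization. User, Article, the "ok"/"unchecked" outcomes and the use of PermissionError are this example's own assumptions.

```python
# Added example, not flask-bouncer's or bouncer's own code: a minimal stand-in for
# the rule DSL used above (they.can(action, subject, condition)) and for the fail-closed
# behaviour of ensure_authorization=True. User, Article and the outcome strings are constructed.
from collections import namedtuple

READ, EDIT, MANAGE, ALL = "read", "edit", "manage", "all"
User = namedtuple("User", "id is_admin", defaults=(False,))
Article = namedtuple("Article", "id author_id")

def define_authorization(user, they):  # the same rules as the README's example
    if user.is_admin:
        they.can(MANAGE, ALL)
    else:
        they.can(READ, ("Article", "BlogPost"))
        they.can(EDIT, "Article", lambda a: a.author_id == user.id)

class Abilities:
    """Rules granted to one user, collected by calling define_authorization."""
    def __init__(self, user):
        self.rules = []
        define_authorization(user, self)

    def can(self, action, subject, condition=None):
        subjects = subject if isinstance(subject, tuple) else (subject,)
        self.rules.append((action, subjects, condition))

    def allows(self, action, subject):
        # subject is a model name (route-level @requires) or an instance (ensure).
        # A model-level check passes if some instance could match; an instance
        # must satisfy the rule's condition. With no matching rule: deny.
        name = subject if isinstance(subject, str) else type(subject).__name__
        for rule_action, subjects, cond in self.rules:
            if rule_action in (action, MANAGE) and (ALL in subjects or name in subjects):
                if cond is None or isinstance(subject, str) or cond(subject):
                    return True
        return False

def handle_request(user, route):
    """Run `route` as `user` with an ensure(action, subject) callable. Returns "ok", or
    "unchecked" if the route never called ensure (what ensure_authorization=True rejects)."""
    abilities, checked = Abilities(user), []

    def ensure(action, subject):  # a denied check aborts the route
        checked.append((action, subject))
        if not abilities.allows(action, subject):
            raise PermissionError(f"user {user.id} may not {action} {subject}")

    route(ensure)
    return "ok" if checked else "unchecked"
```

Note that a model-level EDIT check passes for a non-admin even though they may only edit their own articles; that is why the per-object ensure call inside the route matters.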

Flask-Classy Support

I ❤ Flask-Classy. Like, a lot. Flask-Classy is an extension that adds class-based REST views to Flask.

1) Define your View as you would with flask-classy:

from flask_classy import FlaskView
from yourapp.models import Article

class ArticleView(FlaskView):

    # an additional class attribute that you need to add for flask-bouncer
    __target_model__ = Article

    def index(self):
        return "Index"

    def get(self, obj_id):
        return "Get "

    # ... methods for post, delete (and even put and patch if you so like)

2) Register the View with flask and bouncer:

# in your application.py or the like
from flask import Flask
from flask_bouncer import Bouncer
from yourapp.views import ArticleView  # wherever step 1's view lives (module path assumed)

app = Flask("classy")
bouncer = Bouncer(app)
ArticleView.register(app)

# Which classy views do you want to lock down? You can pass multiple.
bouncer.monitor(ArticleView)

Then voila – flask-bouncer will implicitly add the following conditions to the routes:

  • You need 'READ' privileges for 'index', 'show' and 'get'
  • You need 'CREATE' privileges for 'new', 'put' and 'post'
  • You need 'UPDATE' privileges for 'edit' and 'patch'

If you want to override the default requirements, just add the @requires decorator to the function.

Configuration

current_user

By default flask-bouncer inspects g for user or current_user. You can add a custom loader by decorating a function with @bouncer.user_loader.

Other Features

Notes

  • This library focuses only on authorization; authentication is left to other libraries such as flask-login.

Thank You!

  • Ryan Bates and his excellent CanCan Ruby library, which is the inspiration for this library.

Questions / Issues

Feel free to ping me on twitter: @tushman or add issues or PRs at https://github.com/jtushman/flask-bouncer
