Flask-ACL is a Python package which provides configurable access control lists for Flask.
It is designed to allow for you to get started authorizing users immediately, but allows for a very high level of customization.
At the very minimum, you must setup a Login Manager, SECRET_KEY, and login view:
from flask import Flask, render_template
from flask.ext.login import LoginManager
from flask.ext.acl import ACLManager
app = Flask(__name__)
app.config['SECRET_KEY'] = 'monkey'
authn = LoginManager(app)
authz = ACLManager(app)
@app.route('/login')
def login():
return render_template('login.html'), 401
Then you can start attaching ACLs to your routes:
@app.route('/users_area')
@authz.route_acl('''
ALLOW AUTHENTICATED http.get
DENY ANY ALL
''')
def users_area():
# only authenticated users will get this far
You can also check for permissions on your models by defining an __acl__ attribute:
class MyModel(object):
__acl__ = '''
ALLOW AUTHENTICATED ALL
DENY ANY ALL
'''
# ...
@app.route('/model/<id>')
def show_a_model(id):
obj = MyModel.get(id)
if not auths.can('read', obj):
abort(404)
else:
return render_template('mymodel.html', obj=obj)