flask-login 中基于角色的授权
Role based authorization in flask-login
我需要在现有的 Flask 应用程序中引入基于角色的授权。因此,我不能只用 flask-user 交换当前使用的 flask-login 包。尽管如此,我必须限制 "admin" 用户对某些端点的访问,而无需重建整个代码库。
我想到了这样的装饰器:
def admin_required(func):
"""
Modified login_required decorator to restrict access to admin group.
"""
@wraps(func)
def decorated_view(*args, **kwargs):
if current_user.group != 0: # zero means admin, one and up are other groups
flash("You don't have permission to access this resource.", "warning")
return redirect(url_for("main.home"))
return func(*args, **kwargs)
return decorated_view
我将它与原始 login_required 装饰器一起使用,如下所示:
@app.route("/admin-restricted"):
@login_required
@admin_required
def admin_resource():
return "Hello admin"
一切都按预期进行,但我有两个问题:
- 我的方法安全吗?我是否遗漏了潜在的安全漏洞?不幸的是,我对 Flask 内部结构的了解有限。
- 还有其他 simple/safe/pythonic 方法吗?我就是觉得不对。
处理基于角色的权限更常用的方法是使用 Flask Principal。
在主应用中:
from flask_principal import Principal
# load the extension
principals = Principal(app)
@identity_loaded.connect_via(app)
def on_identity_loaded(sender, identity):
# Set the identity user object
identity.user = current_user
# Add the UserNeed to the identity
if hasattr(current_user, 'employee_id'):
identity.provides.add(UserNeed(current_user.employee_id))
# Assuming the User model has a list of roles, update the
# identity with the roles that the user provides
if hasattr(current_user, 'position'):
# for role in current_user.role:
identity.provides.add(RoleNeed(str(current_user.position)))
admin_permission = Permission(RoleNeed('admin'))
然后在路线中:
@app.route("/admin-restricted"):
@login_required
@admin_permission.require(http_exception=403)
def admin_resource():
return "Hello admin"
我需要在现有的 Flask 应用程序中引入基于角色的授权。因此,我不能只用 flask-user 交换当前使用的 flask-login 包。尽管如此,我必须限制 "admin" 用户对某些端点的访问,而无需重建整个代码库。
我想到了这样的装饰器:
def admin_required(func):
"""
Modified login_required decorator to restrict access to admin group.
"""
@wraps(func)
def decorated_view(*args, **kwargs):
if current_user.group != 0: # zero means admin, one and up are other groups
flash("You don't have permission to access this resource.", "warning")
return redirect(url_for("main.home"))
return func(*args, **kwargs)
return decorated_view
我将它与原始 login_required 装饰器一起使用,如下所示:
@app.route("/admin-restricted"):
@login_required
@admin_required
def admin_resource():
return "Hello admin"
一切都按预期进行,但我有两个问题:
- 我的方法安全吗?我是否遗漏了潜在的安全漏洞?不幸的是,我对 Flask 内部结构的了解有限。
- 还有其他 simple/safe/pythonic 方法吗?我就是觉得不对。
处理基于角色的权限更常用的方法是使用 Flask Principal。
在主应用中:
from flask_principal import Principal
# load the extension
principals = Principal(app)
@identity_loaded.connect_via(app)
def on_identity_loaded(sender, identity):
# Set the identity user object
identity.user = current_user
# Add the UserNeed to the identity
if hasattr(current_user, 'employee_id'):
identity.provides.add(UserNeed(current_user.employee_id))
# Assuming the User model has a list of roles, update the
# identity with the roles that the user provides
if hasattr(current_user, 'position'):
# for role in current_user.role:
identity.provides.add(RoleNeed(str(current_user.position)))
admin_permission = Permission(RoleNeed('admin'))
然后在路线中:
@app.route("/admin-restricted"):
@login_required
@admin_permission.require(http_exception=403)
def admin_resource():
return "Hello admin"