Example of combining Flask-Security and Flask-Admin
by Steve Saporta
April 15, 2014
Flask-Security provides a convenient way to add authentication and authorization to a Flask web app. Flask-Admin provides a convenient way to perform CRUD operations on database tables. This example combines Flask-Security and Flask-Admin so that authorized administrators can maintain the lists of users and roles that control access to the app.
You could easily generalize this app so that administrators could manage all sorts of database tables, not just users and roles.
This app also provides a basic example of the use of several underlying technologies that support Flask-Security and Flask-Admin.
Here are some helpful links:
- Flask: http://flask.pocoo.org/
- Flask-Admin: https://flask-admin.readthedocs.org/en/latest/
- Flask-Security: https://pythonhosted.org/Flask-Security/
- Flask-Mail, which helps send email messages generated by Flask-Security: https://pythonhosted.org/Flask-Mail/
- SQLAlchemy, which supports SQL database access: http://www.sqlalchemy.org/
- In particular, SQLAlchemy ORM is SQLAlchemy's object relational mapper, used by Flask-Admin: http://docs.sqlalchemy.org/en/rel_0_9/orm/tutorial.html
- WTForms, which renders forms used by Flask-Admin: http://wtforms.simplecodes.com/docs/0.6.1/index.html
- I used a PostgreSQL database: http://www.postgresql.org/
- However, you might find an in-memory SQLite database convenient: https://sqlite.org/
- A nod to this StackOverflow article regarding an issue with the __hash__ function in Flask-Admin: http://stackoverflow.com/questions/19530368/sqlalchemy-typeerror-unhashable-type-creating-instance-sqlalchemy
- And to mrjoes for this article about encrypting the password form field in Flask-Admin: http://stackoverflow.com/questions/19530368/sqlalchemy-typeerror-unhashable-type-creating-instance-sqlalchemy
To run this app, you'll need to install:
- Python 3.3
- Flask
- Flask-Admin
- Flask-Security
- SQLAlchemy
- A database system (PostgreSQL, SQLite, or another database system of your choice)
- An empty database named "flask_example"
I personally ran it on Windows 7 with a PostgreSQL database, but you should be able to use the operating system and database system of your choice.
Comments throughout main.py explain what's going on.
Once you have the app running, you can view it in your browser (e.g. http://localhost:8080).
Some things to notice:
- When you first visit the app's home page, you'll be prompted to log in, thanks to Flask-Security.
- If you log in with username=someone@example.com and password=password, you'll have the "end-user" role.
- If you log in with username=admin@example.com and password=password, you'll have the "admin" role.
- Either role is permitted to access the home page.
- Either role is permitted to access the /admin page. However, unless you have the "admin" role, you won't see the tabs for administration of users and roles on this page.
- Only the "admin" role is permitted to access sub-pages of the /admin page, such as /admin/userview. Otherwise, you'll get a "forbidden" response.
- Note that, when editing a user, the names of roles are automatically populated thanks to Flask-Admin.
- You can add and edit users and roles. The resulting users will be able to log in (unless you set active=false) and, if they have the "admin" role, will be able to perform administration.
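The access rules listed above, and the password handling an admin-side "create user" form needs, are easy to get subtly wrong, so here is an added, dependency-free Python example (not the project's main.py, and not Flask-Admin's or Flask-Security's own code) that models them: two sample accounts mirroring the ones above, a login check that honours the active flag, a path-to-role table that yields "prompt to log in" for anonymous visitors and "forbidden" for non-admins on /admin sub-pages, and a PBKDF2 hash applied before a password is stored. The view paths /admin/userview and /admin/roleview, the PBKDF2 parameters and the use of 302/403 status codes are assumptions for illustration.

```python
"""Model of the README's role rules and of hashing a password before storing it.
Added example; sample accounts, paths and hash parameters are constructed here."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set

PBKDF2_ROUNDS = 100_000  # assumption: raise for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; this is what an admin form must call in
    on_model_change() so a plaintext password never reaches the users table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored hash; malformed input fails closed."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class User:
    email: str
    password_hash: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True  # active=false blocks login, as the README notes

    def has_role(self, role: str) -> bool:
        return role in self.roles


# Constructed sample accounts matching the README's two logins.
USERS = {
    "someone@example.com": User("someone@example.com", hash_password("password"), {"end-user"}),
    "admin@example.com": User("admin@example.com", hash_password("password"), {"admin"}),
}


def authenticate(email: str, password: str) -> Optional[User]:
    """Return the user on a good password for an active account, else None."""
    user = USERS.get(email)
    if user is None or not user.active or not verify_password(password, user.password_hash):
        return None
    return user


# Path -> role required; None means any logged-in user may open it (assumed paths).
PROTECTED = {
    "/": None,
    "/admin": None,
    "/admin/userview": "admin",
    "/admin/roleview": "admin",
}


def authorize(user: Optional[User], path: str) -> int:
    """HTTP status for a request: 302 (redirect to login) when anonymous,
    403 when the role is missing, 404 for unknown paths, 200 otherwise."""
    if path not in PROTECTED:
        return 404
    if user is None:
        return 302
    required = PROTECTED[path]
    if required is not None and not user.has_role(required):
        return 403
    return 200


def visible_admin_tabs(user: Optional[User]) -> list:
    """Tabs to render on /admin: only views the user could actually open,
    which is what a ModelView.is_accessible() override decides per request."""
    return sorted(p for p in PROTECTED
                  if p.startswith("/admin/") and authorize(user, p) == 200)
```

The point the two helpers make together is that hiding the tabs is a courtesy, not the control: `authorize()` is what returns the "forbidden" response, so it must be applied to every /admin sub-page regardless of what the /admin page chose to render.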
Enjoy!