def decorated_view(*args, **kwargs): permission = Permission(*[RoleNeed(role) for role in roles]) if permission.can(): return fn(*args, **kwargs) return lm.unauthorized()
from flask import url_for, redirect, request, current_app from flask_admin.contrib.sqla import ModelView from flask_admin import AdminIndexView, helpers, expose from werkzeug.security import generate_password_hash from flask_login import current_user, login_user, logout_user from models import User, Role, Device, Platforms_info, Ip, Project, Domain, Port, App from forms import LoginForm from flask_principal import (ActionNeed, AnonymousIdentity, Identity, identity_changed, identity_loaded, Permission, Principal, RoleNeed, Denial) # Initialize flask-principal prcp = Principal() anon_permission = Permission() admin_permission = Permission(RoleNeed('Admin')) admin_or_editor = Permission(RoleNeed('Admin'), RoleNeed('Devlop')) devlop_permission = Permission(RoleNeed('Devlop')) admin_denied = Denial(RoleNeed('Admin')) # Create customized model view class class UserModelView(ModelView): can_export = True can_view_details = True column_exclude_list = [ 'password', ] column_searchable_list = ('real_name', 'login', Role.name) column_display_all_relations = True
login_manager.session_protection = 'strong' login_manager.login_message = 'Please login to access this page.' login_manager.login_message_category = 'info' @login_manager.user_loader def load_user(user_id): from models import User return User.query.filter_by(id=user_id).first() #创建principal实例 principals = Principal() #设置了三种权限,会绑定到identity之后才发挥作用 admin_permission = Permission(RoleNeed('admin')) poster_permission = Permission(RoleNeed('poster')) default_permission = Permission(RoleNeed('default')) #创建celery实例 flask_celery = Celery() #创建mail实例 mail = Mail() #创建cache实例 cache = Cache() #创建assets实例 assets_env = Environment() main_css = Bundle('css/bootstrap.css',
from flask_login import LoginManager from flask_principal import Principal, Permission, RoleNeed from pony.flask import Pony from sqlalchemy import engine_from_config from .models import User, db from .utils.fetcher import Http_Fetcher from .utils.scheduler import RMFScheduler from .utils.app_logger import setup_log login_manager = LoginManager() login_manager.login_view = 'main.login' login_manager.login_message = 'Пожалуйста, авторизуйтесь' principals = Principal() admin_permission = Permission(RoleNeed('admin'), RoleNeed('su')) su_permission = Permission(RoleNeed('su')) fetcher = Http_Fetcher() scheduler = RMFScheduler() def create_app(config=None): app = Flask(__name__) formatter = logging.Formatter( '%(asctime)s - %(name)s - %(levelname)s - %(message)s') file_handler = TimedRotatingFileHandler('app/logs/application.log', when="midnight", backupCount=7) file_handler.setFormatter(formatter) file_handler.setLevel(logging.DEBUG)
import json from flask import ( jsonify, render_template, request ) from flask_principal import Permission, RoleNeed from mes.revise import bp from model import * admin_permission = Permission(RoleNeed('super')) user_permission = Permission(RoleNeed('user')) @bp.route('/bad_revise') def bad_revise(): return render_template('main/revise/bad_revise.html') @bp.route("/ajax_revise_get_bad", methods=['GET']) def ajax_revise_get_bad(): q_bad = BadList.query.all() bad_list = [] for bad in q_bad: temp = {} temp['bad_name'] = bad.bad_name temp['bad_code'] = bad.bad_code bad_list.append(temp) return jsonify(bad_list)
# Path to app root dir APP_ROOT = os.path.dirname(os.path.abspath(__file__)) #: Default cache type. CACHE_TYPE = "redis" #: Default cache URL for sessions. ACCESS_SESSION_REDIS_HOST = os.environ.get('APP_ACCESS_SESSION_REDIS_HOST', 'localhost') #: Cache for storing access restrictions ACCESS_CACHE = 'cap.modules.cache:current_cache' #: E-Groups for superuser rights SUPERUSER_EGROUPS = [ RoleNeed('*****@*****.**'), RoleNeed('*****@*****.**'), ] # Records # ======= #: Records sort/facets options RECORDS_REST_SORT_OPTIONS = dict(records=dict( bestmatch=dict( title=_('Best match'), fields=['_score'], order=1, ), mostrecent=dict( title=_('Most recent'), fields=['_updated'],
from flask_principal import Permission, RoleNeed admin_permission = Permission(RoleNeed('admin')) vip_permission = Permission(RoleNeed('vip'))
if os.path.isfile(app_config_file): app.config.from_pyfile(app_config_file, silent=True) elif platform == "linux2" and os.path.isfile('/etc/astrobox/application.cfg'): app.config.from_pyfile('/etc/astrobox/application.cfg', silent=True) assets = Environment(app) Compress(app) userManager = None eventManager = None loginManager = None softwareManager = None discoveryManager = None principals = Principal(app) admin_permission = Permission(RoleNeed("admin")) user_permission = Permission(RoleNeed("user")) # only import the octoprint stuff down here, as it might depend on things defined above to be initialized already from octoprint.server.util import LargeResponseHandler, ReverseProxied, restricted_access, PrinterStateConnection, admin_validator, UrlForwardHandler, user_validator, user_or_logout_validator from astroprint.printer.manager import printerManager from octoprint.settings import settings import octoprint.util as util import octoprint.events as events import astroprint.users as users from astroprint.software import softwareManager as swManager from astroprint.boxrouter import boxrouterManager from astroprint.network.manager import networkManager from astroprint.camera import cameraManager
from flask_principal import Principal from flask_login import current_user, user_loaded_from_request, user_logged_in from flask_principal import Permission, RoleNeed, UserNeed, identity_loaded, identity_changed, Identity from app import enums from app.services.user_service import UserService principal = Principal(use_sessions=False, skip_static=True) admin_permission = Permission(RoleNeed(enums.Role.ADMIN)) @user_loaded_from_request.connect def on_user_loaded(sender, user): identity_changed.send(sender, identity=Identity(user.id)) @user_logged_in.connect def on_user_logged_in(sender, user): identity_changed.send(sender, identity=Identity(user.id)) @identity_loaded.connect def on_identity_loaded(sender, identity): # Set the identity user object identity.user = current_user # Add the UserNeed to the identity if hasattr(current_user, 'id'): identity.provides.add(UserNeed(current_user.id))
def user_role() -> RoleNeed: return RoleNeed("user")
def test_role() -> RoleNeed: return RoleNeed("test")
def admin_role() -> RoleNeed: return RoleNeed("admin")
login_manager.session_protection = "strong" login_manager.login_message = "Please login to access this page." login_manager.login_message_category = "info" @login_manager.user_loader def user_loader(id): from app.database.models import BlogUser return BlogUser.query.filter_by(id=id).first() # 角色权限 from flask_principal import Principal, Permission, RoleNeed principal = Principal() permission_admin = Permission(RoleNeed('admin')) permission_poster = Permission(RoleNeed('poster')) permission_default = Permission(RoleNeed('default')) # 消息队列、异步任务 from flask_celery import Celery celery = Celery() # 邮件 from flask_mail import Mail mail = Mail() # 缓存 from flask_cache import Cache cache = Cache()
#!/usr/bin/env python # encoding: utf-8 """ @author: zhanghe @software: PyCharm @file: permissions.py @time: 2017/6/8 下午11:16 """ from flask_principal import Permission, RoleNeed # 模块列表 modules = [ u'会员', u'订单', u'留言', u'系统', u'权限', u'统计', ] # 模块权限 permission_user = Permission(RoleNeed(u'会员')) permission_order = Permission(RoleNeed(u'订单')) permission_msg = Permission(RoleNeed(u'留言')) permission_sys = Permission(RoleNeed(u'系统')) permission_admin = Permission(RoleNeed(u'权限')) permission_stats = Permission(RoleNeed(u'统计')) permission_other = Permission(RoleNeed(u'其它'))
def on_identity_loaded(sender, identity): identity.user = current_user if hasattr(current_user, "id"): identity.provides.add(UserNeed(current_user.id)) identity.provides.add(RoleNeed("blogger"))
# -*- coding: utf-8 -*- from flask_principal import Permission, RoleNeed from flask import json, jsonify, request, Blueprint, flash from flask_security import auth_token_required, http_auth_required, login_required, current_user from ..models import db, Templates from mongoengine.queryset import Q temp_api = Blueprint('template_api', __name__, url_prefix='/api/pulse/templates') # Create a permission with a single Need, in this case a RoleNeed. admin_permission = Permission(RoleNeed('admin')) editor_permission = Permission(RoleNeed('editor')) @temp_api.route('', methods=['GET']) @temp_api.route('/', methods=['GET']) def get_templates_api(): if current_user.has_role('admin'): templates = Templates.objects.all().order_by('-pub_date') elif current_user.has_role('editor'): templates = Templates.objects( Q(status='public') | Q(contributor=current_user.email)).order_by('-pub_date') else: templates = Templates.objects(Q(status='public')).order_by('-pub_date') return jsonify({'result': templates})
def is_accessible(self): permission = Permission(RoleNeed('super')) return permission.can()
from flask_principal import Principal, Permission, RoleNeed from redidropper.models.role_entity import \ ROLE_ADMIN, ROLE_TECHNICIAN, ROLE_RESEARCHER_ONE, ROLE_RESEARCHER_TWO from redidropper.main import app # @TODO: read https://pythonhosted.org/Flask-Security/api.html # from flask_security import roles_accepted # from flask_security import roles_required, auth_token_required # from pages import ProjectRolePermission # load the Principal extension principals = Principal(app) # define a permission perm_admin = Permission(RoleNeed(ROLE_ADMIN)) perm_technician = Permission(RoleNeed(ROLE_TECHNICIAN)) perm_researcher_one = Permission(RoleNeed(ROLE_RESEARCHER_ONE)) perm_researcher_two = Permission(RoleNeed(ROLE_RESEARCHER_TWO)) perm_admin_or_technician = Permission(RoleNeed(ROLE_ADMIN), RoleNeed(ROLE_TECHNICIAN)) @app.route('/admin') @perm_admin.require() def admin(): """ Render the technician's home page from flask import abort abort(403) """ return render_template('admin.html', user_links=get_user_links())
import bcrypt from flask_login import LoginManager, UserMixin from flask_principal import RoleNeed, Permission from db import mongo admin_role = RoleNeed('admin') corrector_role = RoleNeed('corrector') roles = {'admin': admin_role, 'editor': corrector_role} admin_permission = Permission(admin_role) edit_permission = Permission(corrector_role, admin_role) login_manager = LoginManager() class User(UserMixin): def __init__(self, id, str_roles, retry_count): self.id = id self.str_roles = str_roles self.roles = [] for r in str_roles: self.roles.append(roles[r]) self.retry_count = retry_count def check_pw(self, pw): db_pw = mongo.db.users.find_one({'username': self.id})['password'] return bcrypt.hashpw(pw.encode('utf-8'), db_pw) == db_pw def need_change_pw(self):
# -*- coding: utf8 -*- from __future__ import unicode_literals from collections import namedtuple from functools import partial from flask_principal import ActionNeed, RoleNeed, Permission # 角色 MEMBER = 'MEMBER' ADMIN = 'ADMIN' ROLES = [(MEMBER, '用户'), (ADMIN, '系统管理员')] member_permission = Permission(RoleNeed(MEMBER)) admin_permission = Permission(RoleNeed(ADMIN)) # edit = Permission(ActionNeed()) # 粗粒度的权限保护 # BlogPostNeed = namedtuple('blog_post', ['method', 'value']) # EditBlogPostNeed = partial(BlogPostNeed, 'edit') # # # class EditBlogPostPermission(Permission): # def __init__(self, post_id): # need = EditBlogPostNeed(unicode(post_id)) # super(EditBlogPostPermission, self).__init__(need) # **usage: # edit_blog_post_permission = EditBlogPostPermission(post_id) # 1.接口中拥有编辑该篇文章的权限(接口内权限访问) # with edit_blog_post_permission.require():
from flask_principal import Identity, AnonymousIdentity, identity_changed, RoleNeed, UserNeed, Permission # String must not have spaces, as users can have multiple roles # And this is accomplished by a space delimited string. # For more information, see example data for MongoDB _ADMIN_ROLE = "admin" _EDITOR_ROLE = "editor" _PEERLEADER_ROLE = "peer_leader" _USER_ROLE = "user" _ADMIN_NEED = RoleNeed(_ADMIN_ROLE) _EDITOR_NEED = RoleNeed(_EDITOR_ROLE) _PEERLEADER_NEED = RoleNeed(_PEERLEADER_ROLE) _USER_NEED = RoleNeed(_USER_ROLE) _ADMIN_PERM = Permission(_ADMIN_NEED) _EDITOR_PERM = Permission(_ADMIN_NEED, _EDITOR_NEED) _PEERLEADER_PERM = Permission(_ADMIN_NEED, _EDITOR_NEED, _PEERLEADER_NEED) _USER_PERM = Permission(_ADMIN_NEED, _EDITOR_NEED, _PEERLEADER_NEED, _USER_NEED) def get_all_roles(): return [_ADMIN_ROLE, _EDITOR_ROLE, _PEERLEADER_ROLE, _USER_ROLE] def has_admin(): return _ADMIN_PERM.can()
#! /usr/bin/env python # -*- coding: utf-8 -*- # Author:huchong from flask_principal import Permission, RoleNeed, UserNeed, identity_loaded from flask_login import current_user # Create a permission with a single Need, in this case a RoleNeed. admin_permission = Permission(RoleNeed('admin')) editor_permission = Permission(RoleNeed('editor')).union(admin_permission) reader_permission = Permission(RoleNeed('reader')).union(editor_permission) # 用法: # # protect a view with a principal for that need # @app.route('/admin') # @admin_permission.require() # def do_admin_index(): # return Response('Only if you are an admin') @identity_loaded.connect def on_identity_loaded(sender, identity): identity.user = current_user if hasattr(current_user, 'username'): identity.provides.add(UserNeed(current_user.username)) if hasattr(current_user, 'role'): identity.provides.add(RoleNeed(current_user.role)) identity.allow_read = identity.can(reader_permission) identity.allow_edit = editor_permission.allows(identity)
def test_invenio_access_permission_cache_roles_updates( app, dynamic_permission ): """Testing ActionRoles cache with inserts/updates/deletes.""" # This test case is doing the same of user test case but using roles. cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): # Creation of some data to test. role_1 = Role(name='role_1') role_2 = Role(name='role_2') role_3 = Role(name='role_3') role_4 = Role(name='role_4') role_5 = Role(name='role_5') role_6 = Role(name='role_6') db.session.add(role_1) db.session.add(role_2) db.session.add(role_3) db.session.add(role_4) db.session.add(role_5) db.session.add(role_6) db.session.add(ActionRoles(action='open', role=role_1)) db.session.add(ActionRoles(action='write', role=role_4)) db.session.flush() # Creation of identities to test. identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name)) identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name)) identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name)) identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name)) identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name)) identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name)) # Test if role 1 can open. In this case, the cache should store only # this object. permission_open = dynamic_permission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_1) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name)]), set([]) ) # Test if role 4 can write. In this case, the cache should have this # new object and the previous one (Open is allowed to role_1) permission_write = dynamic_permission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_4) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name)]), set([]) ) # If we add a new role to the action open, the open action in cache # should be removed but it should still containing the write entry. db.session.add(ActionRoles(action='open', role=role_2)) db.session.flush() assert current_access.get_action_cache('open') is None permission_open = dynamic_permission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_2) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) # Test if the new role is added to the action 'open' permission_write = dynamic_permission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_4) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) # If we update an action swapping a role, the cache containing the # action, should be removed. role_4_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_4).first() role_4_action_write.role = role_3 db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is not None assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # Test if the role_3 can write now. permission_write = dynamic_permission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_4) permission_write = dynamic_permission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_3.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # If we remove a role from an action, the cache should clear the # action item. role_3_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_3).first() db.session.delete(role_3_action_write) db.session.flush() assert current_access.get_action_cache('write') is None # If no one is allowed to perform an action then everybody is allowed. permission_write = dynamic_permission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([]), set([]) ) db.session.add(ActionRoles(action='write', role=role_5)) db.session.flush() permission_write = dynamic_permission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_5) permission_write = dynamic_permission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_5.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # If you update the name of an existing action, the previous action # and the new action should be remove from cache. permission_write = dynamic_permission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_5) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_5.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) role_5_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_5).first() role_5_action_write.action = 'open' db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is None permission_open = dynamic_permission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_1) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name)]), set([]) ) db.session.add(ActionRoles(action='write', role=role_4)) permission_write = dynamic_permission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_5) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) db.session.add(ActionRoles(action='open', argument='1', role=role_6)) db.session.flush() permission_open_1 = dynamic_permission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_fake_role_6) assert permission_open_1.allows(identity_fake_role_6) assert current_access.get_action_cache('open::1') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name), Need(method='role', value=role_6.name)]), set([]) ) user_6_action_open_1 = ActionRoles.query.filter_by( action='open', argument='1', role_id=role_6.id).first() user_6_action_open_1.argument = '2' db.session.flush() assert current_access.get_action_cache('open::1') is None assert current_access.get_action_cache('open::2') is None permission_open_2 = dynamic_permission( ParameterizedActionNeed('open', '2')) assert permission_open_2.allows(identity_fake_role_6) assert current_access.get_action_cache('open::2') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name), Need(method='role', value=role_6.name)]), set([]) ) # open action cache should remain as before assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name)]), set([]) )
# coding=utf-8 from __future__ import absolute_import from flask_principal import Permission, RoleNeed admin_permission = Permission(RoleNeed('admin')) normal_permission = Permission(RoleNeed('normal'))
#!/usr/bin/env python # -*- coding: utf-8 -*- from flask_login import current_user # from flask.ext.principal import Permission, RoleNeed, UserNeed, identity_loaded # from flask.ext.login import current_user from flask_principal import Permission, RoleNeed, UserNeed, identity_loaded # admin_need = RoleNeed('admin') # editor_need = RoleNeed('editor') # writer_need = RoleNeed('writer') # reader_need = RoleNeed('reader') su_need = RoleNeed('su') su_permission = Permission(su_need) admin_permission = Permission(RoleNeed('admin')).union(su_permission) editor_permission = Permission(RoleNeed('editor')).union(admin_permission) writer_permission = Permission(RoleNeed('writer')).union(editor_permission) reader_permission = Permission(RoleNeed('reader')).union(writer_permission) @identity_loaded.connect # Both of this and the following works # @identity_loaded.connect_via(current_app) def on_identity_loaded(sender, identity): # Set the identity user object identity.user = current_user # Add the UserNeed to the identity if hasattr(current_user, 'username'): identity.provides.add(UserNeed(current_user.username))
DEBUG=True, SECRET_KEY=os.urandom(16).encode('base-64'), SQLALCHEMY_DATABASE_URI='postgresql://*****:*****@localhost/mytest', SQLALCHEMY_COMMIT_ON_TEARDOWN=True ) app.debug = True db = SQLAlchemy(app) login_manager = LoginManager(app) login_manager.login_view = 'login' principals = Principal(app) # Needs be_admin = RoleNeed('admin') be_user = RoleNeed('user') app_needs = { 'admin': be_admin, 'user': be_user } admin_perm = Permission(be_admin) admin_perm.description = "Admin's permissions" user_perm = Permission(be_user) user_perm.description = "User's permissions" app_perms = [admin_perm, user_perm] DEFAULT_ROLE = be_user @identity_loaded.connect_via(app) def on_identity_loaded(sender, identity):
logging.basicConfig(level=logging.DEBUG) # -------------------------------------------------------------------------------------------------# # Permission objects # Permission types (dict) PERM_TYPE = { 'self_admin': 'self-administrator', 'subgroups': 'create subgroups', 'courses': 'create courses' } # The list of permission tuples (for forms) PERMISSION_LIST = list(perm_tuple for perm_tuple in PERM_TYPE.items()) # Create the permission with RoleNeeds. role_permission = Permission(RoleNeed('Instructor'), RoleNeed('Mentor'), RoleNeed('Teacher'), RoleNeed('TA'), RoleNeed('TeachingAssistant')) # -------------------------------------------------------------------------------------------------# # Decorators for permission checking def subgroup_create_perm(func): """ Check whether the current user can create a subgroup under a group. Permission: 1.the user is a member of the ancestors of the group OR 2. the group is the target group where subgroups can be created under. """ @wraps(func)
# # You should have received a copy of the GNU General Public License # along with Invenio; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, # MA 02111-1307, USA. # # In applying this license, RERO does not # waive the privileges and immunities granted to it by virtue of its status # as an Intergovernmental Organization or submit itself to any jurisdiction. """Permission for this module.""" from flask_login import current_user from flask_principal import RoleNeed from invenio_access.permissions import DynamicPermission record_edit_permission = DynamicPermission(RoleNeed('cataloguer')) def cataloguer_permission_factory(record, *args, **kwargs): """User has editor role.""" return record_edit_permission def can_edit(user=None): """User has editor role.""" if not user: user = current_user return user.is_authenticated and record_edit_permission.can()
from .models import User from flask_login import current_user from flask_principal import RoleNeed, UserNeed, Permission, identity_changed def load_user(user_id): return User.query.get(user_id) @identity_changed.connect def on_identity_loaded(sender, identity): identity.user = current_user if hasattr(current_user, 'id'): identity.provides.add(UserNeed(current_user.id)) if getattr(current_user, 'is_admin', False): identity.provides.add(RoleNeed('admin')) admin_permission = Permission(RoleNeed('admin'))
def decorated_view(*args, **kwargs): permissions = [Permission(RoleNeed(role)) for role in roles] for p in permissions: if not p.can(): return lm.unauthorized() return fn(*args, **kwargs)