Flask - Role Based Access Control

0 1002

Introduction

Implementing Role Based Access Control (RBAC) in Flask is essential for securing applications with multiple user roles—such as admins, editors, and regular users. This guide walks through how to define roles, protect routes, and restrict access based on user permissions.

Why Use Role Based Access Control?

RBAC helps manage application permissions by grouping users into roles and assigning capabilities accordingly. It prevents unauthorized access and simplifies permission management as your Flask app grows.

Required Extensions

Make sure you have the following Flask extensions installed to manage authentication and session data efficiently:

pip install Flask Flask-Login Flask-SQLAlchemy

Setting Up the App

Initialize your Flask application, database, and login manager:

from flask import Flask, redirect, url_for, render_template
from flask_sqlalchemy import SQLAlchemy
from flask_login import LoginManager, UserMixin, login_user, login_required, current_user

app = Flask(__name__)
app.config['SECRET_KEY'] = 'your_secret_key'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///app.db'

db = SQLAlchemy(app)
login_manager = LoginManager(app)
login_manager.login_view = 'login'

Create User and Role Models

Define your database models to include roles linked to users:

class Role(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(50), unique=True)

class User(UserMixin, db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(50), unique=True, nullable=False)
    password = db.Column(db.String(128), nullable=False)
    role_id = db.Column(db.Integer, db.ForeignKey('role.id'))
    role = db.relationship('Role')  # Link a role to each user

Load User Callback

Tell Flask-Login how to load users from the session:

@login_manager.user_loader
def load_user(user_id):
    return User.query.get(int(user_id))

Add Role Check Decorator

Create a decorator to verify roles before accessing routes:

from functools import wraps
from flask import abort

def role_required(required_role):
    def decorator(f):
        @wraps(f)
        def wrapped(*args, **kwargs):
            if not current_user.is_authenticated:
                return login_manager.unauthorized()
            if current_user.role.name != required_role:
                abort(403)  # Forbidden
            return f(*args, **kwargs)
        return wrapped
    return decorator

Protecting Routes

Use the decorator to restrict access based on roles:

@app.route('/admin')
@login_required
@role_required('admin')
def admin_panel():
    return render_template('admin.html')

@app.route('/editor')
@login_required
@role_required('editor')
def editor_panel():
    return render_template('editor.html')

User Registration with Roles

During user signup, assign roles based on requirements:

@app.route('/register', methods=['GET', 'POST'])
def register():
    # Registration logic here...
    # On success, create a User with a specific Role
    # db.session.commit()
    return redirect(url_for('login'))

Conclusion

Using Flask for Role Based Access Control makes it easier to manage complex permissions across different user types. By defining roles, protecting routes with decorators, and integrating with Flask-Login, you can build robust, secure Flask applications.

If you’re passionate about building a successful blogging website, check out this helpful guide at Coding Tag – How to Start a Successful Blog. It offers practical steps and expert tips to kickstart your blogging journey!

For dedicated UPSC exam preparation, we highly recommend visiting www.iasmania.com. It offers well-structured resources, current affairs, and subject-wise notes tailored specifically for aspirants. Start your journey today!