Flask-admin: way to protect the entire /admin interface?

Created on 12 Sep 2015 · 4 Comments · Source: flask-admin/flask-admin

I am using the is_accessible method to protect all my views, is there any way to protect the entire /admin interface?

All 4 comments

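If using Flask-Login, overwrite the is_accessible method as in the official example:

```python
import flask_login as login
from flask_admin.contrib.mongoengine import ModelView

# Create customized model view class
class MyModelView(ModelView):
    def is_accessible(self):
        # is_authenticated is a property since Flask-Login 0.3.0 (no call parentheses)
        return login.current_user.is_authenticated
```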

https://github.com/flask-admin/flask-admin/blob/master/examples/auth-mongoengine/app.py#L89

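Or, if using Flask-Security and its roles:

```python
from flask import redirect
from flask_login import current_user
from flask_security.utils import url_for_security

# ModelAdmin and the module-level is_accessible() helper are defined in the
# quokka project linked below; they are not part of Flask-Admin or Flask-Security.
class MyModelAdmin(ModelAdmin):

    roles_accepted = ['a_lit_of_roles']

    def is_accessible(self):
        roles_accepted = getattr(self, 'roles_accepted', None)
        return is_accessible(roles_accepted=roles_accepted, user=current_user)

    def _handle_view(self, name, *args, **kwargs):
        # is_authenticated is a property since Flask-Login 0.3.0
        if not current_user.is_authenticated:
            return redirect(url_for_security('login', next="/admin"))
        if not self.is_accessible():
            return self.render("admin/denied.html")
```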

example: https://github.com/quokkaproject/quokka/blob/development/quokka/core/admin/models.py#L46

http://stackoverflow.com/a/32992127/4683950
Look at that comment on Stack Overflow.

Adding to the comments above: If you derive all your views from some custom base class implementing is_accessible, you can already control which views are accessible. If you also want to protect the start page (the one not showing any data list), you need to add your own index view.

```python
from flask_admin import AdminIndexView, expose


class SecuredHomeView(AdminIndexView):
    def is_accessible(self):
        # your access logic goes here, or derive this class also from your common base class!
        pass

    @expose('/')
    def index(self):
        return self.render('/admin/index.html')
```

And in the Flask-Admin constructor, replace the unsecured default index view with your custom one:

```python
flask_admin.Admin(..., index_view=SecuredHomeView(url='/admin'))
```
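
An added example, not part of the thread or of Flask-Admin's own code: a startup audit that lists registered views still using the inherited allow-all `is_accessible`, which is how an unprotected index page or a forgotten view slips through. The stand-in classes, `AuthMixin`, `ForgottenView` and the function names are constructed for illustration; in a real app, pass `admin._views` (a private attribute that includes the index view) and `flask_admin.BaseView.is_accessible`.

```python
"""Startup audit: find admin views still on the framework's allow-all is_accessible."""


def unprotected_views(views, default_check):
    """Return class names of views whose effective is_accessible is `default_check`.

    Assumed real-world call: unprotected_views(admin._views, BaseView.is_accessible),
    where BaseView is flask_admin.BaseView (its default is_accessible returns True).
    """
    return [type(v).__name__ for v in views
            if getattr(type(v), "is_accessible", None) is default_check]


def assert_admin_locked_down(views, default_check):
    """Fail closed: refuse to start if any view is left on the default check."""
    missing = unprotected_views(views, default_check)
    if missing:
        raise RuntimeError("admin views without access control: " + ", ".join(missing))


# --- Constructed stand-ins so the example runs without Flask-Admin installed ---
class BaseView:                      # mirrors flask_admin.BaseView's default
    def is_accessible(self):
        return True

class AdminIndexView(BaseView):      # default index view: inherits the allow-all check
    pass

class AuthMixin:                     # hypothetical common base class, as the thread advises
    def is_accessible(self):
        return False                 # placeholder; real logic would check the logged-in user

class SecuredHomeView(AuthMixin, AdminIndexView):
    pass

class UserView(AuthMixin, BaseView):
    pass

class ForgottenView(BaseView):       # a view someone forgot to derive from AuthMixin
    pass


def demo():
    default = BaseView.is_accessible
    before = unprotected_views([AdminIndexView(), UserView(), ForgottenView()], default)
    after = unprotected_views([SecuredHomeView(), UserView()], default)
    return before, after
```

Because the check resolves the method through the class's MRO, it also flags a view that lists the mixin after the Flask-Admin base class, where the default would win.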
