Source code for flask_resty.authorization
from . import authentication
from .exceptions import ApiError
# -----------------------------------------------------------------------------
[docs]class AuthorizationBase:
"""Base class for the API authorization components.
Authorization components control access to objects based on the credentials
from authentication component.
Authorization components can control access in the following ways:
- Disallowing a request as a whole
- Filtering the list of visible rows in the database
- Disallowing specific modify actions
For many CRUD endpoints, :py:class:`AuthorizeModifyMixin` allows consistent
control of modify operations.
"""
[docs] def get_request_credentials(self):
"""Retrieve the credentials stored in the
:py:class:`flask.ctx.AppContext`.
"""
return authentication.get_request_credentials()
[docs] def authorize_request(self):
"""Authorization hook called before processing a request.
Typically this hook will inspecting :py:data:`flask.request`.
"""
raise NotImplementedError()
[docs] def filter_query(self, query, view):
"""Filter a query to hide unauthorized rows.
:param query: The SQL construction object.
:type query: :py:class:`sqlalchemy.orm.query.Query`
:param view: The View instance
:type view: :py:class:`ModelView`
:return: The filtered SQL construction object.
:rtype: :py:class:`sqlalchemy.orm.query.Query`
"""
raise NotImplementedError()
[docs] def authorize_save_item(self, item):
"""Authorization hook called before saving a created or updated item.
This will generally be called after `authorize_create_item` or
`authorize_update_item` below.
:param obj item: The model instance
"""
raise NotImplementedError()
[docs] def authorize_create_item(self, item):
"""Authorization hook called before creating a new item.
:param obj item: The model instance
"""
raise NotImplementedError()
[docs] def authorize_update_item(self, item, data):
"""Authorization hook called before updating an existing item.
:param obj item: The model instance
:param dict data: A mapping from field names to updated values
"""
raise NotImplementedError()
[docs] def authorize_delete_item(self, item):
"""Authorization hook called before deleting an existing item.
:param obj item: The model instance
"""
raise NotImplementedError()
[docs]class HasCredentialsAuthorizationBase(AuthorizationBase):
"""A base authorization component that requires some authentication.
This authorization component doesn't check the credentials, but will block
all requests that do not provide some credentials.
"""
[docs] def authorize_request(self):
if self.get_request_credentials() is None:
raise ApiError(401, {"code": "invalid_credentials.missing"})
# -----------------------------------------------------------------------------
[docs]class AuthorizeModifyMixin(AuthorizationBase):
"""An authorization component that consistently authorizes all modifies.
Child classes should implement :py:meth:`authorize_modify_item`.
"""
[docs] def authorize_save_item(self, item):
self.authorize_modify_item(item, "save")
[docs] def authorize_create_item(self, item):
self.authorize_modify_item(item, "create")
[docs] def authorize_update_item(self, item, data):
self.authorize_modify_item(item, "update")
[docs] def authorize_delete_item(self, item):
self.authorize_modify_item(item, "delete")
[docs] def authorize_modify_item(self, item, action):
"""Authorization hook for all modification actions on an item.
:param obj item: The model instance
:param str action: One of ``'save' | 'create' | 'update' | 'delete'``
"""
raise NotImplementedError()
# -----------------------------------------------------------------------------
[docs]class NoOpAuthorization(AuthorizationBase):
"""An authorization component that allows any action."""
[docs] def authorize_request(self):
pass
[docs] def filter_query(self, query, view):
return query
[docs] def authorize_save_item(self, item):
pass
[docs] def authorize_create_item(self, item):
pass
[docs] def authorize_update_item(self, item, data):
pass
[docs] def authorize_delete_item(self, item):
pass
[docs]class HasAnyCredentialsAuthorization(
HasCredentialsAuthorizationBase, NoOpAuthorization
):
"""An authorization component that allows any action when authenticated.
This doesn't check the credentials; it just checks that some valid
credentials were provided.
"""
pass