Add Roles and Permission models so that only admins can access /admin

2024-11-15 01:05:42 +00:00 · 2019-07-09 15:41:16 +02:00 · 2019-07-09 15:41:16 +02:00 · 79cccd36ee
commit 79cccd36ee
parent 66d9ab8a93
8 changed files with 159 additions and 4 deletions
--- a/app/decorators.py
+++ b/app/decorators.py
@ -0,0 +1,19 @@
 from functools import wraps
 from flask import abort
 from flask_login import current_user
 from .models import Permission
 def permission_required(permission):
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            if not current_user.can(permission):
                abort(403)
            return f(*args, **kwargs)
        return decorated_function
    return decorator
 def admin_required(f):
    return permission_required(Permission.ADMIN)(f)
--- a/app/main/init.py
+++ b/app/main/init.py
@ -2,4 +2,11 @@ from flask import Blueprint
 main = Blueprint('main', __name__)
-from . import views
+
 from . import views, errors
 from ..models import Permission
@main.app_context_processor
 def inject_permissions():
    return dict(Permission=Permission)
--- a/app/main/views.py
+++ b/app/main/views.py
@ -1,7 +1,16 @@
 from flask import render_template
 from . import main
 from ..decorators import admin_required
 from flask_login import login_required
@main.route('/')
 def index():
    return render_template('main/index.html.j2')
@main.route('/admin')
@login_required
@admin_required
 def for_admins_only():
    return "For administrators!"
--- a/app/models.py
+++ b/app/models.py
@ -1,19 +1,69 @@
 from flask import current_app
-from flask_login import UserMixin
+from flask_login import UserMixin, AnonymousUserMixin
 from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
 from werkzeug.security import generate_password_hash, check_password_hash
 from . import db
 from . import login_manager
 class Permission:
    CREATE_JOB = 1
    DELETE_JOB = 2
    # WRITE = 4
    # MODERATE = 8
    ADMIN = 16
 class Role(db.Model):
    __tablename__ = 'roles'
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(64), unique=True)
    default = db.Column(db.Boolean, default=False, index=True)
    permissions = db.Column(db.Integer)
    users = db.relationship('User', backref='role', lazy='dynamic')
    def __init__(self, **kwargs):
        super(Role, self).__init__(**kwargs)
        if self.permissions is None:
            self.permissions = 0
    def __repr__(self):
        return '<Role %r>' % self.name
    def add_permission(self, perm):
        if not self.has_permission(perm):
            self.permissions += perm
    def remove_permission(self, perm):
        if self.has_permission(perm):
            self.permissions -= perm
    def reset_permissions(self):
        self.permissions = 0
    def has_permission(self, perm):
        return self.permissions & perm == perm
    @staticmethod
    def insert_roles():
        roles = {
                    'User': [Permission.CREATE_JOB],
                    'Administrator': [Permission.ADMIN,
                                      Permission.CREATE_JOB,
                                      Permission.DELETE_JOB]
        }
        default_role = 'User'
        for r in roles:
            role = Role.query.filter_by(name=r).first()
            if role is None:
                role = Role(name=r)
            role.reset_permissions()
            for perm in roles[r]:
                role.add_permission(perm)
            role.default = (role.name == default_role)
            db.session.add(role)
        db.session.commit()
 class User(UserMixin, db.Model):
    __tablename__ = 'users'
@ -27,6 +77,14 @@ class User(UserMixin, db.Model):
    def __repr__(self):
        return '<User %r>' % self.username
    def __init__(self, **kwargs):
        super(User, self).__init__(**kwargs)
        if self.role is None:
            if self.email == current_app.config['OPAQUE_ADMIN']:
                self.role = Role.query.filter_by(name='Administrator').first()
            if self.role is None:
                self.role = Role.query.filter_by(default=True).first()
    def generate_confirmation_token(self, expiration=3600):
        s = Serializer(current_app.config['SECRET_KEY'], expiration)
        return s.dumps({'confirm': self.id}).decode('utf-8')
@ -72,6 +130,23 @@ class User(UserMixin, db.Model):
    def verify_password(self, password):
        return check_password_hash(self.password_hash, password)
    def can(self, perm):
        return self.role is not None and self.role.has_permission(perm)
    def is_administrator(self):
        return self.can(Permission.ADMIN)
 class AnonymousUser(AnonymousUserMixin):
    def can(self, permissions):
        return False
    def is_administrator(self):
        return False
 login_manager.anonymous_user = AnonymousUser  # Flask-Login is told to use the application’s custom anonymous user by setting its class in the login_manager.anonymous_user attribute.
@login_manager.user_loader
 def load_user(user_id):
--- a/app/templates/main/admin.html.j2
+++ b/app/templates/main/admin.html.j2
@ -0,0 +1,12 @@
 {% extends "base.html.j2" %}
 {% block page_content %}
 <h1>Administration tools</h1>
 <div class="col s12">
  <div class="card large">
    <div class="card-content">
      <span class="card-title">User list</span>
    </div>
  </div>
 </div>
 {% endblock %}
--- a/config.py
+++ b/config.py
@ -11,6 +11,7 @@ class Config:
        ['true', 'on', '1']
    MAIL_USERNAME = os.environ.get('MAIL_USERNAME')
    MAIL_PASSWORD = os.environ.get('MAIL_PASSWORD')
    OPAQUE_ADMIN = os.environ.get('OPAQUE_ADMIN')
    OPAQUE_MAIL_SUBJECT_PREFIX = '[Opaque]'
    OPAQUE_MAIL_SENDER = 'Opaque Development <dev.opaque@gmail.com>'
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'
--- a/migrations/versions/01a7d98d9647_.py
+++ b/migrations/versions/01a7d98d9647_.py
@ -0,0 +1,32 @@
 """empty message
 Revision ID: 01a7d98d9647
 Revises: 69f5d9c59c34
 Create Date: 2019-07-09 10:59:08.639902
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '01a7d98d9647'
 down_revision = '69f5d9c59c34'
 branch_labels = None
 depends_on = None
 def upgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.add_column('roles', sa.Column('default', sa.Boolean(), nullable=True))
    op.add_column('roles', sa.Column('permissions', sa.Integer(), nullable=True))
    op.create_index(op.f('ix_roles_default'), 'roles', ['default'], unique=False)
    # ### end Alembic commands ###
 def downgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_index(op.f('ix_roles_default'), table_name='roles')
    op.drop_column('roles', 'permissions')
    op.drop_column('roles', 'default')
    # ### end Alembic commands ###
--- a/opaque.py
+++ b/opaque.py
@ -1,5 +1,5 @@
 from app import create_app, db
-from app.models import User, Role
+from app.models import User, Role, Permission
 from flask_migrate import Migrate
 import os
@ -10,7 +10,7 @@ migrate = Migrate(app, db)
@app.shell_context_processor
 def make_shell_context():
-    return dict(db=db, User=User, Role=Role)
+    return dict(db=db, User=User, Role=Role, Permission=Permission)
@app.cli.command()