flask security separating access data on flask admin


Problem description


I have an application for homestay reservations built with Flask. Every homestay has a user login, built with flask-security, and every owner of a homestay has the role User. Every user can input their homestay data with flask-admin. But unfortunately, if a user inputs their data, the other users which have the role User can see the data they have input too.


So, my question is: how to separate the data if users have the same role? User A can only see his data, and user B likewise.

Here is my models.py code:

    from flask_sqlalchemy import SQLAlchemy
    from flask_security import RoleMixin, UserMixin
    from sqlalchemy import Column, Integer, String, ForeignKey

    # The app's SQLAlchemy() instance (created elsewhere in the asker's app; shown here so the module runs).
    database = SQLAlchemy()

    # Association table linking users to their roles (many-to-many).
    roles_users = database.Table(
        'roles_users',
        database.Column('user_id', database.Integer(), database.ForeignKey('user.id')),
        database.Column('role_id', database.Integer(), database.ForeignKey('role.id'))
    )


    class Role(database.Model, RoleMixin):
        id = database.Column(database.Integer(), primary_key=True)
        name = database.Column(database.String(80), unique=True)
        description = database.Column(database.String(255))

        def __str__(self):
            return self.name


    class User(database.Model, UserMixin):
        id = database.Column(database.Integer, primary_key=True)
        first_name = database.Column(database.String(255))
        last_name = database.Column(database.String(255))
        email = database.Column(database.String(255), unique=True)
        password = database.Column(database.String(255))
        active = database.Column(database.Boolean())
        confirmed_at = database.Column(database.DateTime())
        roles = database.relationship('Role', secondary=roles_users,
                                      backref=database.backref('users', lazy='dynamic'))

        def __str__(self):
            return self.email


    class Room(database.Model):
        __tablename__ = 'room'
        room_id = Column(Integer, primary_key=True)
        room_name = Column(String)
        room_description = Column(String)
        room_images = Column(database.Unicode(128))
        room_price = Column(Integer)
        # Owner of the room; this is the column that per-user access has to be scoped on.
        user_id = Column(Integer, ForeignKey(User.id))

Here is my views.py:

    from flask import abort, redirect, request, url_for
    from flask_admin import form
    from flask_admin.contrib.sqla import ModelView
    from flask_security import current_user
    from markupsafe import Markup

    # `file_path` (upload directory) and `CKEditorField` are defined elsewhere in the asker's app.


    class UserAccess(ModelView):

        def is_accessible(self):
            if not current_user.is_active or not current_user.is_authenticated:
                return False
            if current_user.has_role('user'):
                return True

            return False

        def _handle_view(self, name, **kwargs):
            """
            Override builtin _handle_view in order to redirect users when a view is not accessible.
            """
            if not self.is_accessible():
                if current_user.is_authenticated:
                    # permission denied
                    abort(403)
                else:
                    # login
                    return redirect(url_for('security.login', next=request.url))


    class Room(UserAccess):
        form_overrides = dict(keterangan_kamar=CKEditorField)
        create_template = 'admin/ckeditor.html'
        edit_template = 'admin/ckeditor.html'
        column_list = ('room_name', 'room_images', 'room_price')

        def _list_thumbnail(view, context, model, name):
            if not model.room_images:
                return ''

            return Markup('<img src="%s">' % url_for('static',
                                                     filename=form.thumbgen_filename(model.room_images)))

        column_formatters = {
            'room_images': _list_thumbnail
        }

        # Alternative way to contribute field is to override it completely.
        # In this case, Flask-Admin won't attempt to merge various parameters for the field.
        form_extra_fields = {
            'room_images': form.ImageUploadField('Room Images',
                                                 base_path=file_path,
                                                 thumbnail_size=(100, 100, True))
        }

Recommended answer


You need to add a permanent filter to your Room view by overriding get_query and get_count_query.


For example (note I've renamed your Room class to RoomView, as you already have a class called Room representing the database model):

    from flask_security import current_user
    from sqlalchemy import func

    # Room is the model from models.py and UserAccess the base view from views.py.


    class RoomView(UserAccess):

        def get_query(self):
            # Only rows owned by the logged-in user are listed.
            return self.session.query(self.model).filter(
                Room.user_id == current_user.id
            )

        def get_count_query(self):
            # Keep the pagination count consistent with the filtered list.
            return self.session.query(func.count('*')).select_from(self.model).filter(
                Room.user_id == current_user.id
            )

        #  ... your code etc
