smorest_crud.access_control.models module¶

class smorest_crud.access_control.models.AccessControlQuery(entities, session=None)[source]¶

Bases: flask_sqlalchemy.BaseQuery

Base query class to use for access restriction.

query_for_user(user)[source]¶

Access control query for the given user instance.

Return type: Type[AccessControlQuery]

class smorest_crud.access_control.models.AccessControlUser(*args, **kwds)[source]¶

Bases: Generic[smorest_crud.access_control.models.T]

A model mixin to implement access checks for a given model/user.

Required on all models for views with access checks enabled.

Example:

class PetQuery(AccessControlQuery):
    def query_for_user(self, user) -> "PetQuery":
        return self.filter_by(owner=user)

class Pet(Model, AccessControlUser):
    query_class = PetQuery

    def user_can_read(self, user) -> bool:
        return self.user_can_write(user) or self.owner.id == user.id

    def user_can_write(self, user) -> bool:
        return user.is_admin  # only administrators can edit pets

classmethod get_for_user_or_404(user, id_value)[source]¶

Get instance by key if user allowed to read. :type user: Type[~T] :param user: user instance to check access for :type id_value: Union[str, int] :param id_value: value of the key attribute for filtering

Return type: ~T

query_class: Type[smorest_crud.access_control.models.AccessControlQuery]¶

classmethod query_for_user(user)[source]¶

Filter list of items for user, or None if disallowed.

Return type: Optional[AccessControlQuery]

user_can_create(user, args)[source]¶

Check if user is allowed to create.

Return type: bool

user_can_read(user)[source]¶

Check if user is allowed to access this object at all.

Defaults to calling self.user_can_write(user).

Return type: bool

user_can_write(user)[source]¶

Check if user can make any modifications to this object (update, delete).

Return type: bool