dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. Includes detailed security, auto CRUD generation for your models, Google charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

How do I associate automatically generated permissions with the Public role? #2274

Open yamen321 opened 1 month ago

yamen321 commented 1 month ago

Hello,

I have a question regarding permissions associated with the "Public" role.

I've spent a lot of time digging through the documentation as well as the source code, but I couldn't figure out the simplest method to add a CRUD permission like "can list on view" without using the security roles/list UI on the actual web app.

For example, I have a view named "HomepageView" and I would like to add the automatically generated permissions "can list on HomepageView" and "can show on HomepageView" to the Public role so that users can view data displayed on that view without having to log in.

I was able to accomplish this using the built-in security UI as shown below: image

However, I wasn't able to do this using the FAB_ROLES setting in the config file as explained in the documentation: image

Is it even possible to use the config file to accomplish this?

Yoyasp commented 1 month ago

Hi there,

By default there are only two roles (Admin and Public). These are defined in the options AUTH_ROLE_ADMIN and AUTH_ROLE_PUBLIC. If you have roles defined in the FAB_ROLES definition, Appbuilder will create a new role in the database on startup that has those permissions listed. However, new users will not automatically have this role assigned. In your case the role: ReadOnly will be created, but users that are not logged in will still only have the role: Public assigned.

You could set the AUTH_ROLE_PUBLIC to this new ReadOnly role, but that would mean that every visitor can show the data of all your models (including User info). So that would not be the way to go....

I'm assuming the View you want everybody to see is a ModelView.

You could create a new FAB_ROLES mapping for the Public role:

```python
FAB_ROLES = {
    "Public": [
        ["HomepageView", "can_list"],
        ["HomepageView", "can_show"],
        ["HomepageView", "menu_access"],
        ["HomepageView", "can_get"],
        ["HomepageView", "can_info"]
    ]
}
```

Another way is to create your own custom PublicModelView that has all the code of the ModelView except the @has_access decorator and let your HomePageView inherit from there.

One more side note: Your view is named HomePageView, I assume that this is your index/landing page when people visit your site. Have you looked at the IndexView?
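
A configuration check for the trade-off discussed in this thread, as an added example that is not code from the thread or from Flask-AppBuilder: it expands the FAB_ROLES entries of whichever role AUTH_ROLE_PUBLIC names and reports every grant that falls outside an allowlist of public views. It assumes FAB_ROLES entries are regular expressions matched with `re.match`; `audit_public_role`, `REGISTERED` and the sample view and permission lists are hypothetical.

```python
import re

# Permissions that only read data; anything else on the public role is flagged.
READ_ONLY = {"can_list", "can_show", "can_get", "can_info", "menu_access"}

# Constructed sample: view name -> permissions the app has registered for it.
REGISTERED = {
    "HomepageView": ["can_list", "can_show", "can_add", "can_edit", "can_delete"],
    "UserDBModelView": ["can_list", "can_show", "can_add"],
}

READ_PERMS = ["can_list", "can_show", "menu_access", "can_get", "can_info"]

# The scoped mapping suggested in the thread: Public limited to one view.
SCOPED = {
    "AUTH_ROLE_PUBLIC": "Public",
    "FAB_ROLES": {"Public": [["HomepageView", p] for p in READ_PERMS]},
}

# The configuration the thread warns against: anonymous visitors get a
# role whose view pattern matches every view (assumed ".*" wildcard).
BROAD = {
    "AUTH_ROLE_PUBLIC": "ReadOnly",
    "FAB_ROLES": {"ReadOnly": [[".*", p] for p in READ_PERMS]},
}


def audit_public_role(config, registered, allowed_views):
    """Return findings for the role that anonymous visitors receive."""
    role = config.get("AUTH_ROLE_PUBLIC", "Public")
    granted = set()
    # Expand each (view pattern, permission pattern) pair into concrete grants.
    for view_pat, perm_pat in config.get("FAB_ROLES", {}).get(role, []):
        for view, perms in registered.items():
            if re.match(view_pat, view):
                granted.update((view, p) for p in perms if re.match(perm_pat, p))
    findings = []
    for view, perm in sorted(granted):
        if view not in allowed_views:
            findings.append(f"{role}: {perm} on {view} (view not meant to be public)")
        elif perm not in READ_ONLY:
            findings.append(f"{role}: {perm} on {view} (not a read-only permission)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_public_role(cfg, REGISTERED, {"HomepageView"}))
```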