2013-07-11 36 views
9

I want to customize admin views with Flask and Flask-SuperAdmin, but the index view and the sub-views apparently do not use the same is_accessible method: Flask-Admin & Authentication: '/admin' is protected, but '/admin/anything-else' is not

EDIT: I managed to figure out what I was doing wrong. I needed to define is_accessible in every view class. This is best done with a mixin class, as shown in the fixed code:

app/frontend/admin.py (FIXED & working code)

from flask.ext.security import current_user, login_required
from flask.ext.superadmin import expose, AdminIndexView
from flask.ext.superadmin.model.base import ModelAdmin
from ..core import db

# all admin views should subclass AuthMixin
class AuthMixin(object):
    def is_accessible(self):
        if current_user.is_authenticated() and current_user.has_role('Admin'):
            return True
        return False

# the view that gets used for the admin home page
class AdminIndex(AuthMixin, AdminIndexView):
    # use a custom template for the admin home page
    @expose('/')
    def index(self):
        return self.render('admin/index.jade')

# base view for all other admin pages
class AdminBase(AuthMixin, ModelAdmin):  # AuthMixin must come before ModelAdmin!
    """A base class for customizing admin views using our DB connection."""
    session = db.session

# customize the form displays for User and Role models

class UserAdmin(AdminBase):
    list_display = ('email',)
    search_fields = ('email',)
    exclude = ['password', ]
    # fields_order = ['email', 'active', 'last_login_at', ]

class RoleAdmin(AdminBase):
    field_args = {'name': {'label': 'Role Name'},
                  'description': {'description': "Duties & Responsibilities"}}
    list_display = ('name', 'description')

Then set up the Flask app with our views hooked in:
app/factory.py

from flask import Flask
from flask.ext.superadmin import Admin

# This is an excerpt from the app factory: `package_name` is the factory's
# argument, and User/Role are the app's own Flask-Security models (their
# module is not shown in the question).
app = Flask(package_name, instance_relative_config=True)
# other app setup stuff like db, mail, ...

from .frontend.admin import AdminIndex, UserAdmin, RoleAdmin
admin = Admin(app, name='PyCBM Admin',
              index_view=AdminIndex(url='/admin', name='Admin Home'))
admin.register(User, UserAdmin)
admin.register(Role, RoleAdmin)

So, as the title says, here's the problem:

/admin throws a 403 when an 'Admin' user isn't logged in, like it should, but 
/admin/user lets anybody right on in. 

I dug through the source code trying to find another "global admin blueprint" security feature - maybe I'm blind - but I couldn't find one.

+0

You should answer your own question to mark this as solved –

+2

This is actually not flask-admin, it's flask-superadmin – Hut8

Answer

1

If you go to flask_superadmin/base.py, on line 193 there is the following snippet:

def _handle_view(self, name, *args, **kwargs):
    if not self.is_accessible():
        return abort(403)

So maybe this method has to be overridden by AdminIndex so that, instead of returning abort(403), it redirects to /login

+0

@app.errorhandler(403) def page_forbiden(e): return redirect(url_for_security("login")) – OWADVL
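The following is an added, dependency-free example (not code from the question, the answer, or Flask-SuperAdmin itself) that models the dispatch behaviour the answer's `_handle_view` snippet shows and why the asker's mixin fix works: every view class runs its own `is_accessible()` before rendering, so a check defined only on the index view never protects `/admin/user`, and a mixin placed after `ModelAdmin` in the base list is shadowed by the library's default. `BaseView`, `ModelAdmin`, `FakeUser`, `dispatch` and `status_by_path` are simplified stand-ins, and the "current user" is a constructed object rather than Flask-Security's `current_user`.

```python
# Added example: a minimal model of per-view access checks as done by
# Flask-SuperAdmin. Library classes are simplified stand-ins (assumption),
# and FakeUser replaces Flask-Security's current_user.


class FakeUser:
    """Constructed stand-in for Flask-Security's current_user."""

    def __init__(self, authenticated, roles=()):
        self._authenticated = authenticated
        self._roles = set(roles)

    def is_authenticated(self):
        return self._authenticated

    def has_role(self, role):
        return role in self._roles


class BaseView:
    """Stand-in for the library's BaseView: each view checks its OWN
    is_accessible() on every request, and the default is open access."""

    def is_accessible(self):
        return True  # library default: everyone may access the view

    def _handle_view(self, user):
        # Mirrors the snippet quoted in the answer: abort(403) unless the
        # view's own is_accessible() says yes.
        self.current_user = user
        if not self.is_accessible():
            return 403
        return 200


class AdminIndexView(BaseView):
    pass


class ModelAdmin(BaseView):
    # Inherits the open-by-default is_accessible from BaseView.
    pass


class AuthMixin:
    """The fix from the question: one is_accessible shared by every view."""

    def is_accessible(self):
        u = self.current_user
        return u.is_authenticated() and u.has_role("Admin")


class AdminIndex(AuthMixin, AdminIndexView):
    pass


class UserAdmin(AuthMixin, ModelAdmin):  # mixin first, so its method wins
    pass


class UnprotectedUserAdmin(ModelAdmin):
    """The original bug: no override, so BaseView's default (True) applies."""


class WrongOrderUserAdmin(ModelAdmin, AuthMixin):
    """Mixin listed after ModelAdmin: the MRO reaches BaseView.is_accessible
    before AuthMixin.is_accessible, so the mixin is silently ignored."""


def dispatch(views, path, user):
    """Route a path to its registered view and return the status code."""
    return views[path]()._handle_view(user)


def status_by_path(views, user):
    """Return {path: status} for every registered view, for one user."""
    return {path: dispatch(views, path, user) for path in views}


# Constructed users for the scenarios below.
ANON = FakeUser(authenticated=False)
ADMIN = FakeUser(authenticated=True, roles={"Admin"})
PLAIN = FakeUser(authenticated=True, roles={"User"})

# The situation in the question: only the index view carries the check.
BUGGY = {"/admin": AdminIndex, "/admin/user": UnprotectedUserAdmin}
# The fix: every view subclasses AuthMixin, mixin first in the bases.
FIXED = {"/admin": AdminIndex, "/admin/user": UserAdmin}
# The trap behind "AuthMixin must come before ModelAdmin!".
WRONG_MRO = {"/admin": AdminIndex, "/admin/user": WrongOrderUserAdmin}

if __name__ == "__main__":
    for label, views in (("buggy", BUGGY), ("fixed", FIXED), ("wrong MRO", WRONG_MRO)):
        print(label, "anonymous:", status_by_path(views, ANON))
```

Running it prints a 403 for `/admin` in all three setups, but `/admin/user` returns 200 to an anonymous user in both the buggy and the wrong-MRO layouts; only the fixed layout denies it, while an authenticated user holding the Admin role gets 200 on both paths. The practical check is the same in a real deployment: request every registered admin URL as an anonymous user and as a logged-in non-admin, not just the index.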