Role-Based Access Control (RBAC) is a security mechanism that restricts user access based on their roles within an application. Instead of assigning permissions to individual users, RBAC groups users into roles and each role has specific permissions.
For example, in a Flask app, we might have roles like admin, editor and user, where:
This approach improves security, simplifies permission management and ensures users only access what they need.
Note: For storing users' details we are going to use flask-sqlalchemy, and db-browser for performing database actions. We can find a detailed tutorial here.
To learn how to create and set-up flask app, refer to- Create Flask App
After creating a Flask app, we need to install the modules required for this project. To install them, execute this command in the terminal-
pip install flask flask-security flask-sqlalchemy flask-login email-validator
It will install these packages:
The file structure of this project after completion will look like this:
Configurations are key-value settings that control the app's behavior, such as database connections, security settings and session management. These settings are stored in app.config and help customize the application's functionality. The configurations used in our app are-
This part defines our database models. We create two models User and Role with a many-to-many relationship via an association table. The fs_uniquifier is a required field for Flask-Security.
Explanation
In this section, we define all the routes for our application, such as home, signup, signin, logout and role-protected pages. The routes use Flask-Security decorators to restrict access based on user roles.
Explanation
We have tables but we still don't have roles created. We have to create those roles (Admin, Teacher, Staff, Student). Keep in mind that the id for Admin role must be 1, for Teacher: 2, Staff: 3 and Student: 4.
Create a new file "create_roles.py" in the same folder as app.py and add the below code. Remember to execute this file after the db creation.
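The role-protected routes and the create_roles.py step above, as an added example that is not the tutorial's own code: a plain-Python stand-in that reproduces what Flask-Security's `roles_required` (user must hold all listed roles) and `roles_accepted` (user must hold any listed role) decorators check, and seeds the four roles with their fixed ids idempotently. It imports no Flask so it runs offline; `current_user`, `as_user` and the plain dict store are assumptions standing in for Flask-Security's session user and the SQLAlchemy role table.

```python
# Added example, not from the tutorial: a plain-Python stand-in for the checks
# behind Flask-Security's roles_required (user needs ALL listed roles) and
# roles_accepted (ANY listed role). No Flask import so it runs offline;
# `current_user` is a hypothetical global standing in for flask_security's.
from dataclasses import dataclass
from functools import wraps

@dataclass
class User:
    email: str
    roles: tuple = ()              # role names, as [r.name for r in user.roles]
    is_authenticated: bool = True

ANONYMOUS = User(email="", is_authenticated=False)   # nobody logged in
current_user = ANONYMOUS

# The tutorial requires fixed ids: Admin=1, Teacher=2, Staff=3, Student=4.
ROLE_NAMES = ("Admin", "Teacher", "Staff", "Student")

def seed_roles(store):
    """Add the four roles to `store` (dict id -> name) only when absent, so
    running create_roles twice never duplicates or renumbers them."""
    for role_id, name in enumerate(ROLE_NAMES, start=1):
        store.setdefault(role_id, name)
    return store

def _roles_check(names, need_all):
    def deco(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            if not current_user.is_authenticated:
                return 401                 # anonymous: Flask-Security sends to login
            held = set(current_user.roles)
            ok = held.issuperset(names) if need_all else bool(held & set(names))
            return view(*args, **kwargs) if ok else 403   # logged in, wrong role
        return wrapper
    return deco

def roles_required(*names): return _roles_check(names, need_all=True)
def roles_accepted(*names): return _roles_check(names, need_all=False)

@roles_required("Admin")
def admin_page(): return "admin page"
@roles_accepted("Teacher", "Staff")
def staff_room(): return "staff room"

def as_user(user, view):
    """Call `view` as `user` (emulates one request from that session)."""
    global current_user
    current_user = user
    return view()
```

Note that `roles_required("Admin", "Teacher")` denies a user holding only Admin, which is the usual surprise when the two decorators are confused.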
Explanation
The following lines of code are responsible for creating the database and running the app in debug mode; if the database already exists, the app simply connects to it.
This file uses the Jinja2 templating engine. The current_user variable stores the logged-in user's details. {% if current_user.is_authenticated %} checks if a user is logged in and displays their email ({{ current_user.email }}). Since users can have multiple roles, a loop iterates through them. If no user is logged in, the {% else %} block runs.
Output:
The form's action is #, reloading the current page on submission. It uses the POST method to create a new database entry with fields for email, password and role selection via radio buttons. Jinja2's {% if %} checks if a user is logged in and if not, the form is shown; otherwise, a logged-in message appears.
Output:
Similar to the signup page, check whether a user is already logged in; if not, render the form asking for email and password. The form method should be POST.
Output:
The teachers variable passed to render_template is a list of objects containing all the columns of the user table, so we use a Python for loop in Jinja2 to show the elements of the list inside an HTML ordered list tag.
Output:
In this file, we iterate over all the staff and extract their email IDs.
Output:
Iterating over all the students and extracting their email IDs.
Output:
Similar to the index page, show the roles with a Jinja2 for loop, because a user can have more than one role, i.e., current_user.roles is a list of the roles queried from the database.
Output:
To run the app correctly, follow these steps:
Step 1: First run the following command in the terminal.
python app.py
It will start the app and create the database "g4g.sqlite3".
Step 2: Then stop the app using CTRL + C and run the create_roles.py file using command-
python create_roles.py
This will create the roles in the database "g4g".
Step 3: Then again run the main flask app using command-
python app.py
Go to:
http://127.0.0.1:5000
To demonstrate the working of app, sign up as a new user "geek" in student role.