Search code examples
flaskflask-adminflask-security

How to secure Flask-Admin if my only user is going to be the Admin?

I have seen plenty of solutions online, however all of them addressed more complex apps which allow external users to create accounts. In my case the only user will be the admin. How do I secure the /admin routes created by Flask-Admin in an efficient way?

Solution

  • You can use Flask-Login for that. I usually add a route to the AdminIndexView class that handles the login if the user isn't logged in, yet. Otherwise the default admin page will be shown. 

    from flask import Flask
from flask_login import LoginManager
from flask_admin import Admin


app = Flask(__name__)

login_manager = LoginManager(app)
login_manager.session_protection = 'strong'
login_manager.login_view = 'admin.login'

admin = Admin(app, index_view=MyIndexView())

    The definition of MyAdminView can look like this:

    from flask_admin import AdminIndexView, expose, helpers


class FlaskyAdminIndexView(AdminIndexView):

    @expose('/')
    def index(self):
        if not login.current_user.is_authenticated:
            return redirect(url_for('.login'))
        return super(MyAdminIndexView, self).index()

    @expose('/login', methods=['GET', 'POST'])
    def login(self):
        form = LoginForm(request.form)
        if helpers.validate_form_on_submit(form):
            user = form.get_user()
            if user is not None and user.verify_password(form.password.data):
                login.login_user(user)
            else:
                flash('Invalid username or password.')
        if login.current_user.is_authenticated:
            return redirect(url_for('.index'))
        self._template_args['form'] = form
        return super(MyAdminIndexView, self).index()

    @expose('/logout')
    @login_required
    def logout(self):
        login.logout_user()
        return redirect(url_for('.login'))

    This integrates Flask-Login unobtrusively in the Flask-Admin interface. You will still need to implement the user and password verification like described in the Flask-Login documentation.

    EDIT

    To prevent unauthorized access to your admin routes create a ModelView class for each view and add a function is_accessible() with the following code:

    def is_accessible(self):
    if (not login.current_user.is_active or not
            login.current_user.is_authenticated):
        return False
    return True