flask admin url of View still accessible after setting is_accessible to False

400 Views Asked by Jonathan Scholbach At 03 April 2025 at 21:14

I would like to protect access to my Views based on flask-security roles. So, for instance, I have set up:

class AdminView(ModelView):    
    def is_accessible(self):
        return current_user.has_role('admin')

and

admin.add_view(AdminView(User, db.session))

The logic works: when I log in with a non-admin user, I don't see the User table, when I log in with an admin user, I see it.

But...

entering the url

localhost/admin/user

still gives every user access to the user table, for both admins and non-admins. How can I use flask Admin to protect also the url against access of non-admins? (Honestly, I would have expected def is_accessible() to manage that in the first place.)

Original Q&A

There are 1 best solutions below

smundlay On 12 September 2017 at 06:40

you could add a @login_required decorator to your view (read here) & since you are using flask-security, which is built partially on top of flask-login, that decorator might already be there.

flask admin url of View still accessible after setting is_accessible to False

There are 1 best solutions below

Related Questions in FLASK

Related Questions in FLASK-ADMIN

Trending Questions

Popular # Hahtags

Popular Questions