Before you use this snippet, I urge you to look at using Flask-Principal. It is a great piece of software, and is probably more secure than this, and definitely better maintained. However, I found that it was too much for my needs, and so I created this snippet.
This snippet is pretty simple. You just need to replace get_current_user_role() with however you look up the current user's role (it should come from server-side state such as the login session, never from a value the client can supply) and error_response() with however you want to tell the user that they are not authorized to view the page. After you do that, you should be good to go.

    from functools import wraps

    def requires_roles(*roles):
        """Allow the view only if the current user's role is one of the given roles."""
        def wrapper(f):
            @wraps(f)  # keep the view's name so Flask's endpoint names stay unique
            def wrapped(*args, **kwargs):
                # Default deny: anything not in the allowed roles gets the error response.
                if get_current_user_role() not in roles:
                    return error_response()
                return f(*args, **kwargs)
            return wrapped
        return wrapper
Usage is as simple as the snippet itself. This is just a decorator that you pass the required roles into. The required roles can be any type of object that compares with ==, not just strings. Do note that if you use a login extension such as Flask-Login, you should place @requires_roles below @login_required (or its equivalent), so the login check runs first and an anonymous visitor is sent to log in instead of being handed a role error.

    @app.route('/user')
    @requires_roles('admin', 'user')
    def user_page():
        return "You've got permission to access this page."
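Below is an added, runnable example that is not part of the original snippet. It stands in for a Flask app without importing Flask: a constructed module-level dictionary plays the part of the server-side session, login_required and the (body, status) return values are assumed stand-ins for Flask-Login and Flask's view return convention, and the decorator is generalized slightly to users who hold a set of roles rather than a single one. It shows the default-deny check, why the role lookup must read server-side state, and what goes wrong when the decorators are stacked in the wrong order.

```python
from functools import wraps

# Constructed stand-in for the server-side login session (flask.session or a
# Flask-Login user object in a real app). The client never writes to this directly.
_session = {"authenticated": False, "roles": frozenset()}


def login_as(roles):
    """Simulate a successful login that grants the given roles (assumed helper)."""
    _session["authenticated"] = True
    _session["roles"] = frozenset(roles)


def logout():
    """Simulate logging out: no identity, no roles."""
    _session["authenticated"] = False
    _session["roles"] = frozenset()


def get_current_user_roles():
    """Roles come from server-side session state, never from a header or form field."""
    return _session["roles"]


def error_response(status, message):
    """Assumed stand-in for a Flask error response: (body, status) as a view would return."""
    return (message, status)


def login_required(f):
    """Assumed stand-in for Flask-Login's login_required: reject anonymous callers."""
    @wraps(f)
    def wrapped(*args, **kwargs):
        if not _session["authenticated"]:
            return error_response(401, "login required")
        return f(*args, **kwargs)
    return wrapped


def requires_roles(*roles):
    """Default deny: run the view only if the user holds at least one allowed role."""
    allowed = frozenset(roles)

    def wrapper(f):
        @wraps(f)  # preserves f.__name__, which Flask uses as the endpoint name
        def wrapped(*args, **kwargs):
            if not (get_current_user_roles() & allowed):
                return error_response(403, "forbidden")
            return f(*args, **kwargs)
        return wrapped
    return wrapper


# Correct order: login_required is outermost, so it runs first.
@login_required
@requires_roles("admin", "user")
def user_page():
    return "You've got permission to access this page."


# Wrong order: the role check runs before the login check, so an anonymous
# visitor gets 403 "forbidden" instead of being told to log in.
@requires_roles("admin")
@login_required
def wrongly_ordered_admin_page():
    return "admin only"


if __name__ == "__main__":
    logout()
    print(user_page())                      # ('login required', 401)
    print(wrongly_ordered_admin_page())     # ('forbidden', 403)
    login_as({"guest"})
    print(user_page())                      # ('forbidden', 403)
    login_as({"user", "guest"})
    print(user_page())                      # You've got permission to access this page.
```

The @wraps call matters in a real Flask app: without it every decorated view is named "wrapped", and registering a second one on the same app fails because Flask refuses to map two view functions to one endpoint name.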
This snippet by Alex Abbott can be used freely for anything you like. Consider it public domain.