Flask-Admin role-based resource permissions
A quick and dirty solution to my own problem:
1. Create a generic function to check ownership in the ModelView class
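def is_owned(self, id):
    """Return True when the stored row with primary key ``id`` belongs to current_user.

    The owner is read from the database as a single column, with autoflush
    switched off, so the answer reflects what is persisted rather than
    unsaved values sitting on an in-memory model object.

    NOTE(review): Flask-Admin appears to copy the submitted form onto the
    model before calling on_model_change; if the form can set the owner, an
    autoflushing lookup would compare against the submitted owner instead of
    the stored one. Confirm against the Flask-Admin version in use.

    Returns False when ``id`` is None, when no such row exists, or when the
    row has no owner.
    """
    if id is None:
        # An object that has not been saved yet has no stored owner to compare.
        return False

    with db.session.no_autoflush:
        row = (
            db.session.query(self.model.user_id)
            .filter(self.model.id == id)
            .first()
        )

    if row is None:
        return False

    owner_id = row[0]
    # A row without an owner is treated as owned by nobody.
    return owner_id is not None and owner_id == current_user.id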
2. Override ModelView's on_model_change, on_form_prefill, on_model_delete, get_query and get_count_query methods to check for ownership (user_id = current_user.id):
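def on_model_change(self, form, model, is_created):
    """Stamp the owner on new rows and refuse changes to rows owned by others.

    A row that is being created has no primary key yet, so looking it up by
    id could never succeed and every create would be answered with 403.
    New rows are assigned to the current user instead of being looked up.
    """
    if is_created:
        # Ownership is set server-side, never taken from the submitted form.
        # NOTE(review): if the form also exposes the owner (a user_id field or
        # a relationship to the user), exclude it, e.g. with
        # form_excluded_columns, so it cannot override this value.
        model.user_id = current_user.id
        return

    if not self.is_owned(model.id):
        abort(403)


def on_form_prefill(self, form, id):
    """Refuse to pre-populate the edit form for a row the user does not own."""
    if not self.is_owned(id):
        abort(403)


def on_model_delete(self, model):
    """Refuse to delete a row the current user does not own."""
    if not self.is_owned(model.id):
        abort(403)


def get_query(self):
    """Restrict the list query to rows owned by the current user.

    NOTE(review): views that load one row by id (the details view, for
    instance) may not go through get_query; confirm, and apply the same
    ownership check there if they are enabled.
    """
    owned_only = self.model.user_id == current_user.id
    return super(Tables, self).get_query().filter(owned_only)


def get_count_query(self):
    """Restrict the row count to rows owned by the current user.

    Kept in step with get_query so the pager does not reveal how many rows
    other users have.
    """
    owned_only = self.model.user_id == current_user.id
    return super(Tables, self).get_count_query().filter(owned_only)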