Flask framework, ~30 mins

Decorator for role requirement in Flask - Mini Project: Build & Apply

Decorator for Role Requirement in Flask
📖 Scenario: You are building a simple Flask web app where some pages should only be accessible to users with certain roles, like 'admin' or 'editor'. You want to create a decorator that checks if the current user has the required role before allowing access.
🎯 Goal: Create a Flask decorator called role_required that takes a role name as an argument and restricts access to routes based on the user's role stored in g.user_role.
📋 What You'll Learn
Create a Flask app with a route
Create a decorator function called role_required that accepts a role string
Check the current user's role from g.user_role
Return a 403 Forbidden response if the user does not have the required role
Apply the decorator to a route to restrict access
💡 Why This Matters
🌍 Real World
Role-based access control is common in web apps to protect sensitive pages and actions. This decorator pattern helps keep your code clean and reusable.
💼 Career
Understanding decorators and access control is important for backend web development roles, especially when working with Flask or similar frameworks.
1. Set up Flask app and user role
Import Flask and g from flask. Create a Flask app called app. Set g.user_role to the string 'editor' inside a function called before_request decorated with @app.before_request.
Need a hint?

Use @app.before_request to run code before each request. Inside that function, set g.user_role = 'editor'.

2. Create the role_required decorator function
Define a function called role_required that takes a parameter role. Inside it, define a nested function decorator that takes a function f. Inside decorator, define a wrapper function wrapper that checks if g.user_role equals role. If not, return a 403 response using return 'Forbidden', 403. Otherwise, call and return f(). Use functools.wraps(f) to preserve function metadata. Return wrapper from decorator, and return decorator from role_required. Import functools at the top.
Need a hint?

Remember to import functools and use @functools.wraps(f) on the wrapper function. The decorator should check g.user_role against the required role.

3. Create a protected route using the decorator
Create a route /admin using @app.route('/admin'). Define a function admin_page that returns the string 'Welcome Admin'. Decorate admin_page with @role_required('admin') to restrict access to users with the 'admin' role.
Need a hint?

Use @app.route('/admin') and decorate the function with @role_required('admin'). The function should return 'Welcome Admin'.

4. Add a public route without role restriction
Create a route /public using @app.route('/public'). Define a function public_page that returns the string 'Welcome Public'. This route should not have any role restrictions or decorators.
Need a hint?

Just create a normal route /public without any decorators. The function should return 'Welcome Public'.
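
The four steps assembled into one app, as an added example that is not this project's own solution code. It goes slightly beyond step 2: the wrapper forwards URL parameters with *args/**kwargs and fails closed when no role is set, and it shows what happens when the two decorators are stacked in the wrong order. The DEMO_ROLE config key, the status_for helper and the /admin/users/<int:user_id> and /misordered routes are assumptions made for the demonstration.

```python
import functools
from flask import Flask, g

app = Flask(__name__)
app.config["DEMO_ROLE"] = "editor"  # constructed stand-in for a real session lookup

@app.before_request
def before_request():
    g.user_role = app.config["DEMO_ROLE"]  # server-side state, never client input

def role_required(role):
    def decorator(f):
        @functools.wraps(f)  # keeps f.__name__, so Flask endpoint names stay unique
        def wrapper(*args, **kwargs):
            # Fail closed: a missing or None g.user_role never matches a role.
            if getattr(g, "user_role", None) != role:
                return "Forbidden", 403
            return f(*args, **kwargs)  # forward URL parameters to the view
        return wrapper
    return decorator

@app.route("/admin")
@role_required("admin")
def admin_page():
    return "Welcome Admin"

@app.route("/admin/users/<int:user_id>")  # hypothetical route with a URL parameter
@role_required("admin")
def admin_user(user_id):
    return f"User {user_id}"

@app.route("/public")
def public_page():
    return "Welcome Public"

# Pitfall: wrong decorator order. @app.route registers the bare function
# first, so the role check applied afterwards never runs for this URL.
@role_required("admin")
@app.route("/misordered")
def misordered_page():
    return "Unprotected"

def status_for(path, role):
    """Return the HTTP status a user with `role` gets for `path` (demo helper)."""
    app.config["DEMO_ROLE"] = role
    return app.test_client().get(path).status_code
```

Keeping @app.route as the outermost decorator on every protected view is what makes the check run; a test like status_for("/misordered", "editor") catches a route where the order was reversed.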