Flask framework (~20 mins)

Permission checking in routes in Flask - Practice Problems & Coding Challenges

Challenge - 5 Problems
Permission Mastery in Flask
Get all challenges correct to earn this badge!
Test your skills under time pressure!
Component Behavior
intermediate
What happens when a user without permission accesses this Flask route?

Consider this Flask route that checks user permissions before allowing access:

from flask import Flask, abort
app = Flask(__name__)

@app.route('/admin')
def admin_panel():
    # get_current_user() is assumed to be defined elsewhere and to return
    # the authenticated user object for this request.
    user = get_current_user()
    if not user.has_permission('admin'):
        abort(403)
    return 'Welcome to admin panel'

What will the user see if they do not have the 'admin' permission?

A. The server crashes with an exception.
B. The user sees a 403 Forbidden error page.
C. The user is redirected to the login page.
D. The user sees the message 'Welcome to admin panel'.
💡 Hint

Think about what abort(403) does in Flask.

📝 Syntax
intermediate
Identify the syntax error in this Flask permission check

Look at this Flask route code snippet:

from flask import Flask, abort
app = Flask(__name__)

@app.route('/dashboard')
def dashboard():
    user = get_current_user()  # assumed to be defined elsewhere
    if user.has_permission('view_dashboard')
        return 'Dashboard content'
    else:
        abort(403)

What is the syntax error here?

A. Missing colon ':' after the if condition.
B. Missing parentheses in abort call.
C. Indentation error in the else block.
D. Route decorator is missing parentheses.
💡 Hint

Check the syntax of the if statement line.

State Output
advanced
What is the response status code when permission check passes?

Given this Flask route:

from flask import Flask, abort
app = Flask(__name__)

@app.route('/settings')
def settings():
    user = get_current_user()  # assumed to be defined elsewhere
    if user.has_permission('edit_settings'):
        return 'Settings page', 200
    else:
        abort(403)

What HTTP status code will the client receive if the user has the 'edit_settings' permission?

A. 500
B. 404
C. 403
D. 200
💡 Hint

Look at the return statement when permission is granted.

🔧 Debug
advanced
Why does this permission check always allow access?

Examine this Flask route:

from flask import Flask
app = Flask(__name__)

@app.route('/profile')
def profile():
    user = get_current_user()  # assumed to be defined elsewhere
    if user.has_permission('view_profile') == False:
        return 'Access denied', 403
    return 'User profile'

Users report they can access the profile page even without permission. Why?

A. The permission check uses '== False', which does not trigger if has_permission returns None or another falsy value that is not exactly False.
B. The function get_current_user() is not defined, so user is None.
C. The route decorator is missing parentheses.
D. The return statement for access denied is missing an abort() call.
💡 Hint

Consider how Python evaluates boolean expressions and the return value of has_permission.
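The following is an added illustration, not part of the original challenge, showing why an `== False` comparison fails open. It replaces the Flask view with plain functions so it runs without Flask installed; the `User` class and its `has_permission` method are hypothetical, modelled on a common backend quirk where an explicitly denied permission yields `False` but a permission that was never configured yields `None`.

```python
# Added example: why `== False` lets falsy-but-not-False results through.
# Plain-Python stand-in for the Flask view; the permission backend is hypothetical.


class User:
    """Hypothetical user whose permission lookup returns True when granted,
    False when explicitly denied, and None when the permission was never
    configured at all (a pattern seen in real permission stores)."""

    def __init__(self, granted, denied=()):
        self._granted = set(granted)
        self._denied = set(denied)

    def has_permission(self, name):
        if name in self._granted:
            return True
        if name in self._denied:
            return False
        return None  # falsy, but `None == False` evaluates to False


def profile_buggy(user):
    """The challenge's check: only an exact False value denies access."""
    if user.has_permission('view_profile') == False:
        return ('Access denied', 403)
    return ('User profile', 200)


def profile_fixed(user):
    """Fail closed: anything that is not truthy denies access."""
    if not user.has_permission('view_profile'):
        return ('Access denied', 403)
    return ('User profile', 200)


def compare(user):
    """Return (buggy_status, fixed_status) for one user."""
    return profile_buggy(user)[1], profile_fixed(user)[1]


if __name__ == '__main__':
    # Constructed sample users covering the three lookup outcomes.
    cases = {
        'granted': User(granted={'view_profile'}),
        'explicitly denied': User(granted=set(), denied={'view_profile'}),
        'never configured': User(granted=set()),  # has_permission -> None
    }
    for label, u in cases.items():
        buggy, fixed = compare(u)
        print(f'{label:18s} buggy={buggy} fixed={fixed}')
```

The same hole exists with `is False`: `None is False` is also untrue, so the denial branch is skipped. Writing the check as `if not user.has_permission(...)` treats every non-truthy result (None, False, 0, an empty collection) as a denial, which is the fail-closed default an authorization check should have.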

🧠 Conceptual
expert
Which approach best secures multiple routes with the same permission check?

You want to protect several Flask routes so only users with 'editor' permission can access them. Which approach is best to avoid repeating permission checks in every route?

A. Check permissions only in the first route and assume users have permission for the others.
B. Manually add the permission check code inside each route function.
C. Create a custom decorator that checks the 'editor' permission and apply it to all relevant routes.
D. Use a global before_request function that aborts if the user lacks the 'editor' permission, for all routes.
💡 Hint

Think about code reuse and clear permission enforcement per route.
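As an added example (not code from the original challenge), here is a reusable permission decorator of the kind the question describes. It is a pure-Python stand-in so it runs without Flask: the `Forbidden` exception plays the role of what `flask.abort(403)` raises, and the current user is passed to the view explicitly instead of being read from the request context. `User`, `edit_article`, `publish_article` and `call_view` are all hypothetical names.

```python
# Added example: a decorator factory that enforces one permission on many views.
# Pure-Python stand-in for Flask; Forbidden mimics the exception raised by abort(403).
import functools


class Forbidden(Exception):
    """Stand-in for werkzeug's Forbidden, which flask.abort(403) raises."""
    status_code = 403


def permission_required(permission):
    """Decorator factory: deny the wrapped view unless the user holds `permission`.

    In a real Flask view the check would call abort(403) and read the user from
    the request context; here it raises Forbidden and takes the user as an argument.
    """
    def decorator(view):
        # functools.wraps preserves view.__name__. Flask derives the endpoint
        # name from the function name, and two views that both reported the
        # name 'wrapper' would collide when registered with @app.route.
        @functools.wraps(view)
        def wrapper(user, *args, **kwargs):
            if not user.has_permission(permission):   # fail closed on any falsy result
                raise Forbidden()
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


class User:
    """Hypothetical user with a flat set of permission names."""

    def __init__(self, permissions):
        self.permissions = frozenset(permissions)

    def has_permission(self, name):
        return name in self.permissions


# The same requirement stated once per route, with no check repeated in the body.
@permission_required('editor')
def edit_article(user, article_id):
    return f'editing article {article_id}'


@permission_required('editor')
def publish_article(user, article_id):
    return f'published article {article_id}'


def call_view(view, user, *args):
    """Invoke a view and translate Forbidden into the status code Flask would send."""
    try:
        return 200, view(user, *args)
    except Forbidden as exc:
        return exc.status_code, 'Forbidden'


if __name__ == '__main__':
    editor = User({'editor'})
    reader = User({'reader'})
    print(call_view(edit_article, editor, 7))      # (200, 'editing article 7')
    print(call_view(publish_article, reader, 7))   # (403, 'Forbidden')
```

Two caveats when wiring this into a real app. First, `@app.route(...)` must be the outermost decorator, above `@permission_required(...)`; if the order is reversed, Flask registers the unprotected view and the check never runs. Second, a blanket `before_request` hook that demands 'editor' for every request also locks down login, logout and static routes, which is why per-route enforcement is the clearer design: the requirement is visible next to the route it protects.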