Flask framework, ~5 mins

Why authorization matters in Flask

Introduction

Authorization helps control what users can do in an app. It keeps private parts safe and stops people from doing things they shouldn't.

When you want only logged-in users to see their personal info.
When some users should edit content but others can only view it.
When you need to protect admin pages from regular users.
When you want to limit access to paid features.
When you want to keep sensitive data safe from unauthorized users.
Syntax
Flask
from flask import Flask, request, abort

app = Flask(__name__)

@app.route('/secret')
def secret():
    user_role = request.headers.get('Role')
    if user_role != 'admin':
        abort(403)  # Forbidden
    return 'Welcome, admin!'

Use abort(403) to stop users without permission.

Check user roles or permissions before showing sensitive info.

Examples
Simple check to allow only admins.
Flask
if user_role == 'admin':
    return 'Access granted'
else:
    abort(403)
Allow multiple roles to access a page.
Flask
allowed_roles = ['admin', 'editor']
if user_role in allowed_roles:
    return 'Access granted'
else:
    abort(403)
Check if user is logged in and has permission.
Flask
from flask_login import current_user

if not current_user.is_authenticated:
    abort(401)  # Unauthorized: nobody is logged in
# has_permission() is not provided by Flask-Login; define it on your own User model.
if not current_user.has_permission('edit'):
    abort(403)  # Forbidden: logged in, but not allowed to do this
Sample Program

This Flask app has a dashboard route. It checks the user's role from the request headers. If the user is not an admin, it stops with a 403 error. Otherwise, it shows a welcome message.

Flask
from flask import Flask, request, abort

app = Flask(__name__)

@app.route('/dashboard')
def dashboard():
    user_role = request.headers.get('Role')
    if user_role != 'admin':
        abort(403)  # Forbidden
    return 'Welcome to the admin dashboard!'

if __name__ == '__main__':
    app.run(debug=True)
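The examples and the sample program above take the role from a `Role` request header. That header is written by whoever sends the request, so a check on it only confirms what the client claims, not what the server knows. The example below is added here and is not code from the original page: it keeps the same 401/403 pattern but reads the role from Flask's signed session cookie, which the client cannot alter without the server's secret key. It also generalises the single-role check to a small role-to-permission table and wraps the check in a decorator. `ROLE_PERMISSIONS`, the demo accounts, the `decide()` helper and the route names are all constructed for this demonstration.

```python
# Added example (not from the original page): role-based authorization where
# the role comes from Flask's signed session, not from a request header.
# ROLE_PERMISSIONS, the demo accounts and the route names are constructed.
from functools import wraps

# Which roles hold which permissions (constructed policy table).
ROLE_PERMISSIONS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "admin": {"view", "edit", "manage_users"},
}


def decide(role, permission):
    """Map (session role, required permission) to an HTTP status code.

    401: no identity at all (not logged in); 403: logged in but not allowed;
    200: allowed. Unknown roles get no permissions, so they end up as 403.
    """
    if role is None:
        return 401
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        return 403
    return 200


def create_app(secret_key="dev-only-change-me"):
    # Flask is imported here so decide() stays importable without it.
    from flask import Flask, abort, request, session
    from werkzeug.security import check_password_hash, generate_password_hash

    app = Flask(__name__)
    # The secret key signs the session cookie: a client can read the cookie
    # but cannot change "role" inside it without breaking the signature.
    app.secret_key = secret_key

    # Constructed demo accounts: username -> (role, password hash).
    users = {
        "alice": ("admin", generate_password_hash("alice-pass")),
        "bob": ("editor", generate_password_hash("bob-pass")),
    }

    def permission_required(permission):
        """Decorator: reject the request unless the session role grants it."""
        def decorator(view):
            @wraps(view)
            def wrapped(*args, **kwargs):
                status = decide(session.get("role"), permission)
                if status != 200:
                    abort(status)
                return view(*args, **kwargs)
            return wrapped
        return decorator

    @app.route("/login", methods=["POST"])
    def login():
        # Authentication (who you are) establishes the role that every later
        # authorization check (what you may do) relies on.
        record = users.get(request.form.get("username", ""))
        password = request.form.get("password", "")
        if record is None or not check_password_hash(record[1], password):
            abort(401)
        session.clear()  # drop pre-login session state before storing the role
        session["role"] = record[0]
        return "logged in"

    @app.route("/dashboard")
    @permission_required("manage_users")
    def dashboard():
        return "Welcome to the admin dashboard!"

    @app.route("/edit")
    @permission_required("edit")
    def edit():
        return "edit form"

    # For contrast, the page's header-based check: the Role header is chosen
    # by whoever sends the request, so this route is reachable by any client.
    @app.route("/insecure-dashboard")
    def insecure_dashboard():
        if request.headers.get("Role") != "admin":
            abort(403)
        return "trusted a client-supplied header"

    return app


if __name__ == "__main__":
    create_app().run(debug=True)  # debug=True is for local development only
```

With `app.test_client()` you can see the three outcomes from the page's notes in one run: an anonymous request to `/dashboard` gets 401, an editor who has logged in gets 200 on `/edit` but 403 on `/dashboard`, and only an admin session reaches the dashboard. The same client gets 200 from `/insecure-dashboard` simply by sending `Role: admin`, which is why the role must come from server-side state rather than from the request.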
Important Notes

Authorization is different from authentication. Authentication checks who you are; authorization checks what you can do.

Always validate permissions on the server side; anything enforced only in the browser can be bypassed.

Summary

Authorization controls user access to parts of your app.

It protects sensitive data and features.

Use simple role checks and return errors if access is denied.