
flask-authz is an authorization middleware for Flask, based on PyCasbin.


pip install flask-authz

Or clone the repo:

$ git clone
$ pip install .   # run from inside the cloned repository

Module Usage:

from flask import Flask, jsonify
from flask_authz import CasbinEnforcer
from casbin.persist.adapters import FileAdapter

app = Flask(__name__)
# Set up Casbin model config
app.config['CASBIN_MODEL'] = 'casbinmodel.conf'
# Set headers where owner for enforcement policy should be located
app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'}
# Set up Casbin Adapter
adapter = FileAdapter('rbac_policy.csv')
casbin_enforcer = CasbinEnforcer(app, adapter)

@app.route('/', methods=['GET'])
@casbin_enforcer.enforcer  # without this decorator the route is not protected at all
def get_root():
    return jsonify({'message': 'If you see this you have access'})

@app.route('/manager', methods=['POST'])
@casbin_enforcer.enforcer
@casbin_enforcer.manager  # injects the enforcer as the `manager` argument
def make_casbin_change(manager):
    # manager is a casbin.enforcer.Enforcer object used to make changes to Casbin
    return jsonify({'message': 'If you see this you have access'})

Example Config
This example file can be found in tests/casbin_files

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Example Policy
This example file can be found in tests/casbin_files

p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *

p, anonymous, /, GET

g, cathy, dataset1_admin


  1. Fork
  2. Install Dev ENV
# Install Flask-Casbin with Dev packages
pip install -r dev_requirements.txt
pip install -r requirements.txt
pip install -e .
# Install Pre-commits
pre-commit install
# Create feature branch
git checkout -b feature-more-cool-stuff
# Code stuff

Then push your changes and create a PR

Update requirements with pip-tools

# update requirements.txt
pip-compile --no-annotate --no-header --rebuild
# sync venv with the compiled requirements
pip-sync

Manually Bump Version

bumpversion major  # major release
bumpversion minor  # minor release
bumpversion patch  # hotfix release


Authorization decisions are made on a {subject, object, action} tuple, i.e. which subject may perform which action on which object. In this plugin, the meanings are:

  1. subject: the logged-in user name
  2. object: the URL path for the web resource like "dataset1/item1"
  3. action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"
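To show how that {subject, object, action} tuple is decided against the example model and policy above, here is an added example (not code from flask-authz or Casbin): a minimal evaluator of the printed matcher over a constructed copy of the policy file. Its optional wildcard mode swaps in Casbin's keyMatch and a `*` action, which is what the `/dataset1/*` and `*` entries in the policy need; with the `==` matcher exactly as printed, those entries only match the literal strings.

```python
import csv
from io import StringIO

# Constructed copy of the policy listed above (tests/casbin_files).
POLICY_CSV = """\
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
"""

def load_policy(text):
    """Split the CSV into p-rules (sub, obj, act) and g-links (user -> roles)."""
    rules, links = [], {}
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if row and row[0] == "p":
            rules.append(tuple(row[1:4]))
        elif row and row[0] == "g":
            links.setdefault(row[1], set()).add(row[2])
    return rules, links

def has_role(sub, role, links, seen=frozenset()):
    """g(r.sub, p.sub): true if sub is role or inherits it through g links."""
    return sub == role or any(has_role(parent, role, links, seen | {sub})
                              for parent in links.get(sub, ()) if parent not in seen)

def key_match(key1, key2):
    """Casbin's keyMatch: a trailing '*' in the pattern matches the rest of the path."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    return key1[:i] == key2[:i] if len(key1) > i else key1 == key2[:i]

def enforce(rules, links, sub, obj, act, wildcard=False):
    """e = some(where (p.eft == allow)): allow when any p-rule satisfies the matcher.
    wildcard=False is the matcher exactly as printed above: '==' is a literal compare,
    so '/dataset1/*' matches only that string; wildcard=True uses keyMatch + act '*'."""
    for p_sub, p_obj, p_act in rules:
        obj_ok = key_match(obj, p_obj) if wildcard else obj == p_obj
        act_ok = act == p_act or (wildcard and p_act == "*")
        if has_role(sub, p_sub, links) and obj_ok and act_ok:
            return True
    return False

RULES, LINKS = load_policy(POLICY_CSV)
```

Note that `p, *, /login, *` is matched through g() on the subject, so under either mode it only applies to a subject literally named `*`; a matcher that treats `*` subjects as "anyone" would need an explicit `p.sub == "*"` clause.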

For how to write an authorization policy and other details, please refer to the Casbin documentation.

Getting Help


This project is under Apache 2.0 License. See the LICENSE file for the full license text.