I've managed to make a Flask-Login app that will log people in using LDAP. That is, I can use the login process and @login_required decorators to distinguish between two types of users:
- Unauthenticated (username/password not recognized as a valid combo in LDAP)
- Authenticated (user can log in to LDAP using the given username/password)
What I want now is:
- Unauthenticated (username/password not recognized as a valid combo in LDAP)
- Unauthorized (username/password is a valid LDAP combo, but user is not a member of the right LDAP groups)
- Authorized (user's credentials are in LDAP and user is a member of the appropriate LDAP groups)
In pseudocode, I'd like this:
```python
from flask import Flask, render_template
from flask_login import login_required

app = Flask(__name__)


@app.route("/")
def index():
    return render_template("index.html")


# This is for any authenticated user
@app.route("/allmembers")
@login_required
def allmembers():
    return render_template("allmembers.html")


# This is for only certain LDAP group members
@app.route("/secret")
@authorization_required(allowed_groups=["secret", "top-secret"])  # does this exist?
@login_required
def secret():
    return render_template("secret.html")
```
I've looked at the "is_authenticated" method that goes with the Flask-Login "User" class, but that really seems to only get me to #1. Is there a Flask-type method to proceed from the authenticated status to authorized status?
Or does Flask-Login's usefulness end after the authentication, and I need to figure out how to roll my own @authorization_required decorator?
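One way to build the `authorization_required` decorator the question asks about, as an added example that is not from the question or from Flask-Login itself. It assumes the LDAP group names were looked up once at login time and stored on the Flask-Login user object as `groups`; the `get_current_user()` and `abort()` helpers here are constructed stand-ins so the example runs offline, and in a real app they would be `flask_login.current_user` and `flask.abort`. The decorator does its own authentication check, so it works whether it is stacked above or below `@login_required` (in the pseudocode above, `@authorization_required` is outermost and therefore runs first), and it normalizes group names to lowercase because LDAP group CNs are matched case-insensitively.

```python
from functools import wraps


class User:
    """Stand-in for a Flask-Login user (constructed for this example).

    In the real app, load the user's LDAP groups (e.g. from the memberOf
    attribute) during the login callback and store them here, so the
    decorator never has to talk to LDAP on every request.
    """

    def __init__(self, username, groups, authenticated=True):
        self.username = username
        self.groups = _normalize(groups)
        self.is_authenticated = authenticated


class AnonymousUser:
    """Stand-in for Flask-Login's AnonymousUserMixin: no identity, no groups."""

    is_authenticated = False
    groups = frozenset()


class HTTPError(Exception):
    """Stand-in for the exception flask.abort() raises."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


# Module-level slot standing in for Flask-Login's request-local current_user proxy.
_current_user = AnonymousUser()


def set_current_user(user):
    global _current_user
    _current_user = user


def get_current_user():
    # Real app: `from flask_login import current_user`
    return _current_user


def abort(status):
    # Real app: `from flask import abort`
    raise HTTPError(status)


def _normalize(names):
    # LDAP group names are compared case-insensitively, so compare lowercase forms.
    return frozenset(n.lower() for n in names)


def authorization_required(allowed_groups):
    """Allow the view only for authenticated users in at least one allowed group.

    401 = not authenticated, 403 = authenticated but not authorized.
    """
    allowed = _normalize(allowed_groups)

    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            user = get_current_user()
            if not user.is_authenticated:
                abort(401)  # same outcome @login_required would give
            if allowed.isdisjoint(user.groups):
                abort(403)  # valid LDAP credentials, wrong groups
            return view(*args, **kwargs)

        return wrapper

    return decorator


@authorization_required(allowed_groups=["secret", "top-secret"])
def secret():
    return "secret page"


def status_for(user):
    """Run the protected view as `user` and report (status, body)."""
    set_current_user(user)
    try:
        return 200, secret()
    except HTTPError as e:
        return e.status, None


if __name__ == "__main__":
    print(status_for(AnonymousUser()))                         # (401, None)
    print(status_for(User("alice", ["staff"])))                # (403, None)
    print(status_for(User("bob", ["Top-Secret", "staff"])))    # (200, 'secret page')
```

Returning 403 rather than 401 for the unauthorized-but-authenticated case matters operationally: a 401 tells Flask-Login to send the user back to the login page, which is exactly wrong for someone whose password is correct, and keeping the two status codes distinct also makes failed authorization attempts easy to pick out in access logs.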