Hide Flask-Admin behind simple HTTP auth

This example is about Flask-Admin, which is a library that adds a smart automatic CRUD panel according to your data models (typically SQLAlchemy models).

If you have a simple website or want to separate your normal user authentication system from the admin login, or just want a quick temporary solution for securing your admin panel, here is how you can do it using simple HTTP authentication:

from flask import request, Response
from werkzeug.exceptions import HTTPException
import flask_admin.contrib.sqla

class ModelView(flask_admin.contrib.sqla.ModelView):
    def is_accessible(self):
        auth = request.authorization or request.environ.get('REMOTE_USER')  # workaround for Apache
        if not auth or (auth.username, auth.password) != app.config['ADMIN_CREDENTIALS']:
            raise HTTPException('', Response(
                "Please log in.", 401,
                {'WWW-Authenticate': 'Basic realm="Login Required"'}
            ))
        return True

Then just use this class or subclass it as normal.

This code, of course, refers to the app configuration. You need something like:

app.config['ADMIN_CREDENTIALS'] = ('admin', 'pa$$word')

Created 24 Jul 2015 (last updated 29 Jul 2015)

Hide Flask-Admin behind simple HTTP auth

Comments powered by Disqus