Access control


  • principal: a user or role

  • membership: parent resource type for privacy sharing

  • model: database model name (e.g. Person)

  • resource: resource type (e.g. person)

  • rbac: role-based access control (defined in rbac.yaml)

  • role: a group name (e.g. admin or list-<id>-<level>)

  • privacy: sharing options as defined in rbac.yaml (e.g. secret [default], public, invitee, member, manager)

  • actions: crudlghij (create, read, update, del, list, guest/member, host/manager, invitee, join)

In rbac.yaml, define the RBAC policies for each principal/resource combination. That file will be parsed into a singleton variable upon initial startup. This implementation implements RBAC similar to that of kubernetes or AWS IAM, with the added capability of a simple privacy permission within each object (database record) which creates an implied ACL for read-only access by members of the object’s group.

Group names currently used are:

  • admin

  • user

  • pending

  • person

  • <resource>-<id>-<privacy>

These are defined in session_auth.py’s account_login() method.

created 20-may-2019 by richb@instantlinux.net refactored 6-mar-2020


AccessControl([policy_file, model])

Role-based access control

class apicrud.access.AccessControl(policy_file=None, model=None)

Role-based access control

  • policy_file (str) – name of the yaml definitions file

  • model (obj) – a model to be validated for permissions


Read RBAC default policies from rbac.yaml, process any string substitutions, and convert * for re.match()


filename (str) – filename containing RBAC definitions

rbac_permissions(query=None, owner_uid=None, membership=None, id=None, privacy=None)

Evaluate an access request for self.auth roles of self.uid in self.resource against defined policies

  • query (obj) – an existing record (takes precedence over owner_uid)

  • owner_uid (str) – owner-uid of a record

  • membership (str) – resource type which defines membership privacy

  • id (str) – the resource ID if membership is set


actions available to principal

Return type


with_filter(query, access='r')

Apply RBAC and privacy to a query

  • query (obj) – a resource query in SQLalchemy

  • access (str) – one of lrwcd (list, read, write, create, delete)


updated SQLalchemy query with filter applied

Return type


TODO restrictions on contact-read by list-id

with_permission(access, query=None, new_uid=None, membership=None, id=None)

Evaluate permission to access an object identified by an open query or new uid. Pass in at least one of the query/uid/eid params

  • access (str) – one of lrwcd (list, read, write, create, delete)

  • query (obj) – a resource query by id in SQLalchemy

  • new_uid (str) – user id of a new record

  • membership (str) – resource type which defines membership privacy

  • id (str) – resource ID


True if access allowed

Return type