Simple Permissions Solution

owen.campbell · May 15, 2019, 9:58am

There are lots of ways to handle permissions (This example being one), so I thought I’d share a very simple solution I’ve used in a couple of places:

Create a permissions table with a user column linked to the Users table and a True/False column for each permission you want:

Create auth_required and permission_required decorators. I tend to do that in a separate decorators server module:

    import functools
    import anvil.users
    from anvil.tables import app_tables

    def auth_required(func):

        @functools.wraps(func)
        def wrapped(*args, **kwargs):
            if not anvil.users.get_user():
                raise ValueError("Authentication required")
            else:
                return func(*args, **kwargs)

        return wrapped

    def permission_required(permissions):
        def permission_required_decorator(func):

            @functools.wraps(func)
            def wrapped(*args, **kwargs):
                user = anvil.users.get_user()
                
                #  Handle the fact that permissions might be a string or a list
                if isinstance(permissions, str):
                    all_permissions = [permissions]
                else:
                    all_permissions = permissions
                
                #  Get the relevant data table record or create one if it doesn't exist
                permissions_row = (app_tables.permissions.get(user=user)) or (
                    app_tables.permissions.add_row(user=user)
                )
                
                #  Raise an error if any of the required permissions is missing
                has_permission = all(
                    [permissions_row[permission] for permission in all_permissions]
                )
                if not has_permission:
                    raise ValueError("Permission required")
                else:
                    return func(*args, **kwargs)

            return wrapped
        return permission_required_decorator

Finally, use the decorators on any server function where permission is required. You can pass it a single permission or a list if more than one is necessary (using the same names as the True/False columns in your permissions table):

    import anvil.server
    from decorators import permission_required

    @anvil.server.callable
    @permission_required("access_ui")
    @auth_required
    def some_function:
        do_something()

    @anvil.server.callable
    @permission_required(["access_ui", "edit_redacted_things"])
    @auth_required
    def some_other_function:
        do_something_else()

The order of the decorators mattters here - first check that the user exists and is authorised, then check that it has the necessary permissions and only then make the function callable.

david.wylie · May 15, 2019, 10:59am

Note there used to be an issue whereby you needed to put the name of the function as a parameter to the first decorator when stacking decorators like this, eg :

@anvil.server.callable("funcname")
...other decorators ..
def funcname():
  etc.

Not sure if that still needs to be done?

owen.campbell · May 15, 2019, 11:00am

I don’t think so, but I’d forgotten about that one, so I’ll bear it in mind. Ta!

(I have this working in several apps without any problem - possibly the issue has been fixed?)

david.wylie · May 15, 2019, 11:03am

Here’s the link to the topic where @daviesian discusses it -

meredydd · May 15, 2019, 12:13pm

I have this working in several apps without any problem

[Nerd hat: ON] Your code works because you use the @functools.wraps() decorator, which returns a wrapper function with the correct __name__. This causes @anvil.server.callable's default behaviour to work, so you don’t have to specify the name manually.

(Anvil’s autocompleter is not [yet?] clever enough to work out whether a decorator preserves __name__ or not. So it happily assumes all decorators preserve __name__, whether or not they actually do!)

owen.campbell · May 15, 2019, 12:24pm

There was a point in time when I knew that and used the functools library for precisely that reason, but I have lost many grey cells since then.

jshaffstall · August 14, 2020, 6:48pm

Thanks so much for posting this! I needed to do some fairly app specific permissions checking, and was getting errors because I wasn’t using functools.wraps. Everything works nicely after adding that.

support1 · January 27, 2022, 12:05am

I am so lost on this.
Trying - Authorisation — Anvil Extras documentation

owen.campbell · January 27, 2022, 8:57am

What’s your question? That error is exactly what the decorator raises if the server function is called without there being a logged in user.

How was the function called? Was a user logged in at the time?

support1 · January 29, 2022, 8:36pm

Thank you Owen for responding,
I placed sensitive_server_function() under the →

class StoringDisplayingData(StoringDisplayingDataTemplate):
  def __init__(self, **properties):

while not being logged in so this True the error is appropriate, I’m just confused on how to allow certain pages to be access by users with the role of admin.

right now I’m using this -

def require_account():
  user = anvil.users.get_user()
  if user:
    return user
  user = anvil.users.login_with_form(allow_cancel=True)
  form = get_form()
  form.set_account_state(user)
  return user

to make sure a user is present to access the pages - but I’m stuck on how to only permit admins to certain pages

support1 · January 30, 2022, 12:39am

Well, I’m going this route, I hope it’s the correct way of doing thing