flask-admin: how to allow only super users can view the specified table column?

Question

I\'ve built an app with a table called Project which is stored in sqlite, I want allow only super users can view the approve colum

Answer 1

You can use BaseModelView.column_list attribute to specify dynamically calculated list of accessible columns, just make it a property. However different "field" attributes of ModelView are cached on application launch so you need to override their caches:

from flask import has_app_context

class ProjectView(sqla.ModelView):
    @property
    def _list_columns(self):
        return self.get_list_columns()

    @_list_columns.setter
    def _list_columns(self, value):
        pass

    @property
    def column_list(self):
        if not has_app_context() or current_user.has_role('superuser'):
            return ['team', 'project_name', 'approve']
        else:
            return ['team', 'project_name']

column_list attribute is used during application initialisation when current_user is not available. Use flask.has_app_context() method to check this state and pass application a full list of columns on launch.

If you need to specify different set of columns for editing you need form_rules attributes (you already used them in your question):

from flask_admin.form import rules

class ProjectView(sqla.ModelView):
    @property
    def _form_edit_rules(self):
        return rules.RuleSet(self, self.form_rules)

    @_form_edit_rules.setter
    def _form_edit_rules(self, value):
        pass

    @property
    def _form_create_rules(self):
        return rules.RuleSet(self, self.form_rules)

    @_form_create_rules.setter
    def _form_create_rules(self, value):
        pass

    @property
    def form_rules(self):
        form_rules = [
            rules.FieldSet(('team',), 'Personal Info'),
            rules.Header('Project Info'),
            rules.Field('project_name')
        ]
        if not has_app_context() or current_user.has_role('superuser'):
            form_rules.append('approve')
        form_rules.append(rules.Container('rule_demo.wrap', rules.Field('notes')))
        return form_rules

Also you do not need to use _handle_view to redirect user to login page. For this purpose BaseView.inaccessible_callback method is used:

def inaccessible_callback(self, name, **kwargs):
    if current_user.is_authenticated:
        abort(403)
    else:
        return redirect(url_for('security.login', next=request.url))