Sunday, 18 August 2013

flask - document level user access/authorization/security

I am wondering how to authorize access at the document level in a flask
app. For example, imagine a system that stores customer emails. How can I
ensure that User A is only able to search and retrieve User A's emails?
I am using flask-principal and I suspect that this can be done with a Need
but I would like to follow a common pattern to ensure it is secure.
Here are some details to motivate my situation. I have multiple
datastores, one of which is elasticsearch. One solution could be to store
a user-specific token in each document, and then specify that token as a
group filter at query time. However, I'm not sure what the best way would
be to create, store, or protect this token. I could also be totally off
track with this solution.
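The pattern sketched above (an owner id stored in each document, and a server-added filter on it at query time) as an added example that is not part of the original post: a single-document fetch is checked against the current principal, and a search request is wrapped in an Elasticsearch `bool` query whose `filter` clause pins `owner_id` to the authenticated user. The field name `owner_id`, the sample documents and the in-memory stand-in for the search backend are constructed for illustration, and no Flask or flask-principal code is used.

```python
"""Document-level authorization: every document carries an owner_id, and every
read path (single-document fetch and search) enforces it on the server side."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the current principal does not own the requested document."""


@dataclass(frozen=True)
class Principal:
    user_id: str  # taken from the authenticated session, never from request input


# Constructed sample documents in the shape the question describes:
# each stored email carries the id of the user who owns it.
DOCS = {
    "m1": {"owner_id": "userA", "subject": "invoice"},
    "m2": {"owner_id": "userB", "subject": "invoice"},
    "m3": {"owner_id": "userA", "subject": "hello"},
}


def get_document(principal, doc_id):
    """Fetch one document and check ownership before returning it."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner_id"] != principal.user_id:
        # Same error for 'missing' and 'not yours', so ids cannot be probed.
        raise Forbidden(doc_id)
    return doc


def build_search(principal, user_query):
    """Wrap the caller's free-form query in a bool query whose filter clause is
    set by the server from the session; the client cannot omit or override it."""
    return {
        "query": {
            "bool": {
                "must": [{"match": {"subject": user_query}}],
                "filter": [{"term": {"owner_id": principal.user_id}}],
            }
        }
    }


def run_search(body):
    """Tiny in-memory stand-in for the search backend (constructed), enough to
    show the effect of the owner filter; 'match' is treated as equality here."""
    wanted = body["query"]["bool"]["must"][0]["match"]["subject"]
    owner = body["query"]["bool"]["filter"][0]["term"]["owner_id"]
    return sorted(doc_id for doc_id, d in DOCS.items()
                  if d["subject"] == wanted and d["owner_id"] == owner)
```

Because the filter value comes from the server-side session rather than from the client, the stored owner id acts as an index key, not a secret credential, so it does not need special protection beyond the integrity of the session.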
