vortico / flama

Fire up your models with the flame 🔥

Home Page: https://flama.dev

Tagging routes with IAM permissions

migduroli opened this issue · comments

Context

Currently, any route mounted within a Flama app is visible to the outside world without any restriction. However, it could be that users of the library want to expose certain routes only for authenticated users of theirs, with certain permissions. For this to happen, one of the requirements will be that the routes "know" which permissions are needed for them to be accessible.

Proposed solution

The interface of the solution could look something like:

```python
from flama import Flama

class FooResource(RESTResource, metaclass=CRUDListResourceType):
    name = "foo"
    verbose_name = "Foo"

    model = models.foo
    schema = schemas.Foo

app = Flama()

app.resources.add_resource("/foo/", resource=FooResource, permissions=["iam.user.authenticated"])

@app.route("/", permission="iam.user.authenticated")
def home():
    return {"message": "Hello 🔥"}
```

which, at some point, will involve adding the permissions passed as arguments to the tags of the resource, i.e.:

```python
route.tags["permissions"] = ["iam.user.authenticated"]
```

Indeed, a monkey-patching strategy would consist of doing the following:

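```python
# WHITELISTED_ROUTES is a collection of route names defined elsewhere by the application.
def tag_route(route):
    try:
        # Mounts and routers expose nested routes: recurse into them.
        for r in route.routes:
            tag_route(r)
    except AttributeError:
        # Leaf route (no .routes attribute): attach the permission tag.
        route.tags = {"permissions": ["iam.user.authenticated"] if route.name in WHITELISTED_ROUTES else []}

# Walk every top-level route of the app.
for route in app.routes:
    tag_route(route)
```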

However, this hack does not give the granularity of having different permissions, etc., which is why we think implementing this as a fundamental feature of Flama is needed.
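The per-route granularity requested above, as an added example that is not part of the issue or of Flama's code: each leaf route in a nested route tree gets its own permission list from a policy mapping, and an access check compares that list with the caller's grants. `Route`, `Mount`, `POLICY`, the route names and `iam.foo.delete` are constructed for illustration. Denying routes the policy does not cover is an assumption of this sketch; the monkey-patch above gives them an empty list instead.

```python
from dataclasses import dataclass, field

# Hypothetical stand-ins, not Flama classes: a leaf route carries tags and a
# mount exposes nested .routes, the two shapes tag_route() above relies on.
@dataclass
class Route:
    name: str
    tags: dict = field(default_factory=dict)

@dataclass
class Mount:
    name: str
    routes: list = field(default_factory=list)

# Constructed policy: route name -> permissions the caller must hold.
POLICY = {
    "home": [],  # explicitly public
    "foo-list": ["iam.user.authenticated"],
    "foo-delete": ["iam.user.authenticated", "iam.foo.delete"],
}

def tag_routes(routes, policy):
    """Tag each leaf from the policy; return names the policy does not cover."""
    uncovered = []
    for route in routes:
        nested = getattr(route, "routes", None)
        if nested is not None:
            uncovered += tag_routes(nested, policy)
        elif route.name in policy:
            route.tags["permissions"] = list(policy[route.name])
        else:
            route.tags["permissions"] = None  # unknown route: deny
            uncovered.append(route.name)
    return uncovered

def is_allowed(route, granted):
    """Allow only when every required permission is in the caller's grants."""
    required = route.tags.get("permissions")
    if required is None:  # untagged or uncovered routes fail closed
        return False
    return set(required) <= set(granted)

def build_routes():
    """Constructed route tree: one top-level route and one mounted resource."""
    foo = Mount("foo", [Route("foo-list"), Route("foo-delete"), Route("foo-export")])
    return [Route("home"), foo]

if __name__ == "__main__":
    print("not covered by policy:", tag_routes(build_routes(), POLICY))
```

The list returned by `tag_routes` can be checked at startup so that a newly mounted route without a policy entry is noticed before it is served.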