I'm using flask, flask-jwt and flask-restful. I can get the access_token , but once any user gets authenticated he can do everything to all database tables using the REST-API endpoint , how can I implement authorization where certain user can do specific action to certain row/field in database "one belongs to him for example".
All articles I've read talks about getting authenticated only, but do not go beyond.
I found a solution, actually jwt just returns a signed token which contains the user identity and other information, to see details included in the token one can use the following website: https://jwt.io/
Using flask-jwt , there is an object called current_identity which can be obtained under any function decorated by @jwt_required, it has to be imported first:
from flask_jwt import jwt_required , current_identity
current_identity in my case returned id and name of the user whose trying to insert/update data through the API endpoint.
using some logic to compare the user related data from the database and his id can be used to authorize or prohibit the user from manipulating/reading data.