API Authorization

Jakub Neruda edited this page Sep 26, 2017 · 2 revisions

Introduction

It is certainly not wise to let anybody request data from the server. Fortunately, you can take advantage of lgui's embedded login system and Auth decorators. But before we get to that, a few words about roles.

Roles

Lgui recognizes four levels of access:

  • Not logged in - In the frontend you can only get to the login screen. If you manage to request a valid route on the backend, that route will respond with success only if it does not use the Auth decorator.
  • Guest - You will get to the lgui home screen and have access to all data with a generally unspecified access level (the route uses the decorator, but either without any argument or with the Guest role).
  • User - A User should see 100% of the data provided by lgui modules, but probably will not have access to actions that can affect the state of the modules.
  • Admin - Speaks for itself; an Admin has full access to everything.

API Support

You might have noticed a word or two about the Auth decorator. Simply put, once you import it with from liberouterapi import auth, you can decorate your view functions for Flask routes with the following:

from liberouterapi import auth

# Any logged-in account (Guest, User or Admin) may call this view.
@auth.required()
def myFoo():
    pass

This tells Flask to accept only requests with valid user credentials, but does not specify the level of access. In other words, it allows Guests, Users and Admins to access your route.

You can also import Role (from liberouterapi.role import Role) and pass it as an argument to @auth.required(). Valid arguments are:

  • Role.guest
  • Role.user
  • Role.admin

Example:

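from liberouterapi import auth
from liberouterapi.role import Role
# Only User and Admin accounts may call this view.
@auth.required(Role.user)
def myUserRequiredFoo():
    pass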

NOTE: Higher levels of access also have all the capabilities of lower levels. A User can access the routes a Guest can. An Admin can access the routes of both User and Guest.
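
The access rules described on this page, as a standard-library sketch added here; it is not liberouterapi's code. The SESSIONS table, the token strings, AuthError, the 401/403 status codes and the numeric ordering of the roles are assumptions made for the illustration.

```python
import functools
from enum import IntEnum

class Role(IntEnum):
    # Constructed ordering for this sketch: a larger value means more privilege.
    guest = 1
    user = 2
    admin = 3

class AuthError(Exception):
    """Stands in for an HTTP error response in this sketch."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

# Constructed session store: token -> role of the logged-in account.
SESSIONS = {"tok-guest": Role.guest, "tok-user": Role.user, "tok-admin": Role.admin}

def required(min_role=Role.guest):
    """Allow the call only for a valid session whose role is at least min_role."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(token, *args, **kwargs):
            role = SESSIONS.get(token)
            if role is None:
                raise AuthError(401, "no valid session")   # not logged in
            if role < min_role:
                raise AuthError(403, "insufficient role")  # logged in, role too low
            return view(*args, **kwargs)
        return wrapper
    return decorator

@required()              # no argument: any logged-in account
def list_data():
    return "data"

@required(Role.user)     # User and Admin only
def user_data():
    return "user data"

@required(Role.admin)    # actions that change module state
def change_state():
    return "changed"

def status_of(view, token):
    """Return 200 on success, otherwise the status carried by AuthError."""
    try:
        view(token)
        return 200
    except AuthError as err:
        return err.status
```

The point to check in any route you write is the default: a view left undecorated is reachable without logging in, and a view decorated without an argument is open to Guests.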