Home Articles Categories Series
Pythonise Just now

MBAC - Method based access control

Using HTTP request methods as the primary means of access control

Article Posted on by in Python
Julian Nash · 2 years ago in Python

MBAC - Method based access control

MBAC is a design pattern that I've been experimenting with, following the HTTP request method verbs as a means of access control.

The 3 key components of MBAC:

  • subject - The subject wanting to act on a resource
  • method - The access method
  • resource - The resource the subject wants to act the method upon

The HTTP methods used in MBAC can be mapped to the following actions:

HTTP Method Act
GET Read
POST Create
PUT Update
PATCH Update

TODO: Make a distinction between PUT and PATCH or remove PUT as an access method

The MBAC model:

class MBAC(Document):

    meta = {
        "indexes": ["subject", "resource"]

    subject = DynamicField(required=True)
    methods = List(required=True, choices=["GET", "POST", "PUT", "PATCH", "DELETE"])
    resource = DynamicField(required=True, unique_with="subject")

Checking access:

def check_access(subject, methods, resource):
    """ Check if a subject can perform specific methods against a resource

        subject: The subject
        methods (list): Methods to chack
        resource: The resource
        bool: True if the subject has access, else False
    if MBAC.objects(subject=subject, methods=methods, resource=resource):
        return True
    return False
  • The subject can be anything, a string, a database reference, a user id
  • The resource can also be anything - A database reference, a string, an ID, an endpoint

The MBAc model can be used to control access to endpoints, as well as database objects:

subject = get_user(id="12345")
methods = ["GET", "PATCH", "DELETE"]
resource = f"/api/users/{subject.id}"  # /api/users/12345

TODO: Update this article after more experimentation

Did you find this article useful?
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License