Securing the admin website

As you may have noticed while testing the new admin website, it does not do any sort of authentication. In order to protect our admin site from anonymous users (or even certain logged-in users), we will add a new column to the User model to indicate that a user can access the admin website. Then we will use a hook provided by Flask-Admin to ensure that the requesting user has permissions.

The first step is to add a new column to our User model. Add the admin column to the User model as follows:

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(64), unique=True)
    password_hash = db.Column(db.String(255))
    name = db.Column(db.String(64))
    slug = db.Column(db.String(64), unique=True)
    ...
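
The permission check such a hook performs, as an added example that is not the book's code: Flask-Admin calls a view's is_accessible() method before serving it, and this mixin answers False unless the user is authenticated and the new column is exactly True. The column name admin follows the text; get_current_user() and DemoView are hypothetical stand-ins so the logic runs without Flask installed.

```python
from types import SimpleNamespace


class AdminOnlyMixin:
    """List before ModelView or AdminIndexView so this check wins in the MRO."""

    def get_current_user(self):
        # Hypothetical hook: a real app returns the logged-in user here.
        raise NotImplementedError

    def is_accessible(self):
        # Flask-Admin calls this per request; False blocks the view.
        try:
            user = self.get_current_user()
        except Exception:
            return False  # fail closed if the lookup itself breaks
        authed = getattr(user, "is_authenticated", False)
        if callable(authed):  # property or method, depending on the login layer
            authed = authed()
        # "is True" rejects None (NULL in rows that predate the column)
        # and truthy junk such as the string "0".
        return authed is True and getattr(user, "admin", None) is True


class DemoView(AdminOnlyMixin):
    """Stand-in for a Flask-Admin view so the check runs without Flask."""

    def __init__(self, user):
        self._user = user

    def get_current_user(self):
        return self._user


def demo():
    # Constructed sample users, not data from the book.
    users = {
        "anonymous": None,
        "member": SimpleNamespace(is_authenticated=True, admin=False),
        "legacy_row": SimpleNamespace(is_authenticated=True, admin=None),
        "string_flag": SimpleNamespace(is_authenticated=True, admin="0"),
        "admin": SimpleNamespace(is_authenticated=True, admin=True),
    }
    return {name: DemoView(u).is_accessible() for name, u in users.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12} {'allow' if allowed else 'deny'}")
```

In a real application the mixin would be combined with Flask-Admin's ModelView and with AdminIndexView, since the index page is a view of its own and stays open if only the model views are gated.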
