A quick and dirty solution to my problem:
1. Create a generic function to verify ownership in the ModelView class
def is_owned(self, id):
model = db.session.query(self.model).filter(self.model.id == id).all()
if len(model) == 0:
return False
else:
model = model[0]
if model.user_id == current_user.id:
return True
return False
2. Override the ModelView methods on_model_change, on_form_prefill, on_model_delete, get_query and get_count_query to verify ownership (user_id = current_user.id):
def on_model_change(self, form, model, is_created):
if not self.is_owned(model.id):
abort(403)
def on_form_prefill(self, form, id):
if not self.is_owned(id):
abort(403)
def on_model_delete(self, model):
if not self.is_owned(model.id):
abort(403)
def get_query(self):
return super(Tables, self).get_query().filter(self.model.user_id == current_user.id)
def get_count_query(self):
return super(Tables,self).get_count_query().filter(self.model.user_id == current_user.id)