[Flask Security] Customizing the redirect when authorization fails
Flask-Security is a plugin that gives you good control over user permissions.
It does this with three models:
User, which stores user data
Role, which stores role data
User_Role, which stores the roles assigned to each user.
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
Through user_datastore you can look up users and roles, grant or remove a user's roles, and so on. For details, see: http://pythonhosted.org/Flask-Security/api.html
For example, we create a new view:
@app.route('/')
@login_required
def home():
    return render_template('index.html')
This view requires login. Flask-Security automatically generates a login page; you can of course override the built-in template.
Once the login form is filled out correctly, you can see the content.
So how do we control access by role?
@app.route('/dashboard')
@roles_required('admin', 'editor')
def dashboard():
    return "dashboard"
This uses the @roles_required() decorator: the logged-in user must have both the admin and editor roles. The companion decorator is @roles_accepted(), which passes as long as the user has any one of the listed roles.
If the condition is not satisfied, the user is redirected somewhere else.
Let's take a look at its source code:
def roles_required(*roles):
    def wrapper(fn):
        @wraps(fn)
        def decorated_view(*args, **kwargs):
            # One Permission per role: every role must be satisfied.
            perms = [Permission(RoleNeed(role)) for role in roles]
            for perm in perms:
                if not perm.can():
                    if _security._unauthorized_callback:
                        return _security._unauthorized_callback()
                    else:
                        return _get_unauthorized_view()
            return fn(*args, **kwargs)
        return decorated_view
    return wrapper
As you can see, when the permission check fails it looks for an _unauthorized_callback. If one is set, it is called;
if not, the _get_unauthorized_view() method is called.
Let's continue with that function's code:
def _get_unauthorized_view():
    cv = utils.get_url(utils.config_value('UNAUTHORIZED_VIEW'))
    utils.do_flash(*utils.get_message('UNAUTHORIZED'))
    return redirect(cv or request.referrer or '/')
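We can see that it looks up the 'UNAUTHORIZED_VIEW' configuration value. If that value is not set, the redirect falls back to request.referrer and then to '/'.
Stepping into config_value, we find that it calls the following function to read the configuration: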
def get_config(app):
    """Conveniently get the security configuration for the specified
    application without the annoying 'SECURITY_' prefix.

    :param app: The application to inspect
    """
    items = app.config.items()
    prefix = 'SECURITY_'

    def strip_prefix(tup):
        return (tup[0].replace('SECURITY_', ''), tup[1])

    return dict([strip_prefix(i) for i in items if i[0].startswith(prefix)])
Note that when configuring the app, the key must carry the 'SECURITY_' prefix for this to work!
So we only need to configure the app:
app.config['SECURITY_UNAUTHORIZED_VIEW'] = '/unauth'
and add a view:
@app.route('/unauth')
def unauth():
    return "unauth"
When authorization fails, the user is redirected to this page.
Of course, a more flexible approach is to write a decorator that accepts a URL:
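def set_unauth_view(url):
    def wrapper(fn):
        @wraps(fn)  # keep the view's own name so Flask endpoint names stay unique
        def decorator(*args, **kwargs):
            # Set the redirect target just before the role check runs.
            current_app.config['SECURITY_UNAUTHORIZED_VIEW'] = url
            return fn(*args, **kwargs)
        return decorator
    return wrapper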
then:
@app.route('/dashboard')
@set_unauth_view('/unauth')
@roles_required('admin', 'editor')
def dashboard():
    return "dashboard"
This lets you specify the redirect page for a particular view.
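Because set_unauth_view stores the URL in the application-wide config, the value stays in effect for views that run afterwards without setting their own. The sketch below is an added example, not Flask-Security code: it models this with a plain dict in place of app.config, and roles_required_model, its unauthorized_view parameter, and the reports and settings views are hypothetical names used only for illustration.

```python
from functools import wraps

# Stand-in for app.config: one dict shared by every view and request.
config = {"SECURITY_UNAUTHORIZED_VIEW": None}

def unauthorized_target(referrer=None):
    # Same fallback order as _get_unauthorized_view(): config, Referer, "/".
    return config["SECURITY_UNAUTHORIZED_VIEW"] or referrer or "/"

def roles_required_model(*roles, unauthorized_view=None):
    # Simplified model; unauthorized_view is a hypothetical per-view override.
    def wrapper(fn):
        @wraps(fn)
        def decorated_view(user_roles, referrer=None):
            if not all(role in user_roles for role in roles):
                return "redirect", unauthorized_view or unauthorized_target(referrer)
            return "ok", fn()
        return decorated_view
    return wrapper

def set_unauth_view(url):
    # The decorator from the page: writes the URL into the shared config.
    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            config["SECURITY_UNAUTHORIZED_VIEW"] = url
            return fn(*args, **kwargs)
        return decorator
    return wrapper

@set_unauth_view("/unauth")
@roles_required_model("admin", "editor")
def dashboard():
    return "dashboard"

@roles_required_model("admin")
def reports():
    return "reports"

@roles_required_model("admin", unauthorized_view="/no-settings")
def settings():
    return "settings"

def demo():
    config["SECURITY_UNAUTHORIZED_VIEW"] = None
    before = reports({"editor"}, referrer="/previous")  # constructed user and referrer
    dashboard({"editor"})  # writes "/unauth" into the shared config
    after = reports({"editor"}, referrer="/previous")
    return before, after
```

The reports view never asked for "/unauth", yet it redirects there once dashboard has run; the settings view keeps its target local to the check and leaves the shared config untouched.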