wassname/flask-security
1
0
Fork 0
mirror of https://github.com/wassname/flask-security.git synced 2026-06-27 16:10:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Do not expose user info in /reset responses. Fixes #249

Browse Source
This commit is contained in:
Matt Wright
2014-06-10 12:24:19 -04:00
parent a6b5d3053c
commit 76cf3eaf6a
2 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
flask_security/views.py
+7 -5
View File
@@ -34,7 +34,7 @@ _security = LocalProxy(lambda: current_app.extensions['security'])
_datastore = LocalProxy(lambda: _security.datastore)
def _render_json(form, include_auth_token=False):
def _render_json(form, include_user=True, include_auth_token=False):
has_errors = len(form.errors) > 0
if has_errors:
@@ -42,7 +42,9 @@ def _render_json(form, include_auth_token=False):
response = dict(errors=form.errors)
else:
code = 200
response = dict(user=dict(id=str(form.user.id)))
response = dict()
if include_user:
response['user'] = dict(id=str(form.user.id))
if include_auth_token:
token = form.user.get_auth_token()
response['user']['authentication_token'] = token
@@ -78,7 +80,7 @@ def login():
return redirect(get_post_login_redirect(form.next.data))
if request.json:
return _render_json(form, True)
return _render_json(form, include_auth_token=True)
return _security.render_template(config_value('LOGIN_USER_TEMPLATE'),
login_user_form=form,
@@ -121,7 +123,7 @@ def register():
if not request.json:
return redirect(get_post_register_redirect())
return _render_json(form, True)
return _render_json(form, include_auth_token=True)
if request.json:
return _render_json(form)
@@ -247,7 +249,7 @@ def forgot_password():
do_flash(*get_message('PASSWORD_RESET_REQUEST', email=form.user.email))
if request.json:
return _render_json(form)
return _render_json(form, include_user=False)
return _security.render_template(config_value('FORGOT_PASSWORD_TEMPLATE'),
forgot_password_form=form,
tests/test_recoverable.py
+1 -1
View File
@@ -71,7 +71,7 @@ def test_recoverable_flag(app, client, get_message):
'Content-Type': 'application/json'
})
assert response.headers['Content-Type'] == 'application/json'
assert 'user' in response.jdata['response']
assert 'user' not in response.jdata['response']
logout(client)