Commit Graph

257 Commits

Author SHA1 Message Date
Matt Wright bbe99b5436 Fixes #98 2013-03-07 15:38:34 -05:00
Luca Invernizzi 48dd3fa5bf NextFormMixin security bug fixed: open redirect
NextFormMixin was missing a validation check on redirection [1]. Only internal redirections
are now allowed.
Attack Example: http://127.0.0.1:5000/login?next=http://google.com (it should not redirect to google.com)
wq
[1] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
2013-03-05 21:20:45 +00:00
Matt Wright 38a1dfa336 Merge pull request #85 from chrishaines/template_list
Template paths can be specified in config
2013-03-03 18:38:35 -08:00
rumori ae64370478 added option to disable register email 2013-02-20 17:04:47 +01:00
Artem Andreev 8085e0031e Password should be encoded as 'utf-8' before creating hmac to support passwords with non-latin symbols 2013-02-03 22:14:32 +04:00
Chris Haines 4f414cf70f Merge branch 'develop' of git://github.com/mattupstate/flask-security into template_list
Conflicts:
	requirements.txt
2013-02-01 19:40:01 -05:00
Matt Wright adb2680289 Add change password endpoint 2013-02-01 18:21:43 -05:00
Matt Wright f1f621d178 Merge pull request #78 from eskil/change_password_form
Change password form
2013-02-01 15:16:45 -08:00
Matt Wright 840f72a589 Merge pull request #82 from maebert/flask-peewee
Flask-Peewee support
2013-02-01 14:44:52 -08:00
Matt Wright c49d9b57ed Make login form messages configurable 2013-02-01 17:32:54 -05:00
Matt Wright 34b3bf9e80 Fix CSRF functionality for LoginForm
The login form was not respecting csrf validation. I've adjusted the tests as well to always send a CSRF token along. This now requires all requests to pass a csrf token. If performing plain AJAX requests the token will have to be extracted from the form in some way. Fixes #86
2013-02-01 17:23:18 -05:00
Chris Haines 02c49ee423 Paths for templates are now configurable 2013-01-29 22:24:11 -05:00
Manuel Ebert 51e06bdbb0 Fixes typo in find_or_create_role 2013-01-29 15:46:59 -08:00
Manuel Ebert 462fb1ae7e Convenience method for finding or creating a role
`datastore.find_or_create_role("admin")` will now always return a role
with the name admin; useful for initialisation.
2013-01-28 18:58:11 -08:00
Manuel Ebert aea5b91649 Method stub parameters and docs for find_role didn't match implementations. 2013-01-28 18:57:19 -08:00
Manuel Ebert 5687f2f5a9 Adds support for flask-peewee 2013-01-25 16:52:50 -08:00
Matt Wright 84759b5dbd Merge pull request #73 from apahomov/multiple-auth-mechanisms
Multiple auth mechanisms
2013-01-16 19:37:55 -08:00
apahomov 3f9ca423bd Calling auth methods 2013-01-14 16:11:09 +04:00
apahomov bbed019ca5 Add auth_required decorator that allows multiple auth mechanisms 2013-01-14 15:45:18 +04:00
Eskil Heyn Olsen 3081d76787 Fix passing category to login required message 2013-01-13 23:25:16 -08:00
apahomov 1a0ddff82b Get auth token from JSON request. 2013-01-14 10:54:48 +04:00
Matt Wright e9b40a12c8 Fix for Python 2.6 2013-01-14 00:26:46 -05:00
Eskil Heyn Olsen 3adb4afd60 Minor wording fix 2013-01-12 23:58:47 -08:00
Eskil Heyn Olsen cca9298e74 Fix and test redir to configurable view post change 2013-01-12 19:56:50 -08:00
Eskil Heyn Olsen 4f9e23e0bc Fix email forms to have externally available links 2013-01-12 19:34:53 -08:00
Eskil Heyn Olsen ded62a556b Add a password-changed signal 2013-01-12 19:03:02 -08:00
Eskil Heyn Olsen 508f4d1b52 Fix change password form 2013-01-12 15:57:52 -08:00
Eskil Heyn Olsen 050ccb847a Forgot to add form 2013-01-12 14:55:30 -08:00
Eskil Heyn Olsen b67e61d625 Change password form 2013-01-12 14:40:42 -08:00
Eskil Heyn Olsen 9a47ec1ed9 Working on change password form 2013-01-11 22:35:54 -08:00
Eskil Heyn Olsen c5c27768f2 First pieces of change password form 2013-01-11 19:07:07 -08:00
Matt Wright 6adc26a897 Get rid of strftime in favor of total_seconds. Fixes #67 2013-01-09 14:02:42 -05:00
Matt Wright f566f41fb3 Merge pull request #58 from eskil/registerform
Configurable forms
2013-01-08 07:10:14 -08:00
Eskil Heyn Olsen e4190a0315 Add kwargs for configurable forms.
Specifically list out the kwargs so we'll get an interpreter error
on a bad name.
2013-01-07 21:43:33 -08:00
Christophe Simonis a89b76d648 do not break API. add a new function to verify and update password 2013-01-08 01:01:02 +01:00
Christophe Simonis d0497fc886 update password automatically 2013-01-08 00:49:20 +01:00
Christophe Simonis a1c007599f allow change of hash scheme 2013-01-08 00:15:21 +01:00
Eskil Heyn Olsen 81040a57a6 Views get forms from _security 2013-01-06 20:20:06 -08:00
Matt Wright d760aa41c5 Merge branch 'master' into develop 2013-01-06 21:01:53 -05:00
Matt Wright 53576c6013 Set Flask-Login messages 2013-01-06 21:01:35 -05:00
Matt Wright 029466830d Bump version number to 1.5.4 2013-01-06 20:43:02 -05:00
Matt Wright 2a0b582911 Change csrf_enabled parameter in forms to check for incoming JSON data. Fix #63 2013-01-06 20:41:01 -05:00
Eskil Heyn Olsen 675b29b4fe Minor style fixes 2013-01-06 14:40:09 -08:00
Eskil Heyn Olsen ae6f3b6753 Document and unit-test the signals.
Adds description of signals to documentation. Adds unit-tests of
signal behaviour and tests parameters.
2013-01-06 14:12:18 -08:00
Eskil Heyn Olsen 1a87a4cd0c Fix to RegisterForm.to_dict.
Only add fields that are also attributes on the
datastorage.user_model.
2013-01-03 23:29:50 -08:00
Eskil Heyn Olsen f83092865b Configurable forms, issue:49 2013-01-03 22:00:29 -08:00
Eskil Heyn Olsen b15736accd RegisterFormMixin can now to_dict all fields.
It adds a to_dict function that uses inspect to add all wtf Field
to the returned dict. This allows extensions to the register form
to easily add fields that will be passed to the datastore's
create_user function.
2013-01-03 19:07:00 -08:00
Eskil Heyn Olsen 7f43acc167 Fix query for find_user 2013-01-01 11:28:31 -08:00
Matt Wright f8fbd6cec8 Bump version number to 1.5.3 2012-12-23 16:47:20 -05:00
Matt Wright 3a5a1b4f52 Bump version number to 1.5.2 2012-12-11 15:15:01 -05:00