Matt Wright
bbe99b5436
Fixes #98
2013-03-07 15:38:34 -05:00
Luca Invernizzi
48dd3fa5bf
NextFormMixin security bug fixed: open redirect
...
NextFormMixin was missing a validation check on redirection [1]. Only internal redirections
are now allowed.
Attack Example: http://127.0.0.1:5000/login?next=http://google.com (it should not redirect to google.com)
[1] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
2013-03-05 21:20:45 +00:00
Matt Wright
38a1dfa336
Merge pull request #85 from chrishaines/template_list
...
Template paths can be specified in config
2013-03-03 18:38:35 -08:00
rumori
ae64370478
added option to disable register email
2013-02-20 17:04:47 +01:00
Artem Andreev
8085e0031e
Password should be encoded as 'utf-8' before creating hmac to support passwords with non-latin symbols
2013-02-03 22:14:32 +04:00
Chris Haines
4f414cf70f
Merge branch 'develop' of git://github.com/mattupstate/flask-security into template_list
...
Conflicts:
requirements.txt
2013-02-01 19:40:01 -05:00
Matt Wright
adb2680289
Add change password endpoint
2013-02-01 18:21:43 -05:00
Matt Wright
f1f621d178
Merge pull request #78 from eskil/change_password_form
...
Change password form
2013-02-01 15:16:45 -08:00
Matt Wright
840f72a589
Merge pull request #82 from maebert/flask-peewee
...
Flask-Peewee support
2013-02-01 14:44:52 -08:00
Matt Wright
c49d9b57ed
Make login form messages configurable
2013-02-01 17:32:54 -05:00
Matt Wright
34b3bf9e80
Fix CSRF functionality for LoginForm
...
The login form was not respecting csrf validation. I've adjusted the tests as well to always send a CSRF token along. This now requires all requests to pass a csrf token. If performing plain AJAX requests the token will have to be extracted from the form in some way. Fixes #86
2013-02-01 17:23:18 -05:00
Chris Haines
02c49ee423
Paths for templates are now configurable
2013-01-29 22:24:11 -05:00
Manuel Ebert
51e06bdbb0
Fixes typo in find_or_create_role
2013-01-29 15:46:59 -08:00
Manuel Ebert
462fb1ae7e
Convenience method for finding or creating a role
...
`datastore.find_or_create_role("admin")` will now always return a role
with the name admin; useful for initialisation.
2013-01-28 18:58:11 -08:00
Manuel Ebert
aea5b91649
Method stub parameters and docs for find_role didn't match implementations.
2013-01-28 18:57:19 -08:00
Manuel Ebert
5687f2f5a9
Adds support for flask-peewee
2013-01-25 16:52:50 -08:00
Matt Wright
84759b5dbd
Merge pull request #73 from apahomov/multiple-auth-mechanisms
...
Multiple auth mechanisms
2013-01-16 19:37:55 -08:00
apahomov
3f9ca423bd
Calling auth methods
2013-01-14 16:11:09 +04:00
apahomov
bbed019ca5
Add auth_required decorator that allows multiple auth mechanisms
2013-01-14 15:45:18 +04:00
Eskil Heyn Olsen
3081d76787
Fix passing category to login required message
2013-01-13 23:25:16 -08:00
apahomov
1a0ddff82b
Get auth token from JSON request.
2013-01-14 10:54:48 +04:00
Matt Wright
e9b40a12c8
Fix for Python 2.6
2013-01-14 00:26:46 -05:00
Eskil Heyn Olsen
3adb4afd60
Minor wording fix
2013-01-12 23:58:47 -08:00
Eskil Heyn Olsen
cca9298e74
Fix and test redir to configurable view post change
2013-01-12 19:56:50 -08:00
Eskil Heyn Olsen
4f9e23e0bc
Fix email forms to have externally available links
2013-01-12 19:34:53 -08:00
Eskil Heyn Olsen
ded62a556b
Add a password-changed signal
2013-01-12 19:03:02 -08:00
Eskil Heyn Olsen
508f4d1b52
Fix change password form
2013-01-12 15:57:52 -08:00
Eskil Heyn Olsen
050ccb847a
Forgot to add form
2013-01-12 14:55:30 -08:00
Eskil Heyn Olsen
b67e61d625
Change password form
2013-01-12 14:40:42 -08:00
Eskil Heyn Olsen
9a47ec1ed9
Working on change password form
2013-01-11 22:35:54 -08:00
Eskil Heyn Olsen
c5c27768f2
First pieces of change password form
2013-01-11 19:07:07 -08:00
Matt Wright
6adc26a897
Get rid of strftime in favor of total_seconds. Fixes #67
2013-01-09 14:02:42 -05:00
Matt Wright
f566f41fb3
Merge pull request #58 from eskil/registerform
...
Configurable forms
2013-01-08 07:10:14 -08:00
Eskil Heyn Olsen
e4190a0315
Add kwargs for configurable forms.
...
Specifically list out the kwargs so we'll get an interpreter error
on a bad name.
2013-01-07 21:43:33 -08:00
Christophe Simonis
a89b76d648
do not break API. add a new function to verify and update password
2013-01-08 01:01:02 +01:00
Christophe Simonis
d0497fc886
update password automatically
2013-01-08 00:49:20 +01:00
Christophe Simonis
a1c007599f
allow change of hash scheme
2013-01-08 00:15:21 +01:00
Eskil Heyn Olsen
81040a57a6
Views get forms from _security
2013-01-06 20:20:06 -08:00
Matt Wright
d760aa41c5
Merge branch 'master' into develop
2013-01-06 21:01:53 -05:00
Matt Wright
53576c6013
Set Flask-Login messages
2013-01-06 21:01:35 -05:00
Matt Wright
029466830d
Bump version number to 1.5.4
2013-01-06 20:43:02 -05:00
Matt Wright
2a0b582911
Change csrf_enabled parameter in forms to check for incoming JSON data. Fix #63
2013-01-06 20:41:01 -05:00
Eskil Heyn Olsen
675b29b4fe
Minor style fixes
2013-01-06 14:40:09 -08:00
Eskil Heyn Olsen
ae6f3b6753
Document and unit-test the signals.
...
Adds description of signals to documentation. Adds unit-tests of
signal behaviour and tests parameters.
2013-01-06 14:12:18 -08:00
Eskil Heyn Olsen
1a87a4cd0c
Fix to RegisterForm.to_dict.
...
Only add fields that are also attributes on the
datastorage.user_model.
2013-01-03 23:29:50 -08:00
Eskil Heyn Olsen
f83092865b
Configurable forms, issue:49
2013-01-03 22:00:29 -08:00
Eskil Heyn Olsen
b15736accd
RegisterFormMixin can now to_dict all fields.
...
It adds a to_dict function that uses inspect to add all wtf Field
to the returned dict. This allows extensions to the register form
to easily add fields that will be passed to the datastore's
create_user function.
2013-01-03 19:07:00 -08:00
Eskil Heyn Olsen
7f43acc167
Fix query for find_user
2013-01-01 11:28:31 -08:00
Matt Wright
f8fbd6cec8
Bump version number to 1.5.3
2012-12-23 16:47:20 -05:00
Matt Wright
3a5a1b4f52
Bump version number to 1.5.2
2012-12-11 15:15:01 -05:00