.. Flask-Security documentation master file, created by sphinx-quickstart on Mon Mar 12 15:35:21 2012. You can adapt this file completely to your liking, but it should at least contain the root `toctree` directive. Flask-Security ============== .. module:: flask_security Simple security for Flask applications combining `Flask-Login `_, `Flask-Principal `_, `Flask-WTF `_, `passlib `_, and your choice of datastore. Currently `SQLAlchemy `_ via `Flask-SQLAlchemy `_ and `MongoEngine `_ via `Flask-MongoEngine `_ are supported out of the box. You will need to install the necessary Flask extensions that you'll be using on your own. Additionally, you may need to install an encryption library such as `py-bcrypt `_ (if you plan to use bcrypt) for your desired encryption method. Contents ========= * :ref:`overview` * :ref:`installation` * :ref:`getting-started` * :ref:`additional-user-fields` * :ref:`flask-script-commands` * :ref:`api` * :doc:`Changelog ` .. _overview: Overview ======== Flask-Security does a few things that Flask-Login and Flask-Principal don't provide out of the box. They are: 1. Setting up login and logout endpoints 2. Authenticating users based on username or email 3. Limiting access based on user 'roles' 4. User and role creation 5. Password encryption That being said, you can still hook into things such as the Flask-Login and Flask-Principal signals if need be. .. _installation: Installation ============ First, install Flask-Security:: $ mkvirtualenv app-name $ pip install Flask-Security Then install your datastore requirement. **SQLAlchemy**:: $ pip install Flask-SQLAlchemy **MongoEngine**:: $ pip install https://github.com/sbook/flask-mongoengine/tarball/master .. _getting-started: Getting Started =============== The following code samples will illustrate how to get started using SQLAlchemy. First thing you'll want to do is setup your application and datastore:: from flask import Flask, render_template from flask.ext.sqlalchemy import SQLAlchemy from flask.ext.security import (User, Security, LoginForm, login_required, roles_accepted, user_datastore) from flask.ext.security.datastore.sqlalchemy import SQLAlchemyUserDatastore app = Flask(__name__) app.config['SECRET_KEY'] = 'secret' app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///:memory:' db = SQLAlchemy(app) Security(app, SQLAlchemyUserDatastore(db)) You'll probably want to at least one user to the database to test this out. There are many ways to do this, but this is a quick and dirty way to do it:: @app.before_first_request def before_first_request(): user_datastore.create_role(name='admin') user_datastore.create_user(username='matt', email='matt@something.com', password='password', roles=['admin']) Next you'll want to setup your login screen. Setup your view:: @app.route("/login") def login(): return render_template('login.html', form=LoginForm()) And corresponding template::
{{ form.hidden_tag() }} {{ form.username.label }} {{ form.username }}
{{ form.password.label }} {{ form.password }}
{{ form.remember.label }} {{ form.remember }}
{{ form.submit }}
By default, Flask-Security will redirect a user to `/profile` after logging in. You can set this page up yourself or set the `SECURITY_POST_LOGIN` config value to change this behavior. Regardless, setup a protected view as such:: @app.route('/profile') @login_required def profile(): return render_template('profile.html') Now you have an application with basic authentication. If you run the local development server you can visit `http://localhost:5000/login `_ to login. The last thing you'll want to do is add a logout link to your templates. This can be achieved with:: Logout Now, for instance, say you want to protect an admin area to users that are administrators. You can use the `roles_accepted` decorator to prevent access. The corresponding view would look like such:: @app.route('/admin') @roles_accepted('admin') def admin(): return render_template('admin/index.html') And lastly, maybe you only want to show something in a template if a user has a specific role:: {% if current_user.has_role('admin') %} Admin Panel {$ endif %} .. _additional-user-fields: Additional User Fields ---------------------- If you'd like to add additional fields to the user model you can use a mixin class that specifies your additional fields. The following is an example of how you might do this:: db = SQLAlchemy(app) class UserAccountMixin(): first_name = db.Column(db.String(120)) last_name = db.Column(db.String(120)) Security(app, SQLAlchemyUserDatastore(db, UserAccountMixin)) .. _flask-script-commands: Flask-Script Commands --------------------- Flask-Security comes packed with a few Flask-Script commands. They are: * :class:`flask.ext.security.script.CreateUserCommand` * :class:`flask.ext.security.script.CreateRoleCommand` * :class:`flask.ext.security.script.AddRoleCommand` * :class:`flask.ext.security.script.RemoveRoleCommand` * :class:`flask.ext.security.script.DeactivateUserCommand` * :class:`flask.ext.security.script.ActivateUserCommand` Register these on your script manager for pure convenience. .. _configuration: Configuration Values ==================== * :attr:`SECURITY_URL_PREFIX`: Specifies the URL prefix for the Security blueprint * :attr:`SECURITY_AUTH_PROVIDER`: Specifies the class to use as the authentication provider. Such as `flask.ext.security.AuthenticationProvider` * :attr:`SECURITY_PASSWORD_HASH`: Specifies the encryption method to use. e.g.: plaintext, bcrypt, etc * :attr:`SECURITY_USER_DATASTORE`: Specifies the property name to use for the user datastore on the application instance * :attr:`SECURITY_LOGIN_FORM`: Specifies the form class to use when processing an authentication request * :attr:`SECURITY_AUTH_URL`: Specifies the URL to to handle authentication * :attr:`SECURITY_LOGOUT_URL`: Specifies the URL to process a logout request * :attr:`SECURITY_LOGIN_VIEW`: Specifies the URL to redirect to when authentication is required * :attr:`SECURITY_POST_LOGIN`: Specifies the URL to redirect to after a user is authenticated * :attr:`SECURITY_POST_LOGOUT`: Specifies the URL to redirect to after a user logs out * :attr:`SECURITY_FLASH_MESSAGES`: Specifies wether or not to flash messages during authentication request .. _api: API === .. autoclass:: flask_security.Security :members: .. data:: flask_security.current_user A proxy for the current user. Protecting Views ---------------- .. autofunction:: flask_security.login_required .. autofunction:: flask_security.roles_required .. autofunction:: flask_security.roles_accepted User Object Helpers ------------------- .. autoclass:: flask_security.UserMixin :members: .. autoclass:: flask_security.RoleMixin :members: .. autoclass:: flask_security.AnonymousUser :members: Datastores ---------- .. autoclass:: flask_security.datastore.UserDatastore :members: .. autoclass:: flask_security.datastore.sqlalchemy.SQLAlchemyUserDatastore :members: :inherited-members: .. autoclass:: flask_security.datastore.mongoengine.MongoEngineUserDatastore :members: :inherited-members: Models ------ .. autoclass:: flask_security.User .. attribute:: id User ID .. attribute:: username Username .. attribute:: email Email address .. attribute:: password Password .. attribute:: active Active state .. attribute:: roles User roles .. attribute:: created_at Created date .. attribute:: modified_at Modified date .. autoclass:: flask_security.Role .. attribute:: id Role ID .. attribute:: name Role name .. attribute:: description Role description Exceptions ---------- .. autoexception:: flask_security.BadCredentialsError .. autoexception:: flask_security.AuthenticationError .. autoexception:: flask_security.UserNotFoundError .. autoexception:: flask_security.RoleNotFoundError .. autoexception:: flask_security.UserIdNotFoundError .. autoexception:: flask_security.UserDatastoreError .. autoexception:: flask_security.UserCreationError .. autoexception:: flask_security.RoleCreationError Signals ------- See the documentation for the signals provided by the Flask-Login and Flask-Principal extensions. Flask-Security does not provide any additional signals. Changelog ========= .. toctree:: :maxdepth: 2 changelog