Invalid Login logic in Flask Python -
i'm using flask sqlalchemy , flask-login.
i can login , logout registered user.
what find confusing when enter incorrect password on login page, i'm returned login page flash message of "welcome user@email.com", have thought, based on code, appear if logged in.
@app.route('/login', methods=['get', 'post']) def login(): form = loginform() user = user.query.filter_by(email=form.email.data).first() if form.validate_on_submit(): if user , check_password_hash(user.password, form.password.data): session['user_id'] = user.id flash('welcome %s' % user.email) return redirect(url_for('dashboard')) else: flash('wrong email or password') return render_template("login.html", form=form) flash('the email or password wrong.') return render_template("login.html", form=form) edit: tigra, ended with.
in views.py
@app.route('/login', methods=['get', 'post']) def login(): form = loginform() user = user.query.filter_by(email=form.email.data).first() if request.method == "post": if form.validate(): # session can't modified it's signed, # it's safe place store user session['user_id'] = user.id flash('welcome %s' % user.email) return redirect(url_for('dashboard')) else: flash('wrong email or password') return render_template("login.html", form=form) return render_template("login.html", form=form) in forms.py
from models import user werkzeug import check_password_hash class loginform(form): email = textfield('email', validators = [required(), email()]) password = passwordfield('password', validators = [required()]) remember_me = booleanfield('remember_me', default = false) def __init__(self, *args, **kwargs): form.__init__(self, *args, **kwargs) self.user = none def validate(self): rv = form.validate(self) if not rv: return false user = user.query.filter_by(email=self.email.data).first() if user none: self.email.errors.append('unknown username') return false if not check_password_hash(user.password,self.password.data): self.password.errors.append('invalid password') return false self.user = user return true
you have 2 problems:
1) should not make such check (login/password) after form validation. should defined inside form itself, read custom validators wtforms
2) also, make sure, formatting presented actual one, becouse have @ least mistake in presented formatting:
form = loginform() user = user.query.filter_by(email=form.email.data).first() so can't sure there not more.
also, passcheck function werzkeug.security?
as form custom validation there 1 example:
approach actual validation fails, not additional check
class loginform(safeform): email=textfield(__("e-mail"),validators=[required()]) password=passwordfield(__("password"),validators=[required()]) submit=submitfield(__("login")) def __init__(self,*k,**kk): self._user=none #for internal user storing super(loginform,self).__init__(*k,**kk) def validate(self): self._user=user.query.filter(user.email==self.email.data).first() return super(loginform,self).validate() def validate_email(self,field): if self._user none: raise validationerror(_("e-mail not recognized")) def validate_password(self,field): if self._user none: raise validationerror() #just sure if not self._user.validate_password(self.password.data): #passcheck embedded user model raise validationerror(_("password incorrect"))
Comments
Post a Comment