From a57c55f49fd2db040c44bb6841cdff36452f3ba9 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Fri, 28 Jul 2017 20:29:07 +0100
Subject: [PATCH 1/5] #444 firstname/lastname returned as bytes instead of str
---
 flask_appbuilder/security/manager.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py
index 4214622b4..7f3c5a630 100644
--- a/flask_appbuilder/security/manager.py
+++ b/flask_appbuilder/security/manager.py
@@ -593,6 +593,11 @@ def _bind_ldap(self, ldap, con, username, password):
 except ldap.INVALID_CREDENTIALS:
 return False
+ @staticmethod
+ def ldap_extract(ldap_dict, field, fallback):
+ if not ldap_dict.get(field):
+ return fallback
+ return ldap_dict[field][0].decode('utf-8') or fallback
 def auth_user_ldap(self, username, password):
 """
@@ -644,12 +649,12 @@ def auth_user_ldap(self, username, password):
 ldap_user_info = new_user[0][1]
 if self.auth_user_registration and user is None:
 user = self.add_user(
- username=username,
- first_name=ldap_user_info.get(self.auth_ldap_firstname_field, [username])[0],
- last_name=ldap_user_info.get(self.auth_ldap_lastname_field, [username])[0],
- email=ldap_user_info.get(self.auth_ldap_email_field, [username + '@email.notfound'])[0],
- role=self.find_role(self.auth_user_registration_role)
- )
+ username=username,
+ first_name=self.ldap_extract(ldap_user_info, self.auth_ldap_firstname_field, username),
+ last_name=self.ldap_extract(ldap_user_info, self.auth_ldap_lastname_field, username),
+ email=self.ldap_extract(ldap_user_info, self.auth_ldap_email_field, username + '@email.notfound'),
+ role=self.find_role(self.auth_user_registration_role)
+ )
 self.update_user_auth_stat(user)
 return user
From 48c6ea1c906408e431409322c8c9021e30ac6d48 Mon Sep 17 00:00:00 2001
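Review bot: `ldap_extract` calls `.decode('utf-8')` unconditionally on `ldap_dict[field][0]`, so a value that is already `str` (a client or test fixture that returns text instead of bytes) raises AttributeError, and a value that is not valid UTF-8 raises UnicodeDecodeError; either one surfaces as an unhandled exception during user registration in `auth_user_ldap` instead of falling back. Decode only when needed, `value = ldap_dict[field][0]` / `if isinstance(value, bytes): value = value.decode('utf-8')` / `return value or fallback`, and decide explicitly whether a decode failure should return `fallback` or be logged and re-raised. The same assumption is inherited by the three `self.ldap_extract(...)` call sites in this file's second hunk. A short docstring would also help, e.g. `"""Return the first value of LDAP attribute *field* as text, or *fallback* when the attribute is absent or empty."""`.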
From: Daniel Gaspar
Date: Sun, 30 Jul 2017 17:38:58 +0100
Subject: [PATCH 2/5] Fix version conflict with flask-babel
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index b363b4a80..5d1eeb966 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,5 +5,5 @@ Flask-Login>=0.2.11,<0.2.99
 Flask-SQLAlchemy>=2.0,<2.1.99
 Flask-OpenID>=1.2.5,<1.2.99
 Flask-WTF>=0.14.2,<0.14.99
-Flask-Babel>=0.11.2,<0.11.99
+Flask-Babel==0.11.1
From 12eccb0e8b4f2686995a839b596f5c21d2a5bcdc Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Sun, 30 Jul 2017 17:49:10 +0100
Subject: [PATCH 3/5] Fix divergence on versions between setup and requirements, pinned version
---
 requirements.txt | 10 +++++-----
 setup.py | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 5d1eeb966..1624c8867 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,9 @@
-colorama>=0.3.9,<0.3.99
-click>=6.7,<6.99
+colorama==0.3.9
+click==6.7
 Flask>=0.12.1,<0.12.99
 Flask-Login>=0.2.11,<0.2.99
-Flask-SQLAlchemy>=2.0,<2.1.99
-Flask-OpenID>=1.2.5,<1.2.99
-Flask-WTF>=0.14.2,<0.14.99
+Flask-SQLAlchemy==2.1
+Flask-OpenID==1.2.5
+Flask-WTF==0.14.2
 Flask-Babel==0.11.1
diff --git a/setup.py b/setup.py
index 25525c01f..3d2c77461 100644
--- a/setup.py
+++ b/setup.py
@@ -34,14 +34,14 @@ def desc():
 zip_safe=False,
 platforms='any',
 install_requires=[
- 'colorama>=0.3',
- 'click>=3.0',
- 'Flask>=0.10',
+ 'colorama==0.3.9',
+ 'click==6.7',
+ 'Flask>=0.12.1,<0.12.99',
 'Flask-Babel==0.11.1', # known issues with 0.11.2
 'Flask-Login==0.2.11',
- 'Flask-OpenID>=1.1.0',
- 'Flask-SQLAlchemy>=2.0,<2.1.99',
- 'Flask-WTF>=0.12',
+ 'Flask-OpenID==1.2.5',
+ 'Flask-SQLAlchemy==2.1',
+ 'Flask-WTF==0.14.2',
 ],
 tests_require=[
 'nose>=1.0',
From 41920fce9ea9b9b95ce90a81d85977ec3411fa0f Mon Sep 17 00:00:00 2001
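Review bot: The new `install_requires` entries in setup.py pin `colorama`, `click`, `Flask-OpenID`, `Flask-SQLAlchemy` and `Flask-WTF` to exact versions, which for a library means every consumer is locked to those exact releases and cannot take a dependency's later bug or security fix without a resolver conflict against this package. The `Flask` entry in the same hunk shows the alternative: keep a compatible range in setup.py, e.g. `'Flask-WTF>=0.14.2,<0.14.99',` and likewise for the other four, and keep the exact pins in requirements.txt, which the first hunk of this patch already does. If an exact pin is intentional because of a known incompatibility, as the existing `# known issues with 0.11.2` comment on `Flask-Babel` records, a comment of the same kind on each pinned entry would tell the next maintainer why it must not be widened.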
From: Daniel Gaspar
Date: Sun, 30 Jul 2017 18:00:10 +0100
Subject: [PATCH 4/5] Updated change log
---
 docs/versions.rst | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/versions.rst b/docs/versions.rst
index 4a086ed27..6b92c34ac 100644
--- a/docs/versions.rst
+++ b/docs/versions.rst
@@ -1,6 +1,13 @@
 Versions
 ========
+- Fix, #544 for possible sql injection on order by clauses
+- Fix, #550 check whether `session_form_edit_pk` still exist in db, on CompactCRUDMixin.
+- Fix, #553 for AttributeError when edit_columns on a view in related_views does not include relationship
+- New, #562 Bump flask-babel version to 0.11.1, and pin.
+- Fix, #444 Create LDAP user firstname/lastname may return as bytes instead of str
+- Fix, Fix divergence on versions between setup and requirements, pinned versions
 Improvements and Bug fixes on 1.9.2
 -----------------------------------
From 0ebf5c8b5e1214bc4fcefb2d3af229c436f9f19f Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Sun, 30 Jul 2017 18:04:54 +0100
Subject: [PATCH 5/5] Bumped version to 1.9.3
---
 README.rst | 2 +-
 docs/versions.rst | 3 +++
 flask_appbuilder/version.py | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/README.rst b/README.rst
index 022cb1ed0..fda021cc5 100644
--- a/README.rst
+++ b/README.rst
@@ -24,7 +24,7 @@ Lots of `examples