SECURITY_CONFIRMABLE config mixup between confirm password and confirm email #23

Closed
sdiepend opened this issue Mar 12, 2017 · 2 comments

Comments

@sdiepend

I think there is some weird behaviour when using SECURITY_CONFIRMABLE.

The documentation states the following, so this is a flag to enable confirmation of an email address.

SECURITY_CONFIRMABLE
Specifies if users are required to confirm their email address when registering a new account. If this value is True, Flask-Security creates an endpoint to handle confirmations and requests to resend confirmation instructions. The URL for this endpoint is specified by the SECURITY_CONFIRM_URL configuration option. Defaults to False.

But when set to True it also removes the retype password field, so I think this is mixing up email confirmation and "password confirmation".

register_user.html

```jinja
{% if register_user_form.password_confirm %}
  {{ render_field_with_errors(register_user_form.password_confirm) }}
{% endif %}
```

I think it has to do with the following two forms:
forms.py

```python
class ConfirmRegisterForm(Form, RegisterFormMixin,
                          UniqueEmailFormMixin, NewPasswordFormMixin):
    pass


class RegisterForm(ConfirmRegisterForm, PasswordConfirmFormMixin,
                   NextFormMixin):
    def __init__(self, *args, **kwargs):
        super(RegisterForm, self).__init__(*args, **kwargs)
        if not self.next.data:
            self.next.data = request.args.get('next', '')
```

views.py

```python
def register():
    """View function which handles a registration request."""

    if _security.confirmable or request.json:
        form_class = _security.confirm_register_form
    else:
        form_class = _security.register_form
```

sdiepend changed the title from "SECURITY_CONFIRMABLE config lixup between confirm password and confirm email" to "SECURITY_CONFIRMABLE config mixup between confirm password and confirm email" on Mar 12, 2017
@dappiu

dappiu commented Apr 2, 2017

I can confirm that this bug interferes even with the overriding of the default RegisterForm (I haven't tried the others), which, when the SECURITY_CONFIRMABLE option is set to True, won't be overridden when calling init_app and passing the register_form parameter:

```python
security.init_app(
    app,
    user_datastore,
    register_form=ExtendedRegisterForm
)
```

The form passed to the view is the default form, and the __init__ method of ExtendedRegisterForm is never called.
When setting SECURITY_CONFIRMABLE to False, everything is fine.

@jirikuncar
Member

@dappiu can you create a test case which shows the described behavior?

lnielsen pushed a commit that referenced this issue Feb 7, 2022
* Fix sphinx link issues in quickstart.rst.
  (closes pallets-eco#700)
@lnielsen lnielsen closed this as completed Feb 9, 2022
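
Added example, not part of the thread and not Flask-Security's own code: a dependency-free model of the quoted form hierarchy and the `register()` branch, reproducing both reported symptoms. The field names, `ExtendedConfirmRegisterForm`, `findings()` and `state()` are assumptions made for illustration.

```python
from types import SimpleNamespace

class Form:
    """Stand-in for the WTForms base class: gathers `fields` along the MRO."""
    @classmethod
    def field_names(cls):
        return {n for k in cls.__mro__ for n in vars(k).get("fields", ())}

# Mixins and forms named as in the forms.py excerpt; field names are assumed.
class RegisterFormMixin: fields = ("submit",)
class UniqueEmailFormMixin: fields = ("email",)
class NewPasswordFormMixin: fields = ("password",)
class PasswordConfirmFormMixin: fields = ("password_confirm",)
class NextFormMixin: fields = ("next",)

class ConfirmRegisterForm(Form, RegisterFormMixin,
                          UniqueEmailFormMixin, NewPasswordFormMixin):
    pass

class RegisterForm(ConfirmRegisterForm, PasswordConfirmFormMixin,
                   NextFormMixin):
    pass

class ExtendedRegisterForm(RegisterForm):  # hypothetical override
    fields = ("first_name",)

class ExtendedConfirmRegisterForm(ConfirmRegisterForm,
                                  PasswordConfirmFormMixin):  # hypothetical
    fields = ("first_name",)

def pick_form_class(security, is_json=False):
    """Same branch as register() in the views.py excerpt."""
    if security.confirmable or is_json:
        return security.confirm_register_form
    return security.register_form

def findings(security, is_json=False):
    """Return the symptoms from the thread that a configuration triggers."""
    served, out = pick_form_class(security, is_json), []
    if "password_confirm" not in served.field_names():
        out.append("no password_confirm field")
    if security.register_form is not RegisterForm and served is not security.register_form:
        out.append("register_form override ignored")
    return out

def state(confirmable, register_form=RegisterForm,
          confirm_register_form=ConfirmRegisterForm):
    """Minimal stand-in for the _security state object."""
    return SimpleNamespace(confirmable=confirmable, register_form=register_form,
                           confirm_register_form=confirm_register_form)
```

In this model, `findings(state(True, register_form=ExtendedRegisterForm))` reports both symptoms, while a confirm form that also mixes in `PasswordConfirmFormMixin` reports none.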