Bug in flask-login example #22
Comments
|
Right on. Thanks for catching this! |
Version 0.2.9-dev ----------------- Released on December 28th, 2013 - Fixes anonymous user assignment. - Fixes localization in Python 3. Version 0.2.8 ------------- Released on December 21st 2013 - Support login via authorization header. This allows login via Basic Auth, for example. Useful in an API presentation context. - Ability to override user ID method name. This is useful if the ID getter is named differently than the default. - Session data is now only read when the user is requested. This can be beneficial for cookie and caching control when differenting between requests that use user information for rendering and ones where all users (including anonymous) get the same result (e.g. static pages) - BREAKING: User *must* always be accessed through the ``current_user`` local. This breaks any previous direct access to ``_request_ctx.top.user``. This is because user is not loaded until current_user is accessed. - Fixes unnecessary access to the session when the user is anonymous and session protection is active. see maxcountryman/flask-login#120 - Fixes issue where order dependency of applying the login manager before dependent applications was required. see pallets-eco/flask-principal#22 - Fixes Python 3 ``UserMixin`` hashing. - Fixes incorrect documentation.
Version 0.2.9-dev ----------------- Released on December 28th, 2013 - Fixes anonymous user assignment. - Fixes localization in Python 3. Version 0.2.8 ------------- Released on December 21st 2013 - Support login via authorization header. This allows login via Basic Auth, for example. Useful in an API presentation context. - Ability to override user ID method name. This is useful if the ID getter is named differently than the default. - Session data is now only read when the user is requested. This can be beneficial for cookie and caching control when differenting between requests that use user information for rendering and ones where all users (including anonymous) get the same result (e.g. static pages) - BREAKING: User *must* always be accessed through the ``current_user`` local. This breaks any previous direct access to ``_request_ctx.top.user``. This is because user is not loaded until current_user is accessed. - Fixes unnecessary access to the session when the user is anonymous and session protection is active. see maxcountryman/flask-login#120 - Fixes issue where order dependency of applying the login manager before dependent applications was required. see pallets-eco/flask-principal#22 - Fixes Python 3 ``UserMixin`` hashing. - Fixes incorrect documentation.
|
Thanks for addressing my comment, however I'm a little surprised (and stumped) at the fix. I expected a simple change to the documentation, but instead it looks like you tried to make the order of flask plugins not matter. I'm still digesting what exactly changed here (and I noticed this issue on a test server, so I haven't had time to look at it on a dev server yet), but Flask-Login 0.2.9 is creating an infinite loop: You can see that load_user() ends up calling... load_user(). On my test server, this repeats until I get a This is a new test server, so it took me quite a while to figure out what was going on. (I thought I had botched some step of the deployment process.) Eventually I tried using pip to remove Flask-Login 0.2.9 and replace it with 0.2.7 instead. Boom, problem fixed. I will post back when I have more details, but my gut reaction is that the documentation still doesn't match the reality of what Flask-Login is actually doing. |
Version 0.2.9-dev ----------------- Released on December 28th, 2013 - Fixes anonymous user assignment. - Fixes localization in Python 3. Version 0.2.8 ------------- Released on December 21st 2013 - Support login via authorization header. This allows login via Basic Auth, for example. Useful in an API presentation context. - Ability to override user ID method name. This is useful if the ID getter is named differently than the default. - Session data is now only read when the user is requested. This can be beneficial for cookie and caching control when differenting between requests that use user information for rendering and ones where all users (including anonymous) get the same result (e.g. static pages) - BREAKING: User *must* always be accessed through the ``current_user`` local. This breaks any previous direct access to ``_request_ctx.top.user``. This is because user is not loaded until current_user is accessed. - Fixes unnecessary access to the session when the user is anonymous and session protection is active. see maxcountryman/flask-login#120 - Fixes issue where order dependency of applying the login manager before dependent applications was required. see pallets-eco/flask-principal#22 - Fixes Python 3 ``UserMixin`` hashing. - Fixes incorrect documentation.
Version 0.2.9-dev ----------------- Released on December 28th, 2013 - Fixes anonymous user assignment. - Fixes localization in Python 3. Version 0.2.8 ------------- Released on December 21st 2013 - Support login via authorization header. This allows login via Basic Auth, for example. Useful in an API presentation context. - Ability to override user ID method name. This is useful if the ID getter is named differently than the default. - Session data is now only read when the user is requested. This can be beneficial for cookie and caching control when differenting between requests that use user information for rendering and ones where all users (including anonymous) get the same result (e.g. static pages) - BREAKING: User *must* always be accessed through the ``current_user`` local. This breaks any previous direct access to ``_request_ctx.top.user``. This is because user is not loaded until current_user is accessed. - Fixes unnecessary access to the session when the user is anonymous and session protection is active. see maxcountryman/flask-login#120 - Fixes issue where order dependency of applying the login manager before dependent applications was required. see pallets-eco/flask-principal#22 - Fixes Python 3 ``UserMixin`` hashing. - Fixes incorrect documentation.
|
I was having trouble with this for a while as well. Because I don't want to use the session for user login in a REST api, I can't call @login_manager.request_loader
def load_user_from_request(request):
user = get_user(request)
return user
@user_loaded_from_request.connect
def on_user_loaded_from_request(sender, user):
principal.set_identity(Identity(user.id))
@identity_loaded.connect
def on_identity_loaded(sender, identity):
identity.user = current_user
identity.provides.add(UserNeed(current_user.id))
# Etc...It would be nice if there was a way to configure Flask-Login to not use the session at all. |
|
Thanks @joshfriend for your example. I've been trying to tie Flask-Login/Flask-Principal together for a REST API yet I couldn't get the |
Yes. You cannot use |
The flask-login example in the documentation is extremely helpful (common use case, I would think) but it has a significant bug in it!
The sample code shows Flask-Principal being registered before Flask-Login, but if you do this, then flask principal will send the
identity_loadedmessage before Flask-Login has had a chance to load the current_user proxy. Therefore, theidentity_loadedhandler will always return the anonymous user!I realize it's not meant to be a complete example, but it tripped me up as well as at least one person on Stack Overflow: http://stackoverflow.com/questions/18190067/flask-login-and-principal-current-user-is-anonymous-even-though-im-logged-in/18935921
It can be fixed simply by reversing the order of
Principal(app)andlogin_manager = LoginManager(app).The text was updated successfully, but these errors were encountered: