Example @login_required decorator confusing #313

Closed
dag opened this Issue Sep 5, 2011 · 1 comment

dag commented Sep 5, 2011

Several people on IRC have failed to use this decorator correctly. The problem is they forget to pass the "next" value along in their POST of the login form. The situation could be improved with a note in the docs for view decorators.

The confusion typically is that they think they have a "next" value in request.args, because they do in the GET request to their login view, and then suddenly for no apparent reason it's not there - because it's a new request, the POST request of the login credentials. The solution is to add a hidden input with the value of the next URL:

<input type=hidden name=next value="{{ request.values.next }}">

and then use either request.values or request.form instead of request.args in the login view where the POST request is handled.

17:05 <flipmoe> Is there something to pay attention to if you try to access request args using blueprints and an app factory? I get 'None' although there is a next parameter in the url. Thx
17:07 <donri> flipmoe: from where are you doing this?
17:07 <flipmoe> donri: from my login view
17:08 <donri> paste code paste.pocoo.org
17:13 <flipmoe> donri: http://paste.pocoo.org/show/470727/ 
17:14 <donri> and the code that redirects to login?
17:15 <DasIch> donri: line 32
17:15 <donri> nope
17:16 <flipmoe> donri: you mean the login_required decorator?
17:16 <donri> probably
17:16 <flipmoe> donri: ok
17:17 <flipmoe> donri: http://paste.pocoo.org/show/470731/ 
17:26 <donri> flipmoe: ah i see it
17:26 <donri> flipmoe: your redirect results in the GET which renders the template, where i assume you have a form that POST to login
17:26 <donri> flipmoe: but you're probably not passing along the 'next' from the GET
17:27 <donri> flipmoe: add an input hidden to the form and use request.values
17:28 <donri> remember that your login view handles two different forms of requests (get and post)
17:28 <donri> and validate_on_submit checks that the request method is POST
17:29 <flipmoe> donri: ok thx, do you have an example for that hidden input?
17:29 <donri> <input type=hidden name=next value="{{ request.values.next }}">
17:29 <donri> request.values is just a combined dict of the request.form and request.args
17:30 <flipmoe> donri: ok thank you!
17:30 <donri> then make sure to use request.values in the login view too
17:30 <flipmoe> donri: jep
17:31 <donri> may need to do something more to make the form valid against LoginForm with "next" in the form dict
17:32 <donri> (you could just pass it in form action=login?next=... but mitsuhiko seems to think that's bad for some reason i forgot)
17:33 <flipmoe> ok
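
The fix described in this comment, as a minimal Flask app; it is an added example, not code from the issue or from the Flask docs. The route names, the fixed demo password, the secret key and the `safe_next` helper are assumptions, and `safe_next` goes beyond the issue by restricting "next" to same-site paths so the login view does not become an open redirect.

```python
from functools import wraps

from flask import Flask, redirect, render_template_string, request, session, url_for

app = Flask(__name__)
app.secret_key = "constructed-demo-key"  # constructed value, demo only

# The hidden input copies "next" from the GET query string into the POST body.
LOGIN_FORM = """<form method=post action="{{ url_for('login') }}">
<input type=hidden name=next value="{{ request.values.get('next', '') }}">
<input name=username> <input type=password name=password>
<input type=submit value=Login></form>"""


def login_required(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        if "user" not in session:
            # First request: GET /login?next=<page the user wanted>
            return redirect(url_for("login", next=request.path))
        return f(*args, **kwargs)
    return decorated


def safe_next(target):
    """Added check, not from the issue: only follow same-site absolute paths."""
    t = target or ""
    ok = (t.startswith("/") and not t.startswith("//")
          and "\\" not in t and all(c > " " for c in t))
    return t if ok else "/"  # "/" is an assumed fallback page


@app.route("/login", methods=["GET", "POST"])
def login():
    # request.values merges request.args and request.form, so "next" is found
    # on the GET that renders the form and on the POST that submits it.
    # request.args alone would be empty on the POST, which is the reported bug.
    target = safe_next(request.values.get("next"))
    # Assumption: a fixed demo password stands in for real credential checks.
    if request.method == "POST" and request.form.get("password") == "demo":
        session["user"] = request.form.get("username", "")
        return redirect(target)
    return render_template_string(LOGIN_FORM)


@app.route("/secret")
@login_required
def secret():
    return "members only"
```
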
@untitaker untitaker added the docs label Oct 19, 2014
@pingihu

looking at this for a PyCon 2016 sprint

@pingihu pingihu pushed a commit to pingihu/flask that referenced this issue Jun 2, 2016
Ping Hu Add clarification for login_required decorator ref #313 3b1f084
@davidism davidism closed this Jun 5, 2016