2 votes

I am using Flask-Security for authentication. What I want is that when a user accesses a specific URL without login/access, it redirects to the login page, but instead it redirects to the home page. I know that if I add

@login_required

decorator then it will redirect to the login page, but how do I do it without that decorator?

i.e.

from flask_security import roles_accepted

@app.route('/result')
@roles_accepted('admin')
def result():
    # some code
    ...

I read in the Flask documentation to add this to the app config file.

SECURITY_UNAUTHORIZED_VIEW = '/login'

but again it does not redirect to the login page. Can anyone guide me on what I am doing wrong here?

2 Answers

0 votes

Flask-Security integrates a number of other extensions into a neat package, so it is possible to utilize those packages independently of Flask-Security if necessary.

If you've installed Flask-Security, you should also have Flask-Login installed as a dependency. You can use the current_user class from Flask-Login to check for authentication and redirect manually:

from flask import redirect, url_for
from flask_login import current_user
from flask_security import roles_accepted

@app.route('/result')
@roles_accepted('admin')
def result():
    if not current_user.is_authenticated:
        # Flask-Security registers its login view under the 'security' blueprint
        return redirect(url_for('security.login'))
    # some code....
    return 'result'

I'm not sure how this will play with @roles_accepted, but based on the source code it looks like this decorator will intervene prior to the result function if an inappropriate role is used and handle it with the security_unauthorized_callback.

This actually seems to be similar to what @login_required does, i.e. call the security_unauthorized_callback function when the specified conditions are not met, in this case, the proper roles.

If I understand the @roles_required decorator correctly, the above solution should prevent any authenticated users of the improper role from accessing the results page, then manually redirect any unauthenticated users who make it past that check, without using the @login_required decorator.

0 votes

What is happening is correct.

SECURITY_UNAUTHORIZED_VIEW = '/login'

redirects the user to the login view; however, what appears to be happening is that you have an authenticated user who is not authorized to access the view. When you redirect to the login page, since the user is already authenticated, another redirect happens to the SECURITY_POST_LOGIN_VIEW, which in your case is the home page.

I have two suggestions.

1) If an unauthorized user attempts to access the protected view, log them out and add a flash message that they need to log in as an authorized user (that is assuming your SECURITY_POST_LOGOUT_VIEW is /login). In this case, your configuration becomes

SECURITY_UNAUTHORIZED_VIEW = '/logout'

and will achieve your objective of having the user redirected to the login page. This happens even if the current user is not authenticated (i.e. is anonymous / not logged in).

2) Instead of logging out the user, retain the redirect to the home page and add a flash message asking the user to log in as an authorized user to access the resource.
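The redirect chain described in this answer (unauthorized view, then the login page bouncing an already-authenticated user to the post-login view) and the manual `current_user` check from the first answer can both be reproduced without Flask-Security. The following is an added example, not code from either answer or from Flask-Security itself: it uses plain Flask, a hand-written `roles_accepted` stand-in, a constructed user table (`alice` is an admin, `bob` is not) and a session key named `user`, all of which are assumptions of this example. The point it shows is that an "unauthorized" handler should treat an anonymous visitor (send to login, with `next` so they come back) differently from an authenticated user who simply lacks the role (answer 403, or the flash-plus-home-page option above), because sending the latter to `/login` is exactly what produces the bounce to the home page.

```python
# Added example: minimal Flask app reproducing the redirect chain from the answer.
# Only Flask is required; roles_accepted below is a constructed stand-in for the
# Flask-Security decorator of the same name, not Flask-Security's own code.
from functools import wraps
from urllib.parse import parse_qs, urlsplit

from flask import Flask, abort, redirect, request, session, url_for

app = Flask(__name__)
app.config["SECRET_KEY"] = "constructed-dev-key"  # only signs the session cookie

# Constructed user table: username -> set of roles (assumption of this example).
USERS = {"alice": {"admin"}, "bob": {"viewer"}}


def current_roles():
    """Roles of the logged-in user, or None when nobody is logged in."""
    user = session.get("user")
    return USERS.get(user) if user else None


def roles_accepted(*roles):
    """Stand-in for Flask-Security's roles_accepted: pass if the user holds any of `roles`."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            have = current_roles()
            if have is None:
                # Unauthenticated: send to login and remember where to come back.
                return redirect(url_for("login", next=request.path))
            if not have.intersection(roles):
                # Authenticated but not authorized: do NOT redirect to /login
                # (that is the bounce the answer describes); refuse instead.
                abort(403)
            return view(*args, **kwargs)
        return wrapper
    return decorator


@app.route("/")
def home():
    return "home"


@app.route("/login", methods=["GET", "POST"])
def login():
    if "user" in session:
        # Mirrors SECURITY_POST_LOGIN_VIEW: an already-authenticated user
        # hitting /login is bounced straight to the home page.
        return redirect(url_for("home"))
    if request.method == "POST":
        session["user"] = request.form["user"]
        return redirect(request.args.get("next") or url_for("home"))
    return "login form"


@app.route("/result")
@roles_accepted("admin")
def result():
    return "secret result"


def fetch(path, as_user=None):
    """GET `path` with the test client, optionally logged in as `as_user`.

    Returns (status, redirect_path, next_param); the last two are None when
    the response is not a redirect.
    """
    client = app.test_client()  # keeps the session cookie between requests
    if as_user:
        client.post("/login", data={"user": as_user})
    resp = client.get(path)
    if resp.status_code in (301, 302, 303, 307, 308):
        parts = urlsplit(resp.headers["Location"])
        nxt = parse_qs(parts.query).get("next", [None])[0]
        return resp.status_code, parts.path, nxt
    return resp.status_code, None, None


if __name__ == "__main__":
    print("anonymous ->", fetch("/result"))
    print("bob (viewer) ->", fetch("/result", as_user="bob"))
    print("alice (admin) ->", fetch("/result", as_user="alice"))
    print("bob visits /login ->", fetch("/login", as_user="bob"))
```

Running the script shows the four cases side by side: an anonymous request to `/result` is redirected to `/login?next=/result`, a logged-in non-admin gets a 403 instead of a redirect, an admin gets the page, and a logged-in user who reaches `/login` is redirected to `/`, which is the bounce the question observed. If you prefer option 2 from the answer, replace `abort(403)` with a `flash()` followed by `redirect(url_for("home"))`.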