I am using Flask-Security, which in turn uses Flask-Login. I have a site which requires that a user both confirm their email address AND subsequently be approved by an admin. Without both of these things, I don't want the user to be able to use the site.
I've turned on SECURITY_CONFIRMABLE
and the email with the confirmation token is being sent correctly. I've set SECURITY_POST_CONFIRM_VIEW
, and the user is directed to the right view once they click the confirmation link in the email. However, the user is logged in as part of the confirmation process. I don't want the user to have access until they are approved by an admin. (Interestingly, this line is not present in the develop
branch.)
I can think of four ways to get around this, and none are particularly appealing:
Allow the user to log in after confirmation, but decorate every
login_required
view with a function which checks the user's permissions and sends them to an error page if they aren't allowed. I already have 2 of these, and I'd prefer to avoid adding a third to every view. Plus, it feels wrong to allow login when the user can't use the site until they're approved.Turn off
SECURITY_CONFIRMABLE
and email/confirm the token myself. This will require copying a lot of code and the chances of an error are higher than I would like. And are there perhaps other ways a user can login which would get around this check? Say through the password reset flow? Or if a future admin turned on passwordless login with tokens?Monkey patch Flask-Security's
login_user
or Flask-Login'slogin_user
to do my check. Seems quite hacky, and I don't know how to ensure that my patch is installed before any other code connects to the original function.Fork one of these libraries and insert a callback which I can implement in my code. Sledgehammer, meet nut. Plus maintainability issues. Unless perhaps I managed to get a PR accepted.
I hope there is another answer I'm overlooking. This can't be that uncommon a setup!