Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Admin(only) registration of users, Flask-Security

Tags:

python

flask

flask-wtforms

flask-login

flask-security

I'm currently building a login for a webapp using Flask-Security (which includes Flask-WTForms, Flask-SQLalchemy and Flask-Login). I've been able to fairly painlessly set up the majority of my login flow, including forgotten password; however I want to make it so that the only way users can be registered is through a page only accessible to the admins. I've managed to configure Roles (Admin, User) and set up the following view:

@app.route('/adminregister')
@roles_accepted('admin')
def adminregister():
    return render_template('*')

This creates the portal that is successfully limited to accounts with an Admin role. I'm unsure how to proceed for here however, as Flask-security has no built in means to enable what I'm trying to do.

I've overridden RegisterForm already to enforce password rules through a regexp:

# fixed register form
class ExtendedRegisterForm(RegisterForm):
password = TextField('Password', [validators.Required(), validators.Regexp(r'(?=.*?[0-9])(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[$-/:-?{-~!"^_`\[\]])')])

Basically I want a form, located at /adminregister, that when visited by an admin allows for the entry of an email address, at which point first the user is created in the database with a random and secure password, and then a similar process to a forgotten password happens and a 1 time password code is created to reset the password.

Useful things I've looked at:

  1. Within flask-security/views.py there is the forgotten passsword code:

    def forgot_password():
"""View function that handles a forgotten password request."""

form_class = _security.forgot_password_form

if request.json:
    form = form_class(MultiDict(request.json))
else:
    form = form_class()

if form.validate_on_submit():
    send_reset_password_instructions(form.user)
    if request.json is None:
        do_flash(*get_message('PASSWORD_RESET_REQUEST', email=form.user.email))

if request.json:
    return _render_json(form, include_user=False)

return _security.render_template(config_value('FORGOT_PASSWORD_TEMPLATE'),
                             forgot_password_form=form,
                             **_ctx('forgot_password'))

  2. Within flask_security/registerable.py there is the code for register_user

    def register_user(**kwargs):
confirmation_link, token = None, None
kwargs['password'] = encrypt_password(kwargs['password'])
user = _datastore.create_user(**kwargs)
_datastore.commit()

if _security.confirmable:
    confirmation_link, token = generate_confirmation_link(user)
    do_flash(*get_message('CONFIRM_REGISTRATION', email=user.email))

user_registered.send(app._get_current_object(),
                     user=user, confirm_token=token)

if config_value('SEND_REGISTER_EMAIL'):
    send_mail(config_value('EMAIL_SUBJECT_REGISTER'), user.email, 'welcome',
              user=user, confirmation_link=confirmation_link)

return user

I want to somehow combine these two, so that upon submission of a form with the sole field "Email" at '/adminregister' the email is added with a secure, random password in the database and the email address is sent an email with a link to change there password (and ideally a message explaining). I'm not even sure where I would add such code, as there is nothing to specifically override, especially as I can't find a way to override RegisterForm to have FEWER fields and the same functionality.

The structure of my code is in line with the flask-security documentation's quickstart.

Thank you in advance for any guidance you can offer.

like image 761
RamiMac Avatar asked Oct 14 '25 09:10

RamiMac

1 Answers

I ended up using a work around as follows:

  1. I enabled registration but limited registration view to users with an admin role.

  2. I used del form.password in views -> register to no longer send the form with a password field.

  3. I did the following in .registerable, generating a random password to fill the table.

    kwargs['password'] = encrypt_password(os.urandom(24))

  4. Upon admin entry of an email in the registration form, I had confimable enabled. This means the user would immediatly get an email to confirm their account and explaining they'd been registered. Upon confirmation they are redirected to the forgotten password page and asked to change their password (which is limited based on security).

If anyone comes up with a more direct way I'd appreciate it. I'm leaving this here in case anyone has the same problem.

like image 72
RamiMac Avatar answered Oct 16 '25 21:10

RamiMac
Sign in to Comment

Related questions

Ports with python sockets, are they random?
Compare a Python list to SQLite table and get difference
How to use SQL databases in python without writing SQL?
python - printing something in a for loop every n seconds
Using while or if as a condition for recursion leads to different results
Is there any way to get class instance attributes without creating class instance?
How to load second .ui into self with PyQt4.uic.loadUi?
PyTest: test which function was called in the if statement
Python ctypesgen/ctypes: How to write struct fields to file in single byte alignment
Matplotlib density plot in polar coordinates?
How do I get the css for a pygments formatter?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!