From 46865c4485d6ce0f2bf316902ad7a7fe0947c884 Mon Sep 17 00:00:00 2001
From: Tomaz
Date: Thu, 4 Feb 2016 17:35:59 -0500
Subject: [PATCH 1/3] Both 'token' and 'session' auth enabled for change_password

Previously, only @login_required was used, therefore token authentication could not be used to change the user password.
---
 flask_security/views.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flask_security/views.py b/flask_security/views.py
index 25807fbf..cdd66deb 100644
--- a/flask_security/views.py
+++ b/flask_security/views.py
@@ -18,16 +18,16 @@
 from .changeable import change_user_password
 from .confirmable import confirm_email_token_status, confirm_user, \
     send_confirmation_instructions
-from .decorators import anonymous_user_required, login_required
+from .decorators import anonymous_user_required, auth_required
 from .passwordless import login_token_status, send_login_instructions
 from .recoverable import reset_password_token_status, \
     send_reset_password_instructions, update_password
 from .registerable import register_user
-from .utils import url_for_security as url_for
 from .utils import config_value, do_flash, get_message, \
     get_post_login_redirect, get_post_logout_redirect, \
     get_post_register_redirect, get_url, login_user, logout_user, \
     slash_url_suffix
+from .utils import url_for_security as url_for
 
 # Convenient references
 _security = LocalProxy(lambda: current_app.extensions['security'])
@@ -303,7 +303,7 @@ def reset_password(token):
     )
 
 
-@login_required
+@auth_required('token', 'session')
 def change_password():
     """View function which handles a change password request."""
 

From 4d40cff6f62b5c4b31218ceff6d1f514c130dbf7 Mon Sep 17 00:00:00 2001
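Review bot: Dropping `login_required` from the `.decorators` import is only safe if no other view in views.py still applies it; the diffstat (3 insertions, 3 deletions) implies the `change_password` decorator was the sole use, but that cannot be confirmed from this hunk. Moving `from .utils import url_for_security as url_for` below the other `.utils` import is an unrelated reordering bundled into an authentication change; keeping cosmetic import shuffles in a separate commit makes a security-relevant diff easier to audit.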
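Review bot: `@auth_required('token', 'session')` lets a bearer token change the account password with no interactive re-authentication, so the current-password check in the change-password form (not visible here) becomes the only thing between a leaked token and an account takeover; confirm the form still enforces it for JSON submissions. Also check how CSRF is handled on the token-authenticated JSON path: if the form's CSRF check applies to those requests, token clients will fail validation, and disabling CSRF globally to make them work would strip that protection from the session-authenticated browser path on a password-change endpoint. A one-line comment above the decorator would record the intent, e.g. `# Token clients may change the password so API users can rotate credentials; the form's current-password field is the real guard.` The body of `change_password` continues outside the hunk.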
From: Tomaz
Date: Thu, 4 Feb 2016 17:38:49 -0500
Subject: [PATCH 2/3] Include auth token in change_password response

This enables updating saved token upon changing password without having to (log out and) log in again in order to get new auth token.
---
 flask_security/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flask_security/views.py b/flask_security/views.py
index cdd66deb..345ccb85 100644
--- a/flask_security/views.py
+++ b/flask_security/views.py
@@ -325,7 +325,7 @@ def change_password():
 
     if request.is_json:
         form.user = current_user
-        return _render_json(form)
+        return _render_json(form, include_auth_token=True)
 
     return _security.render_template(
         config_value('CHANGE_PASSWORD_TEMPLATE'),

From 03aa526c0cb48ea5b272c86d0290ac75d595a3df Mon Sep 17 00:00:00 2001
From: David Aguilar
Date: Sun, 27 Dec 2015 20:43:09 -0800
Subject: [PATCH 3/3] views: allow token authentication for change_password

Allow token authentication for the change_password endpoint. This makes it possible change passwords from a json request.

Related-to: #421
Signed-off-by: David Aguilar
---
 flask_security/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flask_security/views.py b/flask_security/views.py
index 345ccb85..93441603 100644
--- a/flask_security/views.py
+++ b/flask_security/views.py
@@ -303,7 +303,7 @@ def reset_password(token):
     )
 
 
-@auth_required('token', 'session')
+@auth_required('session', 'token', 'basic')
 def change_password():
     """View function which handles a change password request."""
 
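Review bot: `_render_json(form, include_auth_token=True)` sits on the JSON branch that is reached whether or not the password change succeeded, so if `_render_json` honours the flag regardless of form validity (its behaviour is outside the hunk), a failed attempt — wrong current password, mismatched confirmation — still hands the caller the user's auth token. The token is only worth returning when it was actually rotated by a successful change; set a flag in the success path and pass it through, e.g. `changed = True` beside the `change_user_password(...)` call and `return _render_json(form, include_auth_token=changed)` here, with `changed = False` initialised before validation. The commit message's "updating saved token" presumes the old token stops working after the change; if tokens are derived from the password hash that holds, but it is worth stating in a comment at this return rather than leaving it implicit.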
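Review bot: The subject line says "allow token authentication", but token auth was already enabled by the first patch; the new capability this hunk actually adds is HTTP Basic (`'basic'` in `@auth_required('session', 'token', 'basic')`), and the message should say so since Basic has different security properties. With Basic enabled, the account's current password travels in an `Authorization` header on every request to a password-change endpoint, so this is only acceptable where TLS is enforced and the header is never logged; please confirm the deployment assumption and note it above the decorator, e.g. `# 'basic' is accepted so scripted clients can rotate a password; requires TLS, credentials are sent on every request.` The body of `change_password` continues outside the hunk.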