How to prevent users from accessing a session without logging in, in an application developed with Flask and Pyrebase4



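I'm a complete beginner learning Flask, and I'm trying to implement a login and logout system with Pyrebase4. I have the following question: how can I prevent users from accessing URLs without authentication? The program below lets users log in and log out, but it doesn't stop users from reaching information that requires login by visiting the URL. Please help. What I want is that if a user is not authenticated, they cannot access the "tasks" session.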

app.py

from flask import Flask, session, render_template, request, redirect, url_for
import pyrebase

app = Flask(__name__)

config = {
    'apiKey': "here",
    'authDomain': "here",
    'projectId': "here",
    'storageBucket': "here",
    'messagingSenderId': "here",
    'appId': "here",
    'measurementId': "here",
    'databaseURL': ""
}

firebase = pyrebase.initialize_app(config)
auth = firebase.auth()
app.secret_key = 'hufrhhfhrjfbrekjfberufureye4674656486435hjjjfhhkjsh'
texto = ""


@app.route('/', methods=['POST', 'GET'])
def index():
    #if ('user' in session):
    #    return 'Hi, {}'.format(session['user'])
    if request.method == 'POST':
        email = request.form.get('email')
        password = request.form.get('password')
        try:
            user = auth.sign_in_with_email_and_password(email, password)
            session['user'] = email
        except Exception:
            # Pyrebase raises when the credentials are rejected
            return 'Password or login incorrect'

        return redirect(url_for("tasks"))

    return render_template('home.html')


@app.route('/tasks', methods=['POST', 'GET'])
def tasks():
    if request.method == 'POST':
        global texto
        texto = request.form['texto']

        texto = len(texto)

    return render_template('tasks.html', texto=texto)


@app.route('/logout')
def logout():
    # Default of None avoids a KeyError when no user is logged in
    session.pop('user', None)
    return redirect('/')


if __name__ == '__main__':
    app.run(debug=True)

The "templates" folder

home.html

<!DOCTYPE html>
<html lang="en">
<head>
    <title></title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>

    <form action='/' method='POST'>
        Email: <input type="text" name="email"><br>
        Password: <input type="password" name="password">
        <input type='submit'>
    </form>
</body>
</html>

tasks.html

<h1>
    Welcome to tasks!!!!
</h1>

<form action="{{ url_for('tasks') }}" method='POST' enctype="multipart/form-data">
    Text: <input type="text" name='texto'><br>
    <input type='submit'>

</form>

{{ texto }}

<a href="{{ url_for('logout') }}">LogOut</a>

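In addition to the flask_login library that @Adam mentioned above, you can also use wraps from functools to create custom decorators for your routes. Custom means you can create whatever logical condition you want; say you have a user role called "Super Admin", you could create a decorator like this ->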

from functools import wraps
from flask import flash, redirect, url_for
from flask_login import current_user


def super_admin_required(f):
    @wraps(f)
    def wrap(*args, **kwargs):
        if current_user.role == "Super Admin":
            return f(*args, **kwargs)
        else:
            flash("You need to be an Admin to view this page.")
            return redirect(url_for('account'))
    return wrap

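Then import it into your routes file and use it as a decorator for the given class; you can also use any number of decorators for a given route. For example ->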

from flask_login import login_required
from projectroot.decorators import super_admin_required


@app.route("/super_admin_panel", methods=['GET', 'POST'])
@login_required
@super_admin_required
def super_admin_panel():
    # interesting things here
    pass

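Be sure to read the documentation on how to use the flask_login module properly. Essentially, it will require you to set up your User table with specific column names and to include UserMixin as an argument in the class declaration; for example ->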

from flask_login import UserMixin


class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(120), unique=True, nullable=False)
    email = db.Column(db.String(120), unique=True, nullable=False)
    password = db.Column(db.String(120), nullable=False)
    # etc...
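
Applied to the app in the question, the same decorator idea can check the Flask session directly, without flask_login. This is an added example, not code from the question or the answer; `verify_credentials` is a hypothetical stand-in for the Pyrebase sign-in call so the example runs offline, and the views return plain strings instead of templates.

```python
from functools import wraps
from flask import Flask, redirect, request, session, url_for

app = Flask(__name__)
app.secret_key = "constructed-placeholder"  # assumption: real apps load a random secret from config

def verify_credentials(email, password):
    # Hypothetical offline stand-in for auth.sign_in_with_email_and_password();
    # the account below is constructed for this example.
    return email == "alice@example.test" and password == "correct-horse"

def login_required(view):
    @wraps(view)  # keeps the view's name so Flask endpoint names stay unique
    def wrapped(*args, **kwargs):
        if "user" not in session:  # set only after a successful login
            return redirect(url_for("index"))
        return view(*args, **kwargs)
    return wrapped

@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "POST":
        email = request.form.get("email", "")
        if not verify_credentials(email, request.form.get("password", "")):
            return "Password or login incorrect", 401
        session.clear()  # start from an empty session on login
        session["user"] = email
        return redirect(url_for("tasks"))
    return "login form"

@app.route("/tasks", methods=["GET", "POST"])
@login_required  # must sit below @app.route so the wrapped function is what gets registered
def tasks():
    texto = request.form.get("texto", "")  # per-request value, not a shared global
    return f"tasks for {session['user']}: {len(texto)}"

@app.route("/logout")
def logout():
    session.pop("user", None)  # no KeyError if already logged out
    return redirect(url_for("index"))

def status_flow():
    """Anonymous GET, login, GET, logout, POST: return the five status codes."""
    client = app.test_client()  # keeps cookies between requests
    creds = {"email": "alice@example.test", "password": "correct-horse"}
    responses = [client.get("/tasks"), client.post("/", data=creds), client.get("/tasks"),
                 client.get("/logout"), client.post("/tasks", data={"texto": "abc"})]
    return [r.status_code for r in responses]
```

`status_flow()` shows `/tasks` redirecting to the login page before login and again after logout, for both GET and POST.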
