You can use the Flask-Login extension for access control. It provides user session management for Flask: logging in, logging out, and remembering a session across requests.
The extension stores the user ID in the session, restricts views to logged-in users, protects the session cookie and has many other features.
This article builds on the Flask-MongoEngine User model of the previous article. As before, we first bind the extension to the app:
```python
# flask.ext.* imports were removed in Flask 1.0; import the package directly.
from flask_login import LoginManager

login_manager = LoginManager()
login_manager.init_app(app)
```
This binds Flask-Login to the app, but on its own it has no visible effect.
First: what is the login URL?
Flask-Login has no default login URL, so we need to specify one:
```python
import json
from flask import request, jsonify
from flask_login import login_user

login_manager.login_view = 'login'


@app.route('/login', methods=['POST'])
def login():
    info = json.loads(request.data)
    username = info.get('username', 'guest')
    password = info.get('password', '')
    # User is the Flask-MongoEngine document from the previous article.
    # This looks the password up as stored; a real application should store a
    # salted hash and verify the submitted password against it instead.
    user = User.objects(name=username, password=password).first()
    if user:
        login_user(user)
        return jsonify(user.to_json())
    else:
        return jsonify({"status": 401, "reason": "Username or Password Error"})
```
There are actually two things here:
- the login logic lives in a view function named `login`, matching the value written to `login_view`;
- `login_view` is defined to tell Flask-Login which view handles the login URL.
```python
login_manager.login_view = 'login'
```
Here we set `login_view` to 'login'.
How does Flask-Login find our login logic from that name? `login_view` is an endpoint name, the same kind of name `url_for()` accepts, and a view's endpoint defaults to the name of its function. So it resolves to the function we defined:
```python
@app.route('/login', methods=['POST'])
def login():  # the endpoint name 'login' comes from this function name
```
That function is where we put the code that handles the login logic.
So what is the code that actually logs the user in? It is this:
```python
login_user(user)
```
This call marks the current user as logged in (it records the user's ID in the session). We won't go deeper here; it is enough to know that once the function has been called, the user is in the logged-in state.
The User model must also provide four members that Flask-Login relies on (inheriting from `flask_login.UserMixin` supplies default implementations):
- `is_authenticated`: whether the current user is authenticated. A real user object can act once logged in, so the default is True.
- `is_anonymous`: whether the current user is anonymous. Obviously, a logged-in user is never anonymous.
- `is_active`: whether the current user's account has been activated; only activated users can log in.
- `get_id`: returns the user's ID as a string. An ID alone does not tell Flask-Login who the current user is, so we also need to tell it how to fetch a user from that ID.
We do this by registering a `user_loader` callback; with it, Flask-Login can look up who the current logged-in user is on each request. This is also where we judge whether the user is allowed to log in or not.
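To make the four members concrete, here is a constructed User class (an added example, not the article's MongoEngine model) that spells out what Flask-Login expects, stores a salted hash instead of the plaintext password the login view above compares, and shows the ID round trip between `get_id()` and the function you would register with `@login_manager.user_loader`. The `AnonymousUser` class, the in-memory `USERS` store and `authenticate()` are assumptions made for this demo.

```python
import hashlib
import hmac
import os


class User:
    """What Flask-Login needs from a user object, written out explicitly
    (flask_login.UserMixin supplies the first three with these same values).
    Constructed stand-in, not the MongoEngine document of the previous article."""

    def __init__(self, user_id, name, password, active=True):
        self.id = user_id
        self.name = name
        self.active = active
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)

    @staticmethod
    def _hash(password, salt):
        # Store a salted PBKDF2 hash, never the plaintext password.
        # Iteration count kept modest so the demo runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, candidate):
        # Constant-time comparison so timing does not leak hash prefixes.
        return hmac.compare_digest(self.password_hash, self._hash(candidate, self.salt))

    @property
    def is_authenticated(self):
        # A real (non-anonymous) user object is authenticated; login_user()
        # only stores its id in the session, it does not flip this flag.
        return True

    @property
    def is_active(self):
        # login_user() refuses inactive accounts unless force=True is passed.
        return self.active

    @property
    def is_anonymous(self):
        return False

    def get_id(self):
        # Must be a str: Flask-Login stores it in the session cookie and hands
        # it back to the user_loader on the next request.
        return str(self.id)


class AnonymousUser:
    """Mirror of flask_login.AnonymousUserMixin: what current_user is before login."""
    is_authenticated = False
    is_active = False
    is_anonymous = True

    def get_id(self):
        return None


# Constructed in-memory "database", keyed by the value get_id() returns.
USERS = {
    "1": User(1, "alice", "correct horse"),
    "2": User(2, "bob", "hunter2", active=False),
}


def load_user(user_id):
    """The callback you register with @login_manager.user_loader: id -> user or None."""
    return USERS.get(user_id)


def authenticate(username, password):
    """Login check: returns the user only if the name exists, the password
    verifies and the account is active (the same is_active test login_user applies)."""
    user = next((u for u in USERS.values() if u.name == username), None)
    if user is None or not user.check_password(password):
        return None
    if not user.is_active:
        return None
    return user
```

The loader is deliberately keyed by the string `get_id()` returns: that is exactly what Flask-Login reads back out of the session, so a mismatch between the two (an integer key on one side, a string on the other) is a common reason a user appears logged out on the very next request.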
Now we need to control access to the login-protected endpoints. We set the REST API's create, delete and update routes to require login; only the query API stays openly visible.
Controlling access to a URL is simple: add the `@login_required` decorator to the view.
For logging out, the `logout()` view calls the `logout_user()` method.
Before returning user data, you should first check whether the user is logged in at all:
```python
from flask import jsonify
from flask_login import current_user


@app.route('/user_info', methods=['POST'])
def user_info():
    if current_user.is_authenticated:
        resp = {"result": 200, "data": current_user.to_json()}
    else:
        resp = {"result": 401, "data": {"message": "user no login"}}
    return jsonify(**resp)
```
If the user is logged in, `current_user` is a User object, so its `to_json` method returns the information of the currently logged-in user. That gives us an API for fetching the current user's information.