Merge v0.6 branch onto master.

docs/source/api.rst

@@ -114,6 +114,7 @@ UserManager()
             login_manager                   = LoginManager(),
             password_crypt_context          = None,
             send_email_function             = emails.send_email,
+            make_safe_url_function          = views.make_safe_url,
             token_manager                   = tokens.TokenManager(),
             )
 

docs/source/authorization.rst

@@ -41,7 +41,7 @@ In the example below the current user is required to have the 'admin' role::
 Note: Comparison of role names is case sensitive, so 'Member' will NOT match 'member'.
 
 Multiple string arguments -- the AND operation
-~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The @roles_required decorator accepts multiple strings if the current_user is required to have
 **ALL** of these roles.
@@ -54,7 +54,7 @@ In the example below the current user is required to have the **ALL** of these r
 Multiple string arguments represent the 'AND' operation.
 
 Array arguments -- the OR operation
-~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The @roles_required decorator accepts an array (or a tuple) of roles.
 
@@ -65,7 +65,7 @@ In the example below the current user is required to have **One or more** of the
     # Array arguments require at least ONE of these roles.
 
 AND/OR operations
-~~~~~~~~
+~~~~~~~~~~~~~~~~~
 The potentially confusing syntax described above allows us to construct
 complex AND/OR operations.
 
@@ -83,7 +83,7 @@ Note: The nesting level only goes as deep as this example shows.
 
 
 Required Tables
---------------
+---------------
 
 For @login_required only the User model is required
 

docs/source/basic_app.rst

@@ -61,7 +61,7 @@ Highlighted lines shows the lines added to a basic Flask application.
 .. literalinclude:: includes/basic_app.py
    :language: python
    :linenos:
-   :emphasize-lines: 5, 39-55, 60-62, 79
+   :emphasize-lines: 5, 39-55, 59-61, 78
 
 
 Run the Basic App

docs/source/data_models.rst

@@ -27,7 +27,6 @@ If you'd like to store all user information in one DataModel, use the following:
         # User Authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, default='')
 
         # User Email information
         email = db.Column(db.String(255), nullable=False, unique=True)
@@ -76,7 +75,6 @@ If you'd like to store User Authentication information separate from User inform
         # User authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, default='')
 
         # Relationships
         user = db.relationship('User', uselist=False, foreign_keys=user_id)

docs/source/flask_user_starter_app.rst

@@ -14,7 +14,7 @@ Files of interest:
 
 * app/startup/init_app.py
 * app/models/user.py
-* app/templates/flask_user/*.html
+* app/templates/flask_user/\*.html
 * app/templates/users/user_profile_page.html
 
 Up Next

docs/source/index.rst

@@ -1,5 +1,5 @@
 Flask-User |release|
-==========
+====================
 
 .. image:: https://img.shields.io/pypi/v/Flask-User.svg
     :target: https://pypi.python.org/pypi/Flask-User
@@ -112,6 +112,7 @@ Documentation
 
 Revision History
 ----------------
+* v0.6.11 Added make_safe_url() to prevent cross-domain redirections.
 * v0.6.10 Added Spanish translation.
 * v0.6.9 Added support for Flask-Login v0.4+.
     Replaced pycrypto with pycryptodome.

docs/source/internationalization.rst

@@ -22,7 +22,7 @@ Flask-User ships with the following languages:
 
 
 REQUIRED: Installing Flask-Babel
---------
+--------------------------------
 Flask-User relies on the Flask-Babel package to translate the account management forms.
 Without Flask-Babel installed, these forms WILL NOT BE translated.
 
@@ -34,7 +34,7 @@ Install Flask-Babel with
 
 
 REQUIRED: Initializing Flask-Babel
---------
+----------------------------------
 
 Flask-Babel must be initialized just after the Flask application has been initialized
 and after the application configuration has been read:
@@ -211,7 +211,7 @@ Point your browser to your app and your translated messages should appear.
 
 
 Troubleshooting
---------
+---------------
 If the code looks right, but the account management forms are not being translated:
 
 * Check to see if the 'Flask-Babel' package has been installed (try using ``pip freeze``).

docs/source/limitations.rst

@@ -51,9 +51,9 @@ Required Data model field names:
 ::
 
     # User authentication information
+    User.id
     User.username              or  UserAuth.username
     User.password              or  UserAuth.password
-    User.reset_password_token  or  UserAuth.reset_password_token
                                    UserAuth.user_id
 
     # User email information

docs/source/roles_required_app.rst

@@ -64,7 +64,7 @@ Highlighted lines shows the lines added to the Basic App.
 .. literalinclude:: includes/roles_required_app.py
    :language: python
    :linenos:
-   :emphasize-lines: 6, 64-66, 71-80, 89-96, 108, 123, 127-140
+   :emphasize-lines: 6, 63-76, 85-92, 125
 
 Run the Roles Required App
 --------------------------

example_apps/basic_app.py

@@ -43,7 +43,6 @@ class User(db.Model, UserMixin):
         # User authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, server_default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, server_default='')
 
         # User email information
         email = db.Column(db.String(255), nullable=False, unique=True)

example_apps/invite_app.py

@@ -60,7 +60,6 @@ class User(db.Model, UserMixin):
         # User authentication information
         username = db.Column(db.String(50), nullable=True, unique=True)
         password = db.Column(db.String(255), nullable=False, server_default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, server_default='')
 
         # User email information
         email = db.Column(db.String(255), nullable=False, unique=True)

example_apps/multi_email_app.py

@@ -44,7 +44,6 @@ class User(db.Model, UserMixin):
         # User authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, server_default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, server_default='')
 
         # User information
         active = db.Column('is_active', db.Boolean(), nullable=False, server_default='0')

example_apps/roles_required_app.py

@@ -50,7 +50,6 @@ class User(db.Model, UserMixin):
         # User authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, server_default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, server_default='')
 
         # User email information
         email = db.Column(db.String(255), nullable=False, unique=True)

example_apps/test_app.py

@@ -61,7 +61,6 @@ class User(db.Model, UserMixin):
         # User authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, server_default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, server_default='')
 
         # User email information
         email = db.Column(db.String(255), nullable=False, unique=True)

example_apps/user_auth_app.py

@@ -69,7 +69,6 @@ class UserAuth(db.Model):
         # User authentication information
         username = db.Column(db.String(50), nullable=False, unique=True)
         password = db.Column(db.String(255), nullable=False, server_default='')
-        reset_password_token = db.Column(db.String(100), nullable=False, server_default='')
 
         # Relationships
         user = db.relationship('User', uselist=False)

fabfile.py

@@ -43,5 +43,6 @@ def rebuild_docs():
 
 @task
 def upload_to_pypi():
+    local('rm dist/*.tar.gz')
     local('python setup.py sdist')
     local('twine upload dist/*')

flask_user/__init__.py

@@ -28,7 +28,7 @@
 from .signals import *
 
 
-__version__ = '0.6.10'
+__version__ = '0.6.11'
 
 
 def _call_or_get(function_or_property):
@@ -89,6 +89,7 @@ def init_app(self, app, db_adapter=None,
                 login_manager=LoginManager(),
                 password_crypt_context=None,
                 send_email_function = emails.send_email,
+                make_safe_url_function = views.make_safe_url,
                 token_manager=tokens.TokenManager(),
                 legacy_check_password_hash=None
                 ):
@@ -132,6 +133,7 @@ def init_app(self, app, db_adapter=None,
         self.token_manager = token_manager
         self.password_crypt_context = password_crypt_context
         self.send_email_function = send_email_function
+        self.make_safe_url_function = make_safe_url_function
         self.legacy_check_password_hash = legacy_check_password_hash
 
         """ Initialize app.user_manager."""

flask_user/forms.py

@@ -334,7 +334,7 @@ def validate(self):
 
 class InviteForm(FlaskForm):
     email = StringField(_('Email'), validators=[
-        validators.Required(_('Email is required')),
+        validators.DataRequired(_('Email is required')),
         validators.Email(_('Invalid Email'))])
     next = HiddenField()
     submit = SubmitField(_('Invite!'))

flask_user/tests/test_invalid_forms.py

@@ -375,8 +375,7 @@ def test_invalid_reset_password(client):
     # Set default values
     new_password = 'Password5'
     # Simulate a valid forgot password form
-    user1.reset_password_token = um.generate_token(user1.id)
-    token = user1.reset_password_token
+    token = um.generate_token(user1.id)
 
     # Test invalid token
     url = url_for('user.reset_password', token='InvalidToken')