0

Recently, flask-security had been breaking due to an upgrade to Flask-Login 0.3. the problem lies from a method definition to a property definition of is_active() and is_authenticated() to is_active and is_authenticated respectively. This change is breaking my Flask app for registering, logging in.

On this project url Correct Flask-Security code I need this version because if you look at the decorators.py file the is_authenticated() method that previously broke is correctly changed to is_authenticated.

However, whenever I invodepip install flask-security I get a version that has the incorrect code. The version in my site-packages directory specifies 1.7.4 which should be the correct version. So why does this break.

I resolved this with easy_install flask-security but I'm confused as why pip install didn't work. Does anyone else have this problem?

Dan Rubio
  • 4,709
  • 10
  • 49
  • 106

1 Answers1

0

I'd just recommend using the older version of Flask-Login until Flask-Security updates their version on PyPi. In your requirements.txt file just specify the old version. For example your requirements.txt might look like:

flask
flask-login==0.2.11
flask-security
flask-wtf

Then you can install it with pip install -r requirements.txt and you should be good to go.

To explain a little further, even in 1.7.4 the decorator code here is treating user.is_authenticated() as a callable, not a boolean as it now is (in Flask-Login 0.3) and because Flask-Security is telling pip "Grab me the latest version of Flask-Login please!" pip's grabbing 0.3 and the problem appears.

If you instead look at the code in the development branch here you can see it's been corrected to now treat it as a boolean, but that development version isn't stable/pushed to PyPi yet.

To reduce the problem in the future, you can see that in the development branch's requirements.txt they've now got Flask-Login specified as Flask-Login>=0.3.0,<0.4 which makes the assumption that Flask-Login's developers aren't going to make any breaking changes during their minor revisions on the way to 0.4.

Doobeh
  • 9,280
  • 39
  • 32
  • You're right. I forgot that PyPi is the official package repository for pip. Thanks for clarifying. – Dan Rubio Nov 25 '15 at 22:01
  • And considering the Flask-Login folks aren't already using semantic versioning, it's hard to say that they won't make an API change again. I would suggest that Dan pin all of his dependencies (including transitive ones). Also, https://github.com/pypa/pip/issues/988. – sholsapp Nov 25 '15 at 22:06