3

Using flask-security, I want my flow to be similar to the following:

  1. admin creates user
  2. admin sends user notification email they've been created
  3. user uses link in notification email to set password

I tried using the forgot_password view from the admin account for step 2, but https://github.com/jwag956/flask-security/blob/743be9c979b558b4ecfb177dc8117c0bf55e38ed/flask_security/views.py#L464 requires anonymous user and therefore redirects.

I see https://stackoverflow.com/a/31228170/799921 but it's a bit vague. Is this the best solution?

Lou K
  • I see in the SO reference you have a solution. I don't understand why forgot_password would be an issue - the user in fact isn't logged in so that should work? Can you provide some details? – jwag Jan 05 '20 at 02:18
  • Sorry I wasn't clear. The issue with forgot_password is that I was trying to use the forgot_password form from the logged in admin account. I saw a redirect to the SECURITY_POST_LOGIN_VIEW view. Debugging this I determined/inferred that anonymous_user_required wrapped around views.reset_password was causing the redirect. – Lou K Jan 05 '20 at 10:29
  • Calling send_reset_password_instructions from my admin create user view also makes the administrative task of creating a user a single step rather than two steps as I mentioned in the OP. – Lou K Jan 05 '20 at 10:38

1 Answer

2

I was looking through flask-security-too, and think I found an answer. I'm not sure if the function I used is intended to be part of an open api, but it works for my needs.

I created an admin create user view which adds the user email (and name, etc) to the database. As part of creating the user, the view calls the function normally called when the user clicks on "forgot password", i.e., send_reset_password_instructions. So now as part of the admin's create user process, the user is sent an email with a link at which the user can set their own password.

from flask_security.recoverable import send_reset_password_instructions

# my code maintains self.created_id after creating the user record
# this is due to some complex class involved which handles my crudapi stuff
# your code may vary
user = User.query.filter_by(id=self.created_id).one()
send_reset_password_instructions(user)
Lou K
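An added example, not part of the original answer and not Flask-Security's own code: the admin create-user step written as one helper that stores a throwaway password hash, commits, and then sends the reset mail. The names `invite_user` and `DuplicateUser` and the injectable `hash_pw` / `send_reset` parameters are assumptions of this sketch; by default it uses Flask-Security's `hash_password` and the `send_reset_password_instructions` function from the answer.

```python
import secrets


class DuplicateUser(Exception):
    """Raised when the e-mail address already has an account (hypothetical)."""


def invite_user(datastore, email, *, hash_pw=None, send_reset=None, **fields):
    """Create a user nobody knows the password of and mail a set-password link.

    datastore is a Flask-Security user datastore. hash_pw and send_reset are
    parameters only so the flow can be exercised without a mail server
    (an assumption of this example); left as None they resolve to
    Flask-Security's own functions and need an app/request context.
    """
    if hash_pw is None:
        from flask_security.utils import hash_password as hash_pw
    if send_reset is None:
        from flask_security.recoverable import (
            send_reset_password_instructions as send_reset,
        )

    if datastore.find_user(email=email) is not None:
        raise DuplicateUser(email)

    # create_user() stores the password value exactly as given, so hash first.
    # The plaintext is random and discarded here: the admin never learns it,
    # and the account has no usable credential until the user follows the link.
    throwaway = secrets.token_urlsafe(32)
    user = datastore.create_user(email=email, password=hash_pw(throwaway), **fields)

    # Commit before mailing so the link refers to a persisted account.
    datastore.commit()
    send_reset(user)
    return user
```

The emailed link is valid for the period set by `SECURITY_RESET_PASSWORD_WITHIN`, so the invitation lapses if the user does not act within that window.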