|
|
|
|
.. _tutorial-views:
|
|
|
|
|
|
|
|
|
|
Step 5: The View Functions
|
|
|
|
|
==========================
|
|
|
|
|
|
|
|
|
|
Now that the database connections are working, we can start writing the
|
|
|
|
|
view functions. We will need four of them:
|
|
|
|
|
|
|
|
|
|
Show Entries
|
|
|
|
|
------------
|
|
|
|
|
|
|
|
|
|
This view shows all the entries stored in the database. It listens on the
|
|
|
|
|
root of the application and will select title and text from the database.
|
|
|
|
|
The one with the highest id (the newest entry) will be on top. The rows
|
|
|
|
|
returned from the cursor look a bit like dictionaries because we are using
|
|
|
|
|
the :class:`sqlite3.Row` row factory.
|
|
|
|
|
|
|
|
|
|
The view function will pass the entries to the :file:`show_entries.html`
|
|
|
|
|
template and return the rendered one::
|
|
|
|
|
|
|
|
|
|
@app.route('/')
|
|
|
|
|
def show_entries():
|
|
|
|
|
db = get_db()
|
|
|
|
|
cur = db.execute('select title, text from entries order by id desc')
|
|
|
|
|
entries = cur.fetchall()
|
|
|
|
|
return render_template('show_entries.html', entries=entries)
|
|
|
|
|
|
|
|
|
|
Add New Entry
|
|
|
|
|
-------------
|
|
|
|
|
|
|
|
|
|
This view lets the user add new entries if they are logged in. This only
|
|
|
|
|
responds to ``POST`` requests; the actual form is shown on the
|
|
|
|
|
`show_entries` page. If everything worked out well, we will
|
|
|
|
|
:func:`~flask.flash` an information message to the next request and
|
|
|
|
|
redirect back to the `show_entries` page::
|
|
|
|
|
|
|
|
|
|
@app.route('/add', methods=['POST'])
|
|
|
|
|
def add_entry():
|
|
|
|
|
if not session.get('logged_in'):
|
|
|
|
|
abort(401)
|
|
|
|
|
db = get_db()
|
|
|
|
|
db.execute('insert into entries (title, text) values (?, ?)',
|
|
|
|
|
[request.form['title'], request.form['text']])
|
|
|
|
|
db.commit()
|
|
|
|
|
flash('New entry was successfully posted')
|
|
|
|
|
return redirect(url_for('show_entries'))
|
|
|
|
|
|
|
|
|
|
Note that we check that the user is logged in here (the `logged_in` key is
|
|
|
|
|
present in the session and ``True``).
|
|
|
|
|
|
|
|
|
|
.. admonition:: Security Note
|
|
|
|
|
|
|
|
|
|
Be sure to use question marks when building SQL statements, as done in the
|
|
|
|
|
example above. Otherwise, your app will be vulnerable to SQL injection when
|
|
|
|
|
you use string formatting to build SQL statements.
|
|
|
|
|
See :ref:`sqlite3` for more.
|
|
|
|
|
|
|
|
|
|
Login and Logout
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
These functions are used to sign the user in and out. Login checks the
|
|
|
|
|
username and password against the ones from the configuration and sets the
|
|
|
|
|
`logged_in` key for the session. If the user logged in successfully, that
|
|
|
|
|
key is set to ``True``, and the user is redirected back to the `show_entries`
|
|
|
|
|
page. In addition, a message is flashed that informs the user that he or
|
|
|
|
|
she was logged in successfully. If an error occurred, the template is
|
|
|
|
|
notified about that, and the user is asked again::
|
|
|
|
|
|
|
|
|
|
@app.route('/login', methods=['GET', 'POST'])
|
|
|
|
|
def login():
|
|
|
|
|
error = None
|
|
|
|
|
if request.method == 'POST':
|
|
|
|
|
if request.form['username'] != app.config['USERNAME']:
|
|
|
|
|
error = 'Invalid username'
|
|
|
|
|
elif request.form['password'] != app.config['PASSWORD']:
|
|
|
|
|
error = 'Invalid password'
|
|
|
|
|
else:
|
|
|
|
|
session['logged_in'] = True
|
|
|
|
|
flash('You were logged in')
|
|
|
|
|
return redirect(url_for('show_entries'))
|
|
|
|
|
return render_template('login.html', error=error)
|
|
|
|
|
|
|
|
|
|
The `logout` function, on the other hand, removes that key from the session
|
|
|
|
|
again. We use a neat trick here: if you use the :meth:`~dict.pop` method
|
|
|
|
|
of the dict and pass a second parameter to it (the default), the method
|
|
|
|
|
will delete the key from the dictionary if present or do nothing when that
|
|
|
|
|
key is not in there. This is helpful because now we don't have to check
|
|
|
|
|
if the user was logged in.
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
@app.route('/logout')
|
|
|
|
|
def logout():
|
|
|
|
|
session.pop('logged_in', None)
|
|
|
|
|
flash('You were logged out')
|
|
|
|
|
return redirect(url_for('show_entries'))
|
|
|
|
|
|
|
|
|
|
Note that it is not a good idea to store passwords in plain text. You want to
|
|
|
|
|
protect login credentials if someone happens to have access to your database.
|
|
|
|
|
One way to do this is to use Security Helpers from Werkzeug to hash the
|
|
|
|
|
password. However, the emphasis of this tutorial is to demonstrate the basics
|
|
|
|
|
of Flask and plain text passwords are used for simplicity.
|
|
|
|
|
|
|
|
|
|
Continue with :ref:`tutorial-templates`.
|
