+ +

+

API¶

+

This part of the documentation covers all the interfaces of Flask. For +parts where Flask depends on external libraries, we document the most +important right here and provide links to the canonical documentation.

+

Application Object¶

+

+class flask.Flask(import_name, static_path=None, static_url_path=None, static_folder='static', template_folder='templates', instance_path=None, instance_relative_config=False)¶

The flask object implements a WSGI application and acts as the central +object. It is passed the name of the module or package of the +application. Once it is created it will act as a central registry for +the view functions, the URL rules, template configuration and much more.

+

The name of the package is used to resolve resources from inside the +package or the folder the module is contained in depending on if the +package parameter resolves to an actual python package (a folder with +an __init__.py file inside) or a standard module (just a .py file).

+

For more information about resource loading, see open_resource().

+

Usually you create a Flask instance in your main module or +in the __init__.py file of your package like this:

+

from flask import Flask
+app = Flask(__name__)
+

+

+

About the First Parameter

+

The idea of the first parameter is to give Flask an idea what +belongs to your application. This name is used to find resources +on the file system, can be used by extensions to improve debugging +information and a lot more.

+

So it’s important what you provide there. If you are using a single +module, __name__ is always the correct value. If you however are +using a package, it’s usually recommended to hardcode the name of +your package there.

+

For example if your application is defined in yourapplication/app.py +you should create it with one of the two versions below:

+

app = Flask('yourapplication')
+app = Flask(__name__.split('.')[0])
+

+

+

Why is that? The application will work even with __name__, thanks +to how resources are looked up. However it will make debugging more +painful. Certain extensions can make assumptions based on the +import name of your application. For example the Flask-SQLAlchemy +extension will look for the code in your application that triggered +an SQL query in debug mode. If the import name is not properly set +up, that debugging information is lost. (For example it would only +pick up SQL queries in yourapplication.app and not +yourapplication.views.frontend)

+

+New in version 0.7: The static_url_path, static_folder, and template_folder +parameters were added.

+

+New in version 0.8: The instance_path and instance_relative_config parameters were +added.

+ +++ + + + +

Parameters:

import_name – the name of the application package
static_url_path – can be used to specify a different path for the +static files on the web. Defaults to the name +of the static_folder folder.
static_folder – the folder with static files that should be served +at static_url_path. Defaults to the 'static' +folder in the root path of the application.
template_folder – the folder that contains the templates that should +be used by the application. Defaults to +'templates' folder in the root path of the +application.
instance_path – An alternative instance path for the application. +By default the folder 'instance' next to the +package or module is assumed to be the instance +path.
instance_relative_config – if set to True relative filenames +for loading the config are assumed to +be relative to the instance path instead +of the application root.

+

+add_url_rule(*args, **kwargs)¶

Connects a URL rule. Works exactly like the route() +decorator. If a view_func is provided it will be registered with the +endpoint.

+

Basically this example:

+

@app.route('/')
+def index():
+    pass
+

+

+

Is equivalent to the following:

+

def index():
+    pass
+app.add_url_rule('/', 'index', index)
+

+

+

If the view_func is not provided you will need to connect the endpoint +to a view function like so:

+

app.view_functions['index'] = index
+

+

+

Internally route() invokes add_url_rule() so if you want +to customize the behavior via subclassing you only need to change +this method.

+

For more information refer to URL Route Registrations.

+

+Changed in version 0.2: view_func parameter added.

+

+Changed in version 0.6: OPTIONS is added automatically as method.

+ +++ + + + +

Parameters:

rule – the URL rule as string
endpoint – the endpoint for the registered URL rule. Flask +itself assumes the name of the view function as +endpoint
view_func – the function to call when serving a request to the +provided endpoint
options – the options to be forwarded to the underlying +Rule object. A change +to Werkzeug is handling of method options. methods +is a list of methods this rule should be limited +to (GET, POST etc.). By default a rule +just listens for GET (and implicitly HEAD). +Starting with Flask 0.6, OPTIONS is implicitly +added and handled by the standard request handling.

+

+ +

+after_request(*args, **kwargs)¶

Register a function to be run after each request. Your function +must take one parameter, a response_class object and return +a new response object or the same (see process_response()).

+

As of Flask 0.7 this function might not be executed at the end of the +request in case an unhandled exception ocurred.

+

+ +

+after_request_funcs = None¶: A dictionary with lists of functions that should be called after +each request. The key of the dictionary is the name of the blueprint +this function is active for, None for all requests. This can for +example be used to open database connections or getting hold of the +currently logged in user. To register a function here, use the +after_request() decorator.
+

+ +

+auto_find_instance_path()¶

Tries to locate the instance path if it was not provided to the +constructor of the application class. It will basically calculate +the path to a folder named instance next to your main file or +the package.

+

+New in version 0.8.

+

+ +

+before_first_request(*args, **kwargs)¶

Registers a function to be run before the first request to this +instance of the application.

+

+New in version 0.8.

+

+ +

+before_first_request_funcs = None¶

A lists of functions that should be called at the beginning of the +first request to this instance. To register a function here, use +the before_first_request() decorator.

+

+New in version 0.8.

+

+ +

+before_request(*args, **kwargs)¶: Registers a function to run before each request.
+

+ +

+before_request_funcs = None¶: A dictionary with lists of functions that should be called at the +beginning of the request. The key of the dictionary is the name of +the blueprint this function is active for, None for all requests. +This can for example be used to open database connections or +getting hold of the currently logged in user. To register a +function here, use the before_request() decorator.
+

+ +

+blueprints = None¶

all the attached blueprints in a directory by name. Blueprints +can be attached multiple times so this dictionary does not tell +you how often they got attached.

+

+New in version 0.7.

+

+ +

+config = None¶: The configuration dictionary as Config. This behaves +exactly like a regular dictionary but supports additional methods +to load a config from files.
+

+ +

+context_processor(*args, **kwargs)¶: Registers a template context processor function.
+

+ +

+create_global_jinja_loader()¶

Creates the loader for the Jinja2 environment. Can be used to +override just the loader and keeping the rest unchanged. It’s +discouraged to override this function. Instead one should override +the jinja_loader() function instead.

+

The global loader dispatches between the loaders of the application +and the individual blueprints.

+

+New in version 0.7.

+

+ +

+create_jinja_environment()¶

Creates the Jinja2 environment based on jinja_options +and select_jinja_autoescape(). Since 0.7 this also adds +the Jinja2 globals and filters after initialization. Override +this function to customize the behavior.

+

+New in version 0.5.

+

+ +

+create_url_adapter(request)¶

Creates a URL adapter for the given request. The URL adapter +is created at a point where the request context is not yet set up +so the request is passed explicitly.

+

+New in version 0.6.

+

+ +

+debug¶

The debug flag. Set this to True to enable debugging of the +application. In debug mode the debugger will kick in when an unhandled +exception ocurrs and the integrated server will automatically reload +the application if changes in the code are detected.

+

This attribute can also be configured from the config with the DEBUG +configuration key. Defaults to False.

+

+ +

+debug_log_format = '--------------------------------------------------------------------------------\n%(levelname)s in %(module)s [%(pathname)s:%(lineno)d]:\n%(message)s\n--------------------------------------------------------------------------------'¶

The logging format used for the debug logger. This is only used when +the application is in debug mode, otherwise the attached logging +handler does the formatting.

+

+New in version 0.3.

+

+ +

+default_config = ImmutableDict({'USE_X_SENDFILE': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_DOMAIN': None, 'SESSION_COOKIE_NAME': 'session', 'LOGGER_NAME': None, 'DEBUG': False, 'SECRET_KEY': None, 'MAX_CONTENT_LENGTH': None, 'APPLICATION_ROOT': None, 'SERVER_NAME': None, 'TESTING': False, 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'PROPAGATE_EXCEPTIONS': None, 'TRAP_BAD_REQUEST_ERRORS': False, 'TRAP_HTTP_EXCEPTIONS': False, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_HTTPONLY': True})¶: Default configuration parameters.
+

+ +

+dispatch_request()¶

Does the request dispatching. Matches the URL and returns the +return value of the view or error handler. This does not have to +be a response object. In order to convert the return value to a +proper response object, call make_response().

+

+Changed in version 0.7: This no longer does the exception handling, this code was +moved to the new full_dispatch_request().

+

+ +

+do_teardown_request()¶: Called after the actual request dispatching and will +call every as teardown_request() decorated function. This is +not actually called by the Flask object itself but is always +triggered when the request context is popped. That way we have a +tighter control over certain resources under testing environments.
+

+ +

+enable_modules = True¶: Enable the deprecated module support? This is active by default +in 0.7 but will be changed to False in 0.8. With Flask 1.0 modules +will be removed in favor of Blueprints
+

+ +

+endpoint(*args, **kwargs)¶

A decorator to register a function as an endpoint. +Example:

+

@app.endpoint('example.endpoint')
+def example():
+    return "example"
+

+

+ +++ + + + +

Parameters:	endpoint – the name of the endpoint

+

+ +

+error_handler_spec = None¶

A dictionary of all registered error handlers. The key is None +for error handlers active on the application, otherwise the key is +the name of the blueprint. Each key points to another dictionary +where they key is the status code of the http exception. The +special key None points to a list of tuples where the first item +is the class for the instance check and the second the error handler +function.

+

To register a error handler, use the errorhandler() +decorator.

+

+ +

+errorhandler(*args, **kwargs)¶

A decorator that is used to register a function give a given +error code. Example:

+

@app.errorhandler(404)
+def page_not_found(error):
+    return 'This page does not exist', 404
+

+

+

You can also register handlers for arbitrary exceptions:

+

@app.errorhandler(DatabaseError)
+def special_exception_handler(error):
+    return 'Database connection failed', 500
+

+

+

You can also register a function as error handler without using +the errorhandler() decorator. The following example is +equivalent to the one above:

+

def page_not_found(error):
+    return 'This page does not exist', 404
+app.error_handler_spec[None][404] = page_not_found
+

+

+

Setting error handlers via assignments to error_handler_spec +however is discouraged as it requires fidling with nested dictionaries +and the special case for arbitrary exception types.

+

The first None refers to the active blueprint. If the error +handler should be application wide None shall be used.

+

+New in version 0.7: One can now additionally also register custom exception types +that do not necessarily have to be a subclass of the +HTTPException class.

+ +++ + + + +

Parameters:	code – the code as integer for the handler

+

+ +

+extensions = None¶

a place where extensions can store application specific state. For +example this is where an extension could store database engines and +similar things. For backwards compatibility extensions should register +themselves like this:

+

if not hasattr(app, 'extensions'):
+    app.extensions = {}
+app.extensions['extensionname'] = SomeObject()
+

+

+

The key must match the name of the flaskext module. For example in +case of a “Flask-Foo” extension in flaskext.foo, the key would be +'foo'.

+

+New in version 0.7.

+

+ +

+full_dispatch_request()¶

Dispatches the request and on top of that performs request +pre and postprocessing as well as HTTP exception catching and +error handling.

+

+New in version 0.7.

+

+ +

+got_first_request¶

This attribute is set to True if the application started +handling the first request.

+

+New in version 0.8.

+

+ +

+handle_exception(e)¶: Default exception handling that kicks in when an exception +occours that is not caught. In debug mode the exception will +be re-raised immediately, otherwise it is logged and the handler +for a 500 internal server error is used. If no such handler +exists, a default 500 internal server error message is displayed.
+

+ +

+handle_http_exception(e)¶: Handles an HTTP exception. By default this will invoke the +registered error handlers and fall back to returning the +exception as response.
+

+ +

+handle_user_exception(e)¶

This method is called whenever an exception occurs that should be +handled. A special case are +HTTPExceptions which are forwarded by +this function to the handle_http_exception() method. This +function will either return a response value or reraise the +exception with the same traceback.

+

+New in version 0.7.

+

+ +

+has_static_folder¶

This is True if the package bound object’s container has a +folder named 'static'.

+

+New in version 0.5.

+

+ +

+init_jinja_globals()¶

Deprecated. Used to initialize the Jinja2 globals.

+

+New in version 0.5.

+

+Changed in version 0.7: This method is deprecated with 0.7. Override +create_jinja_environment() instead.

+

+ +

+inject_url_defaults(endpoint, values)¶

Injects the URL defaults for the given endpoint directly into +the values dictionary passed. This is used internally and +automatically called on URL building.

+

+New in version 0.7.

+

+ +

+instance_path = None¶

Holds the path to the instance folder.

+

+New in version 0.8.

+

+ +

+jinja_env¶: The Jinja2 environment used to load templates.
+

+ +

+jinja_loader¶

The Jinja loader for this package bound object.

+

+New in version 0.5.

+

+ +

+jinja_options = ImmutableDict({'extensions': ['jinja2.ext.autoescape', 'jinja2.ext.with_']})¶: Options that are passed directly to the Jinja2 environment.
+

+ +

+log_exception(exc_info)¶

Logs an exception. This is called by handle_exception() +if debugging is disabled and right before the handler is called. +The default implementation logs the exception as error on the +logger.

+

+New in version 0.8.

+

+ +

+logger¶

A logging.Logger object for this application. The +default configuration is to log to stderr if the application is +in debug mode. This logger can be used to (surprise) log messages. +Here some examples:

+

app.logger.debug('A value for debugging')
+app.logger.warning('A warning ocurred (%d apples)', 42)
+app.logger.error('An error occoured')
+

+

+

+New in version 0.3.

+

+ +

+logger_name¶

The name of the logger to use. By default the logger name is the +package name passed to the constructor.

+

+New in version 0.4.

+

+ +

+make_config(instance_relative=False)¶

Used to create the config attribute by the Flask constructor. +The instance_relative parameter is passed in from the constructor +of Flask (there named instance_relative_config) and indicates if +the config should be relative to the instance path or the root path +of the application.

+

+New in version 0.8.

+

+ +

+make_default_options_response()¶

This method is called to create the default OPTIONS response. +This can be changed through subclassing to change the default +behaviour of OPTIONS responses.

+

+New in version 0.7.

+

+ +

+make_null_session()¶

Creates a new instance of a missing session. Instead of overriding +this method we recommend replacing the session_interface.

+

+New in version 0.7.

+

+ +

+make_response(rv)¶

Converts the return value from a view function to a real +response object that is an instance of response_class.

+

The following types are allowed for rv:

+ ++++ + + + + + + + + + + + + + + + + + +

`response_class`	the object is returned unchanged
`str`	a response object is created with the +string as body
`unicode`	a response object is created with the +string encoded to utf-8 as body
`tuple`	the response object is created with the +contents of the tuple as arguments
a WSGI function	the function is called as WSGI application +and buffered as response object

+ +++ + + + +

Parameters:	rv – the return value from the view function

+

+ +

+name¶

The name of the application. This is usually the import name +with the difference that it’s guessed from the run file if the +import name is main. This name is used as a display name when +Flask needs the name of the application. It can be set and overriden +to change the value.

+

+New in version 0.8.

+

+ +

+open_instance_resource(resource, mode='rb')¶

Opens a resource from the application’s instance folder +(instance_path). Otherwise works like +open_resource(). Instance resources can also be opened for +writing.

+ +++ + + + +

Parameters:	resource – the name of the resource. To access resources within +subfolders use forward slashes as separator.

+

+ +

+open_resource(resource, mode='rb')¶

Opens a resource from the application’s resource folder. To see +how this works, consider the following folder structure:

+

/myapplication.py
+/schema.sql
+/static
+    /style.css
+/templates
+    /layout.html
+    /index.html

+

If you want to open the schema.sql file you would do the +following:

+

with app.open_resource('schema.sql') as f:
+    contents = f.read()
+    do_something_with(contents)
+

+

+ +++ + + + +

Parameters:	resource – the name of the resource. To access resources within +subfolders use forward slashes as separator.

+

+ +

+open_session(request)¶

Creates or opens a new session. Default implementation stores all +session data in a signed cookie. This requires that the +secret_key is set. Instead of overriding this method +we recommend replacing the session_interface.

+ +++ + + + +

Parameters:	request – an instance of `request_class`.

+

+ +

+permanent_session_lifetime¶

A timedelta which is used to set the expiration +date of a permanent session. The default is 31 days which makes a +permanent session survive for roughly one month.

+

This attribute can also be configured from the config with the +PERMANENT_SESSION_LIFETIME configuration key. Defaults to +timedelta(days=31)

+

+ +

+preprocess_request()¶

Called before the actual request dispatching and will +call every as before_request() decorated function. +If any of these function returns a value it’s handled as +if it was the return value from the view and further +request handling is stopped.

+

This also triggers the url_value_processor() functions before +the actualy before_request() functions are called.

+

+ +

+preserve_context_on_exception¶

Returns the value of the PRESERVE_CONTEXT_ON_EXCEPTION +configuration value in case it’s set, otherwise a sensible default +is returned.

+

+New in version 0.7.

+

+ +

+process_response(response)¶

Can be overridden in order to modify the response object +before it’s sent to the WSGI server. By default this will +call all the after_request() decorated functions.

+

+Changed in version 0.5: As of Flask 0.5 the functions registered for after request +execution are called in reverse order of registration.

+ +++ + + + + + +

Parameters:	response – a `response_class` object.
Returns:	a new response object or the same, has to be an +instance of `response_class`.

+

+ +

+propagate_exceptions¶

Returns the value of the PROPAGATE_EXCEPTIONS configuration +value in case it’s set, otherwise a sensible default is returned.

+

+New in version 0.7.

+

+ +

+register_blueprint(*args, **kwargs)¶

Registers a blueprint on the application.

+

+New in version 0.7.

+

+ +

+register_error_handler(code_or_exception, f)¶

Alternative error attach function to the errorhandler() +decorator that is more straightforward to use for non decorator +usage.

+

+New in version 0.7.

+

+ +

+register_module(module, **options)¶

Registers a module with this application. The keyword argument +of this function are the same as the ones for the constructor of the +Module class and will override the values of the module if +provided.

+

+Changed in version 0.7: The module system was deprecated in favor for the blueprint +system.

+

+ +

+request_class¶

The class that is used for request objects. See Request +for more information.

+

alias of Request

+

+ +

+request_context(environ)¶

Creates a RequestContext from the given +environment and binds it to the current context. This must be used in +combination with the with statement because the request is only bound +to the current context for the duration of the with block.

+

Example usage:

+

with app.request_context(environ):
+    do_something_with(request)
+

+

+

The object returned can also be used without the with statement +which is useful for working in the shell. The example above is +doing exactly the same as this code:

+

ctx = app.request_context(environ)
+ctx.push()
+try:
+    do_something_with(request)
+finally:
+    ctx.pop()
+

+

+

+Changed in version 0.3: Added support for non-with statement usage and with statement +is now passed the ctx object.

+ +++ + + + +

Parameters:	environ – a WSGI environment

+

+ +

+response_class¶

The class that is used for response objects. See +Response for more information.

+

alias of Response

+

+ +

+route(rule, **options)¶

A decorator that is used to register a view function for a +given URL rule. This does the same thing as add_url_rule() +but is intended for decorator usage:

+

@app.route('/')
+def index():
+    return 'Hello World'
+

+

+

For more information refer to URL Route Registrations.

+ +++ + + + +

Parameters:

rule – the URL rule as string
endpoint – the endpoint for the registered URL rule. Flask +itself assumes the name of the view function as +endpoint
view_func – the function to call when serving a request to the +provided endpoint
options – the options to be forwarded to the underlying +Rule object. A change +to Werkzeug is handling of method options. methods +is a list of methods this rule should be limited +to (GET, POST etc.). By default a rule +just listens for GET (and implicitly HEAD). +Starting with Flask 0.6, OPTIONS is implicitly +added and handled by the standard request handling.

+

+ +

+run(host='127.0.0.1', port=5000, debug=None, **options)¶

Runs the application on a local development server. If the +debug flag is set the server will automatically reload +for code changes and show a debugger in case an exception happened.

+

If you want to run the application in debug mode, but disable the +code execution on the interactive debugger, you can pass +use_evalex=False as parameter. This will keep the debugger’s +traceback screen active, but disable code execution.

+

Keep in Mind

+

Flask will suppress any server error with a generic error page +unless it is in debug mode. As such to enable just the +interactive debugger without the code reloading, you have to +invoke run() with debug=True and use_reloader=False. +Setting use_debugger to True without being in debug mode +won’t catch any exceptions because there won’t be any to +catch.

+

+ +++ + + + +

Parameters:	+ host – the hostname to listen on. set this to `'0.0.0.0'` +to have the server available externally as well. + port – the port of the webserver + debug – if given, enable or disable debug mode. +See `debug`. + options – the options to be forwarded to the underlying +Werkzeug server. See +`werkzeug.serving.run_simple()` for more +information. + +

+

+ +

+save_session(session, response)¶

Saves the session if it needs updates. For the default +implementation, check open_session(). Instead of overriding this +method we recommend replacing the session_interface.

+ +++ + + + +

Parameters:	+ session – the session to be saved (a +`SecureCookie` +object) + response – an instance of `response_class` + +

+

+ +

+secret_key¶

If a secret key is set, cryptographic components can use this to +sign cookies and other things. Set this to a complex random value +when you want to use the secure cookie for instance.

+

This attribute can also be configured from the config with the +SECRET_KEY configuration key. Defaults to None.

+

+ +

+select_jinja_autoescape(filename)¶

Returns True if autoescaping should be active for the given +template name.

+

+New in version 0.5.

+

+ +

+send_static_file(filename)¶

Function used internally to send static files from the static +folder to the browser.

+

+New in version 0.5.

+

+ +

+session_cookie_name¶

The secure cookie uses this for the name of the session cookie.

+

This attribute can also be configured from the config with the +SESSION_COOKIE_NAME configuration key. Defaults to 'session'

+

+ +

+session_interface = <flask.sessions.SecureCookieSessionInterface object at 0x103dc8090>¶

the session interface to use. By default an instance of +SecureCookieSessionInterface is used here.

+

+New in version 0.8.

+

+ +

+teardown_request(*args, **kwargs)¶

Register a function to be run at the end of each request, +regardless of whether there was an exception or not. These functions +are executed when the request context is popped, even if not an +actual request was performed.

+

Example:

+

ctx = app.test_request_context()
+ctx.push()
+...
+ctx.pop()
+

+

+

When ctx.pop() is executed in the above example, the teardown +functions are called just before the request context moves from the +stack of active contexts. This becomes relevant if you are using +such constructs in tests.

+

Generally teardown functions must take every necesary step to avoid +that they will fail. If they do execute code that might fail they +will have to surround the execution of these code by try/except +statements and log ocurring errors.

+

+ +

+teardown_request_funcs = None¶

A dictionary with lists of functions that are called after +each request, even if an exception has occurred. The key of the +dictionary is the name of the blueprint this function is active for, +None for all requests. These functions are not allowed to modify +the request, and their return values are ignored. If an exception +occurred while processing the request, it gets passed to each +teardown_request function. To register a function here, use the +teardown_request() decorator.

+

+New in version 0.7.

+

+ +

+template_context_processors = None¶: A dictionary with list of functions that are called without argument +to populate the template context. The key of the dictionary is the +name of the blueprint this function is active for, None for all +requests. Each returns a dictionary that the template context is +updated with. To register a function here, use the +context_processor() decorator.
+

+ +

+template_filter(*args, **kwargs)¶

A decorator that is used to register custom template filter. +You can specify a name for the filter, otherwise the function +name will be used. Example:

+

@app.template_filter()
+def reverse(s):
+    return s[::-1]
+

+

+ +++ + + + +

Parameters:	name – the optional name of the filter, otherwise the +function name will be used.

+

+ +

+test_client(use_cookies=True)¶

Creates a test client for this application. For information +about unit testing head over to Testing Flask Applications.

+

The test client can be used in a with block to defer the closing down +of the context until the end of the with block. This is useful if +you want to access the context locals for testing:

+

with app.test_client() as c:
+    rv = c.get('/?vodka=42')
+    assert request.args['vodka'] == '42'
+

+

+

See FlaskClient for more information.

+

+Changed in version 0.4: added support for with block usage for the client.

+

+New in version 0.7: The use_cookies parameter was added as well as the ability +to override the client to be used by setting the +test_client_class attribute.

+

+ +

+test_client_class = None¶

the test client that is used with when test_client is used.

+

+New in version 0.7.

+

+ +

+test_request_context(*args, **kwargs)¶: Creates a WSGI environment from the given values (see +werkzeug.test.EnvironBuilder() for more information, this +function accepts the same arguments).
+

+ +

+testing¶

The testing flag. Set this to True to enable the test mode of +Flask extensions (and in the future probably also Flask itself). +For example this might activate unittest helpers that have an +additional runtime cost which should not be enabled by default.

+

If this is enabled and PROPAGATE_EXCEPTIONS is not changed from the +default it’s implicitly enabled.

+

This attribute can also be configured from the config with the +TESTING configuration key. Defaults to False.

+

+ +

+trap_http_exception(e)¶

Checks if an HTTP exception should be trapped or not. By default +this will return False for all exceptions except for a bad request +key error if TRAP_BAD_REQUEST_ERRORS is set to True. It +also returns True if TRAP_HTTP_EXCEPTIONS is set to True.

+

This is called for all HTTP exceptions raised by a view function. +If it returns True for any exception the error handler for this +exception is not called and it shows up as regular exception in the +traceback. This is helpful for debugging implicitly raised HTTP +exceptions.

+

+New in version 0.8.

+

+ +

+update_template_context(context)¶

Update the template context with some commonly used variables. +This injects request, session, config and g into the template +context as well as everything template context processors want +to inject. Note that the as of Flask 0.6, the original values +in the context will not be overriden if a context processor +decides to return a value with the same key.

+ +++ + + + +

Parameters:	context – the context as a dictionary that is updated in place +to add extra variables.

+

+ +

+url_default_functions = None¶

A dictionary with lists of functions that can be used as URL value +preprocessors. The key None here is used for application wide +callbacks, otherwise the key is the name of the blueprint. +Each of these functions has the chance to modify the dictionary +of URL values before they are used as the keyword arguments of the +view function. For each function registered this one should also +provide a url_defaults() function that adds the parameters +automatically again that were removed that way.

+

+New in version 0.7.

+

+ +

+url_defaults(*args, **kwargs)¶: Callback function for URL defaults for all view functions of the +application. It’s called with the endpoint and values and should +update the values passed in place.
+

+ +

+url_map = None¶

The Map for this instance. You can use +this to change the routing converters after the class was created +but before any routes are connected. Example:

+

from werkzeug.routing import BaseConverter
+
+class ListConverter(BaseConverter):
+    def to_python(self, value):
+        return value.split(',')
+    def to_url(self, values):
+        return ','.join(BaseConverter.to_url(value)
+                        for value in values)
+
+app = Flask(__name__)
+app.url_map.converters['list'] = ListConverter
+

+

+

+ +

+url_rule_class¶

The rule object to use for URL rules created. This is used by +add_url_rule(). Defaults to werkzeug.routing.Rule.

+

+New in version 0.7.

+

alias of Rule

+

+ +

+url_value_preprocessor(*args, **kwargs)¶: Registers a function as URL value preprocessor for all view +functions of the application. It’s called before the view functions +are called and can modify the url values provided.
+

+ +

+url_value_preprocessors = None¶

A dictionary with lists of functions that can be used as URL +value processor functions. Whenever a URL is built these functions +are called to modify the dictionary of values in place. The key +None here is used for application wide +callbacks, otherwise the key is the name of the blueprint. +Each of these functions has the chance to modify the dictionary

+

+New in version 0.7.

+

+ +

+use_x_sendfile¶

Enable this if you want to use the X-Sendfile feature. Keep in +mind that the server has to support this. This only affects files +sent with the send_file() method.

+

+New in version 0.2.

+

This attribute can also be configured from the config with the +USE_X_SENDFILE configuration key. Defaults to False.

+

+ +

+view_functions = None¶: A dictionary of all view functions registered. The keys will +be function names which are also used to generate URLs and +the values are the function objects themselves. +To register a view function, use the route() decorator.
+

+ +

+wsgi_app(environ, start_response)¶

The actual WSGI application. This is not implemented in +__call__ so that middlewares can be applied without losing a +reference to the class. So instead of doing this:

+

app = MyMiddleware(app)
+

+

+

It’s a better idea to do this instead:

+

app.wsgi_app = MyMiddleware(app.wsgi_app)
+

+

+

Then you still have the original application object around and +can continue to call methods on it.

+

+Changed in version 0.7: The behavior of the before and after request callbacks was changed +under error conditions and a new callback was added that will +always execute at the end of the request, independent on if an +error ocurred or not. See Callbacks and Errors.

+ +++ + + + +

Parameters:	+ environ – a WSGI environment + start_response – a callable accepting a status code, +a list of headers and an optional +exception context to start the response + +

+

+ +

+

Blueprint Objects¶

+

+class flask.Blueprint(name, import_name, static_folder=None, static_url_path=None, template_folder=None, url_prefix=None, subdomain=None, url_defaults=None)¶

Represents a blueprint. A blueprint is an object that records +functions that will be called with the +BlueprintSetupState later to register functions +or other things on the main application. See Modular Applications with Blueprints for more +information.

+

+New in version 0.7.

+

+add_url_rule(rule, endpoint=None, view_func=None, **options)¶: Like Flask.add_url_rule() but for a blueprint. The endpoint for +the url_for() function is prefixed with the name of the blueprint.
+

+ +

+after_app_request(f)¶: Like Flask.after_request() but for a blueprint. Such a function +is executed after each request, even if outside of the blueprint.
+

+ +

+after_request(f)¶: Like Flask.after_request() but for a blueprint. This function +is only executed after each request that is handled by a function of +that blueprint.
+

+ +

+app_context_processor(f)¶: Like Flask.context_processor() but for a blueprint. Such a +function is executed each request, even if outside of the blueprint.
+

+ +

+app_errorhandler(code)¶: Like Flask.errorhandler() but for a blueprint. This +handler is used for all requests, even if outside of the blueprint.
+

+ +

+app_url_defaults(f)¶: Same as url_defaults() but application wide.
+

+ +

+app_url_value_preprocessor(f)¶: Same as url_value_preprocessor() but application wide.
+

+ +

+before_app_first_request(f)¶: Like Flask.before_first_request(). Such a function is +executed before the first request to the application.
+

+ +

+before_app_request(f)¶: Like Flask.before_request(). Such a function is executed +before each request, even if outside of a blueprint.
+

+ +

+before_request(f)¶: Like Flask.before_request() but for a blueprint. This function +is only executed before each request that is handled by a function of +that blueprint.
+

+ +

+context_processor(f)¶: Like Flask.context_processor() but for a blueprint. This +function is only executed for requests handled by a blueprint.
+

+ +

+endpoint(endpoint)¶: Like Flask.endpoint() but for a blueprint. This does not +prefix the endpoint with the blueprint name, this has to be done +explicitly by the user of this method. If the endpoint is prefixed +with a . it will be registered to the current blueprint, otherwise +it’s an application independent endpoint.
+

+ +

+errorhandler(code_or_exception)¶

Registers an error handler that becomes active for this blueprint +only. Please be aware that routing does not happen local to a +blueprint so an error handler for 404 usually is not handled by +a blueprint unless it is caused inside a view function. Another +special case is the 500 internal server error which is always looked +up from the application.

+

Otherwise works as the errorhandler() decorator +of the Flask object.

+

+ +

+has_static_folder¶

This is True if the package bound object’s container has a +folder named 'static'.

+

+New in version 0.5.

+

+ +

+jinja_loader¶

The Jinja loader for this package bound object.

+

+New in version 0.5.

+

+ +

+make_setup_state(app, options, first_registration=False)¶: Creates an instance of BlueprintSetupState() +object that is later passed to the register callback functions. +Subclasses can override this to return a subclass of the setup state.
+

+ +

+open_resource(resource, mode='rb')¶

Opens a resource from the application’s resource folder. To see +how this works, consider the following folder structure:

+

/myapplication.py
+/schema.sql
+/static
+    /style.css
+/templates
+    /layout.html
+    /index.html

+

If you want to open the schema.sql file you would do the +following:

+

with app.open_resource('schema.sql') as f:
+    contents = f.read()
+    do_something_with(contents)
+

+

+ +++ + + + +

Parameters:	resource – the name of the resource. To access resources within +subfolders use forward slashes as separator.

+

+ +

+record(func)¶: Registers a function that is called when the blueprint is +registered on the application. This function is called with the +state as argument as returned by the make_setup_state() +method.
+

+ +

+record_once(func)¶: Works like record() but wraps the function in another +function that will ensure the function is only called once. If the +blueprint is registered a second time on the application, the +function passed is not called.
+

+ +

+register(app, options, first_registration=False)¶: Called by Flask.register_blueprint() to register a blueprint +on the application. This can be overridden to customize the register +behavior. Keyword arguments from +register_blueprint() are directly forwarded to this +method in the options dictionary.
+

+ +

+route(rule, **options)¶: Like Flask.route() but for a blueprint. The endpoint for the +url_for() function is prefixed with the name of the blueprint.
+

+ +

+send_static_file(filename)¶

Function used internally to send static files from the static +folder to the browser.

+

+New in version 0.5.

+

+ +

+teardown_app_request(f)¶: Like Flask.teardown_request() but for a blueprint. Such a +function is executed when tearing down each request, even if outside of +the blueprint.
+

+ +

+teardown_request(f)¶: Like Flask.teardown_request() but for a blueprint. This +function is only executed when tearing down requests handled by a +function of that blueprint. Teardown request functions are executed +when the request context is popped, even when no actual request was +performed.
+

+ +

+url_defaults(f)¶: Callback function for URL defaults for this blueprint. It’s called +with the endpoint and values and should update the values passed +in place.
+

+ +

+url_value_preprocessor(f)¶: Registers a function as URL value preprocessor for this +blueprint. It’s called before the view functions are called and +can modify the url values provided.
+

+ +

+

Incoming Request Data¶

+

+class flask.Request(environ, populate_request=True, shallow=False)¶

The request object used by default in Flask. Remembers the +matched endpoint and view arguments.

+

It is what ends up as request. If you want to replace +the request object used you can subclass this and set +request_class to your subclass.

+

The request object is a Request subclass and +provides all of the attributes Werkzeug defines plus a few Flask +specific ones.

+

+form¶: A MultiDict with the parsed form data from POST +or PUT requests. Please keep in mind that file uploads will not +end up here, but instead in the files attribute.
+

+ +

+args¶: A MultiDict with the parsed contents of the query +string. (The part in the URL after the question mark).
+

+ +

+values¶: A CombinedMultiDict with the contents of both +form and args.
+

+ +

+cookies¶: A dict with the contents of all cookies transmitted with +the request.
+

+ +

+stream¶: If the incoming form data was not encoded with a known mimetype +the data is stored unmodified in this stream for consumption. Most +of the time it is a better idea to use data which will give +you that data as a string. The stream only returns the data once.
+

+ +

+headers¶: The incoming request headers as a dictionary like object.
+

+ +

+data¶: Contains the incoming request data as string in case it came with +a mimetype Flask does not handle.
+

+ +

+files¶: A MultiDict with files uploaded as part of a +POST or PUT request. Each file is stored as +FileStorage object. It basically behaves like a +standard file object you know from Python, with the difference that +it also has a save() function that can +store the file on the filesystem.
+

+ +

+environ¶: The underlying WSGI environment.
+

+ +

+method¶: The current request method (POST, GET etc.)
+

+ +

+path¶

+ +

+script_root¶

+ +

+url¶

+ +

+base_url¶

+ +

+url_root¶

Provides different ways to look at the current URL. Imagine your +application is listening on the following URL:

+

http://www.example.com/myapplication

+

And a user requests the following URL:

+

http://www.example.com/myapplication/page.html?x=y

+

In this case the values of the above mentioned attributes would be +the following:

+ ++++ + + + + + + + + + + + + + + + + + +

path	`/page.html`
script_root	`/myapplication`
base_url	`http://www.example.com/myapplication/page.html`
url	`http://www.example.com/myapplication/page.html?x=y`
url_root	`http://www.example.com/myapplication/`

+

+ +

+is_xhr¶: True if the request was triggered via a JavaScript +XMLHttpRequest. This only works with libraries that support the +X-Requested-With header and set it to XMLHttpRequest. +Libraries that do that are prototype, jQuery and Mochikit and +probably some more.
+

+ +

+blueprint¶: The name of the current blueprint
+

+ +

+endpoint¶: The endpoint that matched the request. This in combination with +view_args can be used to reconstruct the same or a +modified URL. If an exception happened when matching, this will +be None.
+

+ +

+json¶

If the mimetype is application/json this will contain the +parsed JSON data. Otherwise this will be None.

+

This requires Python 2.6 or an installed version of simplejson.

+

+ +

+max_content_length¶: Read-only view of the MAX_CONTENT_LENGTH config key.
+

+ +

+module¶: The name of the current module if the request was dispatched +to an actual module. This is deprecated functionality, use blueprints +instead.
+

+ +

+on_json_loading_failed(e)¶

Called if decoding of the JSON data failed. The return value of +this method is used by json when an error ocurred. The +default implementation raises a BadRequest.

+

+New in version 0.8.

+

+ +

+routing_exception = None¶: if matching the URL failed, this is the exception that will be +raised / was raised as part of the request handling. This is +usually a NotFound exception or +something similar.
+

+ +

+url_rule = None¶

the internal URL rule that matched the request. This can be +useful to inspect which methods are allowed for the URL from +a before/after handler (request.url_rule.methods) etc.

+

+New in version 0.6.

+

+ +

+view_args = None¶: a dict of view arguments that matched the request. If an exception +happened when matching, this will be None.
+

+ +

+class flask.request¶

To access incoming request data, you can use the global request +object. Flask parses incoming request data for you and gives you +access to it through that global object. Internally Flask makes +sure that you always get the correct data for the active thread if you +are in a multithreaded environment.

+

This is a proxy. See Notes On Proxies for more information.

+

The request object is an instance of a Request +subclass and provides all of the attributes Werkzeug defines. This +just shows a quick overview of the most important ones.

+

+ +

+

Response Objects¶

+

+class flask.Response(response=None, status=None, headers=None, mimetype=None, content_type=None, direct_passthrough=False)¶

The response object that is used by default in Flask. Works like the +response object from Werkzeug but is set to have an HTML mimetype by +default. Quite often you don’t have to create this object yourself because +make_response() will take care of that for you.

+

If you want to replace the response object used you can subclass this and +set response_class to your subclass.

+

+headers¶: A Headers object representing the response headers.
+

+ +

+status_code¶: The response status as integer.
+

+ +

+set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)¶

Sets a cookie. The parameters are the same as in the cookie Morsel +object in the Python standard library but it accepts unicode data, too.

+ +++ + + + +

Parameters:

key – the key (name) of the cookie to be set.
value – the value of the cookie.
max_age – should be a number of seconds, or None (default) if +the cookie should last only as long as the client’s +browser session.
expires – should be a datetime object or UNIX timestamp.
domain – if you want to set a cross-domain cookie. For example, +domain=".example.com" will set a cookie that is +readable by the domain www.example.com, +foo.example.com etc. Otherwise, a cookie will only +be readable by the domain that set it.
path – limits the cookie to a given path, per default it will +span the whole domain.

+

+ +

+data¶

The string representation of the request body. Whenever you access +this property the request iterable is encoded and flattened. This +can lead to unwanted behavior if you stream big data.

+

This behavior can be disabled by setting +implicit_sequence_conversion to False.

+

+ +

+mimetype¶: The mimetype (content type without charset etc.)
+

+ +

+

Sessions¶

+

If you have the Flask.secret_key set you can use sessions in Flask +applications. A session basically makes it possible to remember +information from one request to another. The way Flask does this is by +using a signed cookie. So the user can look at the session contents, but +not modify it unless they know the secret key, so make sure to set that +to something complex and unguessable.

+

To access the current session you can use the session object:

+

+class flask.session¶

The session object works pretty much like an ordinary dict, with the +difference that it keeps track on modifications.

+

This is a proxy. See Notes On Proxies for more information.

+

The following attributes are interesting:

+

+new¶: True if the session is new, False otherwise.
+

+ +

+modified¶

True if the session object detected a modification. Be advised +that modifications on mutable structures are not picked up +automatically, in that situation you have to explicitly set the +attribute to True yourself. Here an example:

+

# this change is not picked up because a mutable object (here
+# a list) is changed.
+session['objects'].append(42)
+# so mark it as modified yourself
+session.modified = True
+

+

+

+ +

+permanent¶: If set to True the session lives for +permanent_session_lifetime seconds. The +default is 31 days. If set to False (which is the default) the +session will be deleted when the user closes the browser.
+

+ +

+

Session Interface¶

+

+New in version 0.8.

+

The session interface provides a simple way to replace the session +implementation that Flask is using.

+

+class flask.sessions.SessionInterface¶

The basic interface you have to implement in order to replace the +default session interface which uses werkzeug’s securecookie +implementation. The only methods you have to implement are +open_session() and save_session(), the others have +useful defaults which you don’t need to change.

+

The session object returned by the open_session() method has to +provide a dictionary like interface plus the properties and methods +from the SessionMixin. We recommend just subclassing a dict +and adding that mixin:

+

class Session(dict, SessionMixin):
+    pass
+

+

+

If open_session() returns None Flask will call into +make_null_session() to create a session that acts as replacement +if the session support cannot work because some requirement is not +fulfilled. The default NullSession class that is created +will complain that the secret key was not set.

+

To replace the session interface on an application all you have to do +is to assign flask.Flask.session_interface:

+

app = Flask(__name__)
+app.session_interface = MySessionInterface()
+

+

+

+New in version 0.8.

+

+get_cookie_domain(app)¶: Helpful helper method that returns the cookie domain that should +be used for the session cookie if session cookies are used.
+

+ +

+get_cookie_httponly(app)¶: Returns True if the session cookie should be httponly. This +currently just returns the value of the SESSION_COOKIE_HTTPONLY +config var.
+

+ +

+get_cookie_path(app)¶: Returns the path for which the cookie should be valid. The +default implementation uses the value from the SESSION_COOKIE_PATH`` +config var if it’s set, and falls back to APPLICATION_ROOT or +uses / if it’s None.
+

+ +

+get_cookie_secure(app)¶: Returns True if the cookie should be secure. This currently +just returns the value of the SESSION_COOKIE_SECURE setting.
+

+ +

+get_expiration_time(app, session)¶: A helper method that returns an expiration date for the session +or None if the session is linked to the browser session. The +default implementation returns now + the permanent session +lifetime configured on the application.
+

+ +

+is_null_session(obj)¶

Checks if a given object is a null session. Null sessions are +not asked to be saved.

+

This checks if the object is an instance of null_session_class +by default.

+

+ +

+make_null_session(app)¶

Creates a null session which acts as a replacement object if the +real session support could not be loaded due to a configuration +error. This mainly aids the user experience because the job of the +null session is to still support lookup without complaining but +modifications are answered with a helpful error message of what +failed.

+

This creates an instance of null_session_class by default.

+

+ +

+null_session_class¶

make_null_session() will look here for the class that should +be created when a null session is requested. Likewise the +is_null_session() method will perform a typecheck against +this type.

+

alias of NullSession

+

+ +

+open_session(app, request)¶: This method has to be implemented and must either return None +in case the loading failed because of a configuration error or an +instance of a session object which implements a dictionary like +interface + the methods and attributes on SessionMixin.
+

+ +

+save_session(app, session, response)¶: This is called for actual sessions returned by open_session() +at the end of the request. This is still called during a request +context so if you absolutely need access to the request you can do +that.
+

+ +

+class flask.sessions.SecureCookieSessionInterface¶

The cookie session interface that uses the Werkzeug securecookie +as client side session backend.

+

+session_class¶: alias of SecureCookieSession
+

+ +

+class flask.sessions.NullSession(data=None, secret_key=None, new=True)¶: Class used to generate nicer error messages if sessions are not +available. Will still allow read-only access to the empty session +but fail on setting.
+

+ +

+class flask.sessions.SessionMixin¶

Expands a basic dictionary with an accessors that are expected +by Flask extensions and users for the session.

+

+modified = True¶: for some backends this will always be True, but some backends will +default this to false and detect changes in the dictionary for as +long as changes do not happen on mutable structures in the session. +The default mixin implementation just hardcodes True in.
+

+ +

+new = False¶: some session backends can tell you if a session is new, but that is +not necessarily guaranteed. Use with caution. The default mixin +implementation just hardcodes False in.
+

+ +

+permanent¶: this reflects the '_permanent' key in the dict.
+

+ +

+

Notice

+

The PERMANENT_SESSION_LIFETIME config key can also be an integer +starting with Flask 0.8. Either catch this down yourself or use +the permanent_session_lifetime attribute on the +app which converts the result to an integer automatically.

+

Test Client¶

+

+class flask.testing.FlaskClient(application, response_wrapper=None, use_cookies=True, allow_subdomain_redirects=False)¶

Works like a regular Werkzeug test client but has some knowledge about +how Flask works to defer the cleanup of the request context stack to the +end of a with body when used in a with statement. For general information +about how to use this class refer to werkzeug.test.Client.

+

Basic usage is outlined in the Testing Flask Applications chapter.

+

+session_transaction(*args, **kwds)¶

When used in combination with a with statement this opens a +session transaction. This can be used to modify the session that +the test client uses. Once the with block is left the session is +stored back.

+

+
+
with client.session_transaction() as session:
+
session[‘value’] = 42
+
+

+

Internally this is implemented by going through a temporary test +request context and since session handling could depend on +request variables this function accepts the same arguments as +test_request_context() which are directly +passed through.

+

+ +

+

Application Globals¶

+

To share data that is valid for one request only from one function to +another, a global variable is not good enough because it would break in +threaded environments. Flask provides you with a special object that +ensures it is only valid for the active request and that will return +different values for each request. In a nutshell: it does the right +thing, like it does for request and session.

+

+flask.g¶

Just store on this whatever you want. For example a database +connection or the user that is currently logged in.

+

This is a proxy. See Notes On Proxies for more information.

+

+ +

+

Useful Functions and Classes¶

+

+flask.current_app¶

Points to the application handling the request. This is useful for +extensions that want to support multiple applications running side +by side.

+

This is a proxy. See Notes On Proxies for more information.

+

+ +

+flask.has_request_context()¶

If you have code that wants to test if a request context is there or +not this function can be used. For instance if you want to take advantage +of request information is it’s available but fail silently if the request +object is unavailable.

+

class User(db.Model):
+
+    def __init__(self, username, remote_addr=None):
+        self.username = username
+        if remote_addr is None and has_request_context():
+            remote_addr = request.remote_addr
+        self.remote_addr = remote_addr
+

+

+

Alternatively you can also just test any of the context bound objects +(such as request or g for truthness):

+

class User(db.Model):
+
+    def __init__(self, username, remote_addr=None):
+        self.username = username
+        if remote_addr is None and request:
+            remote_addr = request.remote_addr
+        self.remote_addr = remote_addr
+

+

+

+New in version 0.7.

+

+ +

+flask.url_for(endpoint, **values)¶

Generates a URL to the given endpoint with the method provided.

+

Variable arguments that are unknown to the target endpoint are appended +to the generated URL as query arguments. If the value of a query argument +is None, the whole pair is skipped. In case blueprints are active +you can shortcut references to the same blueprint by prefixing the +local endpoint with a dot (.).

+

This will reference the index function local to the current blueprint:

+

url_for('.index')
+

+

+

For more information, head over to the Quickstart.

+ +++ + + + +

Parameters:	+ endpoint – the endpoint of the URL (name of the function) + values – the variable arguments of the URL rule + _external – if set to True, an absolute URL is generated. + +

+

+ +

+flask.abort(code)¶

Raises an HTTPException for the given +status code. For example to abort request handling with a page not +found exception, you would call abort(404).

+ +++ + + + +

Parameters:	code – the HTTP error code.

+

+ +

+flask.redirect(location, code=302)¶

Return a response object (a WSGI application) that, if called, +redirects the client to the target location. Supported codes are 301, +302, 303, 305, and 307. 300 is not supported because it’s not a real +redirect and 304 because it’s the answer for a request with a request +with defined If-Modified-Since headers.

+

+New in version 0.6: The location can now be a unicode string that is encoded using +the iri_to_uri() function.

+ +++ + + + +

Parameters:	+ location – the location the response should redirect to. + code – the redirect status code. defaults to 302. + +

+

+ +

+flask.make_response(*args)¶

Sometimes it is necessary to set additional headers in a view. Because +views do not have to return response objects but can return a value that +is converted into a response object by Flask itself, it becomes tricky to +add headers to it. This function can be called instead of using a return +and you will get a response object which you can use to attach headers.

+

If view looked like this and you want to add a new header:

+

def index():
+    return render_template('index.html', foo=42)
+

+

+

You can now do something like this:

+

def index():
+    response = make_response(render_template('index.html', foo=42))
+    response.headers['X-Parachutes'] = 'parachutes are cool'
+    return response
+

+

+

This function accepts the very same arguments you can return from a +view function. This for example creates a response with a 404 error +code:

+

response = make_response(render_template('not_found.html'), 404)
+

+

+

The other use case of this function is to force the return value of a +view function into a response which is helpful with view +decorators:

+

response = make_response(view_function())
+response.headers['X-Parachutes'] = 'parachutes are cool'
+

+

+

Internally this function does the following things:

+

if no arguments are passed, it creates a new response argument
if one argument is passed, flask.Flask.make_response() +is invoked with it.
if more than one argument is passed, the arguments are passed +to the flask.Flask.make_response() function as tuple.

+

+New in version 0.6.

+

+ +

+flask.send_file(filename_or_fp, mimetype=None, as_attachment=False, attachment_filename=None, add_etags=True, cache_timeout=43200, conditional=False)¶

Sends the contents of a file to the client. This will use the +most efficient method available and configured. By default it will +try to use the WSGI server’s file_wrapper support. Alternatively +you can set the application’s use_x_sendfile attribute +to True to directly emit an X-Sendfile header. This however +requires support of the underlying webserver for X-Sendfile.

+

By default it will try to guess the mimetype for you, but you can +also explicitly provide one. For extra security you probably want +to send certain files as attachment (HTML for instance). The mimetype +guessing requires a filename or an attachment_filename to be +provided.

+

Please never pass filenames to this function from user sources without +checking them first. Something like this is usually sufficient to +avoid security problems:

+

if '..' in filename or filename.startswith('/'):
+    abort(404)
+

+

+

+New in version 0.2.

+

+New in version 0.5: The add_etags, cache_timeout and conditional parameters were +added. The default behaviour is now to attach etags.

+

+Changed in version 0.7: mimetype guessing and etag support for file objects was +deprecated because it was unreliable. Pass a filename if you are +able to, otherwise attach an etag yourself. This functionality +will be removed in Flask 1.0

+ +++ + + + +

Parameters:

filename_or_fp – the filename of the file to send. This is +relative to the root_path if a +relative path is specified. +Alternatively a file object might be provided +in which case X-Sendfile might not work and +fall back to the traditional method. Make sure +that the file pointer is positioned at the start +of data to send before calling send_file().
mimetype – the mimetype of the file if provided, otherwise +auto detection happens.
as_attachment – set to True if you want to send this file with +a Content-Disposition: attachment header.
attachment_filename – the filename for the attachment if it +differs from the file’s filename.
add_etags – set to False to disable attaching of etags.
conditional – set to True to enable conditional responses.
cache_timeout – the timeout in seconds for the headers.

+

+ +

+flask.send_from_directory(directory, filename, **options)¶

Send a file from a given directory with send_file(). This +is a secure way to quickly expose static files from an upload folder +or something similar.

+

Example usage:

+

@app.route('/uploads/<path:filename>')
+def download_file(filename):
+    return send_from_directory(app.config['UPLOAD_FOLDER'],
+                               filename, as_attachment=True)
+

+

+

Sending files and Performance

+

It is strongly recommended to activate either X-Sendfile support in +your webserver or (if no authentication happens) to tell the webserver +to serve files for the given path on its own without calling into the +web application for improved performance.

+

+New in version 0.5.

+ +++ + + + +

Parameters:	+ directory – the directory where all the files are stored. + filename – the filename relative to that directory to +download. + options – optional keyword arguments that are directly +forwarded to `send_file()`. + +

+

+ +

+flask.safe_join(directory, filename)¶

Safely join directory and filename.

+

Example usage:

+

@app.route('/wiki/<path:filename>')
+def wiki_page(filename):
+    filename = safe_join(app.config['WIKI_FOLDER'], filename)
+    with open(filename, 'rb') as fd:
+        content = fd.read() # Read and process the file content...
+

+

+ +++ + + + + + +

Parameters:	+ directory – the base directory. + filename – the untrusted filename relative to that directory. + +
Raises :	`NotFound` if the resulting path +would fall out of directory. +

+

+ +

+flask.escape(s) → markup¶: Convert the characters &, <, >, ‘, and ” in string s to HTML-safe +sequences. Use this if you need to display text that might contain +such characters in HTML. Marks return value as markup string.
+

+ +

+class flask.Markup¶

Marks a string as being safe for inclusion in HTML/XML output without +needing to be escaped. This implements the __html__ interface a couple +of frameworks and web applications use. Markup is a direct +subclass of unicode and provides all the methods of unicode just that +it escapes arguments passed and always returns Markup.

+

The escape function returns markup objects so that double escaping can’t +happen.

+

The constructor of the Markup class can be used for three +different things: When passed an unicode object it’s assumed to be safe, +when passed an object with an HTML representation (has an __html__ +method) that representation is used, otherwise the object passed is +converted into a unicode string and then assumed to be safe:

+

>>> Markup("Hello <em>World</em>!")
+Markup(u'Hello <em>World</em>!')
+>>> class Foo(object):
+...  def __html__(self):
+...   return '<a href="#">foo</a>'
+... 
+>>> Markup(Foo())
+Markup(u'<a href="#">foo</a>')
+

+

+

If you want object passed being always treated as unsafe you can use the +escape() classmethod to create a Markup object:

+

>>> Markup.escape("Hello <em>World</em>!")
+Markup(u'Hello &lt;em&gt;World&lt;/em&gt;!')
+

+

+

Operations on a markup string are markup aware which means that all +arguments are passed through the escape() function:

+

>>> em = Markup("<em>%s</em>")
+>>> em % "foo & bar"
+Markup(u'<em>foo &amp; bar</em>')
+>>> strong = Markup("<strong>%(text)s</strong>")
+>>> strong % {'text': '<blink>hacker here</blink>'}
+Markup(u'<strong>&lt;blink&gt;hacker here&lt;/blink&gt;</strong>')
+>>> Markup("<em>Hello</em> ") + "<foo>"
+Markup(u'<em>Hello</em> &lt;foo&gt;')
+

+

+

+classmethod escape(s)¶: Escape the string. Works like escape() with the difference +that for subclasses of Markup this function would return the +correct subclass.
+

+ +

+unescape()¶

Unescape markup again into an unicode string. This also resolves +known HTML4 and XHTML entities:

+

>>> Markup("Main &raquo; <em>About</em>").unescape()
+u'Main \xbb <em>About</em>'
+

+

+

+ +

+striptags()¶

Unescape markup into an unicode string and strip all tags. This +also resolves known HTML4 and XHTML entities. Whitespace is +normalized to one:

+

>>> Markup("Main &raquo;  <em>About</em>").striptags()
+u'Main \xbb About'
+

+

+

+ +

+

Message Flashing¶

+

+flask.flash(message, category='message')¶

Flashes a message to the next request. In order to remove the +flashed message from the session and to display it to the user, +the template has to call get_flashed_messages().

+ +++ + + + +

Parameters:	+ message – the message to be flashed. + category – the category for the message. The following values +are recommended: `'message'` for any kind of message, +`'error'` for errors, `'info'` for information +messages and `'warning'` for warnings. However any +kind of string can be used as category. + +

+

+ +

+flask.get_flashed_messages(with_categories=False)¶

Pulls all flashed messages from the session and returns them. +Further calls in the same request to the function will return +the same messages. By default just the messages are returned, +but when with_categories is set to True, the return value will +be a list of tuples in the form (category, message) instead.

+

Example usage:

+

{% for category, msg in get_flashed_messages(with_categories=true) %}
+  <p class=flash-{{ category }}>{{ msg }}
+{% endfor %}
+

+

+

+Changed in version 0.3: with_categories parameter added.

+ +++ + + + +

Parameters:	with_categories – set to True to also receive categories.

+

+ +

+

Returning JSON¶

+

+flask.jsonify(*args, **kwargs)¶

Creates a Response with the JSON representation of +the given arguments with an application/json mimetype. The arguments +to this function are the same as to the dict constructor.

+

Example usage:

+

@app.route('/_get_current_user')
+def get_current_user():
+    return jsonify(username=g.user.username,
+                   email=g.user.email,
+                   id=g.user.id)
+

+

+

This will send a JSON response like this to the browser:

+

{
+    "username": "admin",
+    "email": "admin@localhost",
+    "id": 42
+}
+

+

+

This requires Python 2.6 or an installed version of simplejson. For +security reasons only objects are supported toplevel. For more +information about this, have a look at JSON Security.

+

+New in version 0.2.

+

+ +

+flask.json¶

If JSON support is picked up, this will be the module that Flask is +using to parse and serialize JSON. So instead of doing this yourself:

+

try:
+    import simplejson as json
+except ImportError:
+    import json
+

+

+

You can instead just do this:

+

from flask import json
+

+

+

For usage examples, read the json documentation.

+

The dumps() function of this json module is also available +as filter called |tojson in Jinja2. Note that inside script +tags no escaping must take place, so make sure to disable escaping +with |safe if you intend to use it inside script tags:

+

<script type=text/javascript>
+    doSomethingWith({{ user.username|tojson|safe }});
+</script>
+

+

+

Note that the |tojson filter escapes forward slashes properly.

+

+ +

+

Template Rendering¶

+

+flask.render_template(template_name, **context)¶

Renders a template from the template folder with the given +context.

+ +++ + + + +

Parameters:	+ template_name – the name of the template to be rendered + context – the variables that should be available in the +context of the template. + +

+

+ +

+flask.render_template_string(source, **context)¶

Renders a template from the given template source string +with the given context.

+ +++ + + + +

Parameters:	+ template_name – the sourcecode of the template to be +rendered + context – the variables that should be available in the +context of the template. + +

+

+ +

+flask.get_template_attribute(template_name, attribute)¶

Loads a macro (or variable) a template exports. This can be used to +invoke a macro from within Python code. If you for example have a +template named _cider.html with the following contents:

+

{% macro hello(name) %}Hello {{ name }}!{% endmacro %}
+

+

+

You can access this from Python code like this:

+

hello = get_template_attribute('_cider.html', 'hello')
+return hello('World')
+

+

+

+New in version 0.2.

+ +++ + + + +

Parameters:	+ template_name – the name of the template + attribute – the name of the variable of macro to acccess + +

+

+ +

+

Configuration¶

+

+class flask.Config(root_path, defaults=None)¶

Works exactly like a dict but provides ways to fill it from files +or special dictionaries. There are two common patterns to populate the +config.

+

Either you can fill the config from a config file:

+

app.config.from_pyfile('yourconfig.cfg')
+

+

+

Or alternatively you can define the configuration options in the +module that calls from_object() or provide an import path to +a module that should be loaded. It is also possible to tell it to +use the same module and with that provide the configuration values +just before the call:

+

DEBUG = True
+SECRET_KEY = 'development key'
+app.config.from_object(__name__)
+

+

+

In both cases (loading from any Python file or loading from modules), +only uppercase keys are added to the config. This makes it possible to use +lowercase values in the config file for temporary values that are not added +to the config or to define the config keys in the same file that implements +the application.

+

Probably the most interesting way to load configurations is from an +environment variable pointing to a file:

+

app.config.from_envvar('YOURAPPLICATION_SETTINGS')
+

+

+

In this case before launching the application you have to set this +environment variable to the file you want to use. On Linux and OS X +use the export statement:

+

export YOURAPPLICATION_SETTINGS='/path/to/config/file'

+

On windows use set instead.

+ +++ + + + +

Parameters:	+ root_path – path to which files are read relative from. When the +config object is created by the application, this is +the application’s `root_path`. + defaults – an optional dictionary of default values + +

+

+from_envvar(variable_name, silent=False)¶

Loads a configuration from an environment variable pointing to +a configuration file. This is basically just a shortcut with nicer +error messages for this line of code:

+

app.config.from_pyfile(os.environ['YOURAPPLICATION_SETTINGS'])
+

+

+ +++ + + + + + +

Parameters:	+ variable_name – name of the environment variable + silent – set to True if you want silent failure for missing +files. + +
Returns:	bool. True if able to load config, False otherwise. +

+

+ +

+from_object(obj)¶

Updates the values from the given object. An object can be of one +of the following two types:

+

a string: in this case the object with that name will be imported
an actual object reference: that object is used directly

+

Objects are usually either modules or classes.

+

Just the uppercase variables in that object are stored in the config. +Example usage:

+

app.config.from_object('yourapplication.default_config')
+from yourapplication import default_config
+app.config.from_object(default_config)
+

+

+

You should not use this function to load the actual configuration but +rather configuration defaults. The actual config should be loaded +with from_pyfile() and ideally from a location not within the +package because the package might be installed system wide.

+ +++ + + + +

Parameters:	obj – an import name or object

+

+ +

+from_pyfile(filename, silent=False)¶

Updates the values in the config from a Python file. This function +behaves as if the file was imported as module with the +from_object() function.

+ +++ + + + +

Parameters:	+ filename – the filename of the config. This can either be an +absolute filename or a filename relative to the +root path. + silent – set to True if you want silent failure for missing +files. + +

+

+New in version 0.7: silent parameter.

+

+ +

+

Extensions¶

+

+flask.ext¶

This module acts as redirect import module to Flask extensions. It was +added in 0.8 as the canonical way to import Flask extensions and makes +it possible for us to have more flexibility in how we distribute +extensions.

+

If you want to use an extension named “Flask-Foo” you would import it +from ext as follows:

+

from flask.ext import foo
+

+

+

+New in version 0.8.

+

+ +

+

Useful Internals¶

+

+class flask.ctx.RequestContext(app, environ)¶

The request context contains all request relevant information. It is +created at the beginning of the request and pushed to the +_request_ctx_stack and removed at the end of it. It will create the +URL adapter and request object for the WSGI environment provided.

+

Do not attempt to use this class directly, instead use +test_request_context() and +request_context() to create this object.

+

When the request context is popped, it will evaluate all the +functions registered on the application for teardown execution +(teardown_request()).

+

The request context is automatically popped at the end of the request +for you. In debug mode the request context is kept around if +exceptions happen so that interactive debuggers have a chance to +introspect the data. With 0.4 this can also be forced for requests +that did not fail and outside of DEBUG mode. By setting +'flask._preserve_context' to True on the WSGI environment the +context will not pop itself at the end of the request. This is used by +the test_client() for example to implement the +deferred cleanup functionality.

+

You might find this helpful for unittests where you need the +information from the context local around for a little longer. Make +sure to properly pop() the stack yourself in +that situation, otherwise your unittests will leak memory.

+

+match_request()¶: Can be overridden by a subclass to hook into the matching +of the request.
+

+ +

+pop()¶: Pops the request context and unbinds it by doing that. This will +also trigger the execution of functions registered by the +teardown_request() decorator.
+

+ +

+push()¶: Binds the request context to the current context.
+

+ +

+flask._request_ctx_stack¶

The internal LocalStack that is used to implement +all the context local objects used in Flask. This is a documented +instance and can be used by extensions and application code but the +use is discouraged in general.

+

The following attributes are always present on each layer of the +stack:

+

app: the active Flask application.
url_adapter: the URL adapter that was used to match the request.
request: the current request object.
session: the active session object.
g: an object with all the attributes of the flask.g object.
flashes: an internal cache for the flashed messages.

+

Example usage:

+

from flask import _request_ctx_stack
+
+def get_session():
+    ctx = _request_ctx_stack.top
+    if ctx is not None:
+        return ctx.session
+

+

+

+ +

+class flask.blueprints.BlueprintSetupState(blueprint, app, options, first_registration)¶

Temporary holder object for registering a blueprint with the +application. An instance of this class is created by the +make_setup_state() method and later passed +to all register callback functions.

+

+add_url_rule(rule, endpoint=None, view_func=None, **options)¶: A helper method to register a rule (and optionally a view function) +to the application. The endpoint is automatically prefixed with the +blueprint’s name.
+

+ +

+app = None¶: a reference to the current application
+

+ +

+blueprint = None¶: a reference to the blurprint that created this setup state.
+

+ +

+first_registration = None¶: as blueprints can be registered multiple times with the +application and not everything wants to be registered +multiple times on it, this attribute can be used to figure +out if the blueprint was registered in the past already.
+

+ +

+options = None¶: a dictionary with all options that were passed to the +register_blueprint() method.
+

+ +

+subdomain = None¶: The subdomain that the blueprint should be active for, None +otherwise.
+

+ +

+url_defaults = None¶: A dictionary with URL defaults that is added to each and every +URL that was defined with the blueprint.
+

+ +

+url_prefix = None¶: The prefix that should be used for all URLs defined on the +blueprint.
+

+ +

+

Signals¶

+

+New in version 0.6.

+

+flask.signals_available¶: True if the signalling system is available. This is the case +when blinker is installed.
+

+ +

+flask.template_rendered¶: This signal is sent when a template was successfully rendered. The +signal is invoked with the instance of the template as template +and the context as dictionary (named context).
+

+ +

+flask.request_started¶: This signal is sent before any request processing started but when the +request context was set up. Because the request context is already +bound, the subscriber can access the request with the standard global +proxies such as request.
+

+ +

+flask.request_finished¶: This signal is sent right before the response is sent to the client. +It is passed the response to be sent named response.
+

+ +

+flask.got_request_exception¶: This signal is sent when an exception happens during request processing. +It is sent before the standard exception handling kicks in and even +in debug mode, where no exception handling happens. The exception +itself is passed to the subscriber as exception.
+

+ +

+flask.request_tearing_down¶: This signal is sent when the application is tearing down the request. +This is always called, even if an error happened. No arguments are +provided.
+

+ +

+class flask.signals.Namespace¶

An alias for blinker.base.Namespace if blinker is available, +otherwise a dummy class that creates fake signals. This class is +available for Flask extensions that want to provide the same fallback +system as Flask itself.

+

+signal(name, doc=None)¶: Creates a new signal for this namespace if blinker is available, +otherwise returns a fake signal that has a send method that will +do nothing but will fail with a RuntimeError for all other +operations, including connecting.
+

+ +

+

Class Based Views¶

+

+New in version 0.7.

+

+class flask.views.View¶

Alternative way to use view functions. A subclass has to implement +dispatch_request() which is called with the view arguments from +the URL routing system. If methods is provided the methods +do not have to be passed to the add_url_rule() +method explicitly:

+

class MyView(View):
+    methods = ['GET']
+
+    def dispatch_request(self, name):
+        return 'Hello %s!' % name
+
+app.add_url_rule('/hello/<name>', view_func=MyView.as_view('myview'))
+

+

+

When you want to decorate a pluggable view you will have to either do that +when the view function is created (by wrapping the return value of +as_view()) or you can use the decorators attribute:

+

class SecretView(View):
+    methods = ['GET']
+    decorators = [superuser_required]
+
+    def dispatch_request(self):
+        ...
+

+

+

The decorators stored in the decorators list are applied one after another +when the view function is created. Note that you can not use the class +based decorators since those would decorate the view class and not the +generated view function!

+

+classmethod as_view(name, *class_args, **class_kwargs)¶

Converts the class into an actual view function that can be +used with the routing system. What it does internally is generating +a function on the fly that will instanciate the View +on each request and call the dispatch_request() method on it.

+

The arguments passed to as_view() are forwarded to the +constructor of the class.

+

+ +

+decorators = []¶

The canonical way to decorate class based views is to decorate the +return value of as_view(). However since this moves parts of the +logic from the class declaration to the place where it’s hooked +into the routing system.

+

You can place one or more decorators in this list and whenever the +view function is created the result is automatically decorated.

+

+New in version 0.8.

+

+ +

+dispatch_request()¶: Subclasses have to override this method to implement the +actual view function code. This method is called with all +the arguments from the URL rule.
+

+ +

+methods = None¶: A for which methods this pluggable view can handle.
+

+ +

+class flask.views.MethodView¶

Like a regular class based view but that dispatches requests to +particular methods. For instance if you implement a method called +get() it means you will response to 'GET' requests and +the dispatch_request() implementation will automatically +forward your request to that. Also options is set for you +automatically:

+

class CounterAPI(MethodView):
+
+    def get(self):
+        return session.get('counter', 0)
+
+    def post(self):
+        session['counter'] = session.get('counter', 0) + 1
+        return 'OK'
+
+app.add_url_rule('/counter', view_func=CounterAPI.as_view('counter'))
+

+

+

+ +

+

URL Route Registrations¶

+

Generally there are three ways to define rules for the routing system:

+

You can use the flask.Flask.route() decorator.
You can use the flask.Flask.add_url_rule() function.
You can directly access the underlying Werkzeug routing system +which is exposed as flask.Flask.url_map.

+

Variable parts in the route can be specified with angular brackets +(/user/<username>). By default a variable part in the URL accepts any +string without a slash however a different converter can be specified as +well by using <converter:name>.

+

Variable parts are passed to the view function as keyword arguments.

+

The following converters are available:

+ ++++ + + + + + + + + + + + + + + +

unicode	accepts any text without a slash (the default)
int	accepts integers
float	like int but for floating point values
path	like the default but also accepts slashes

+

Here are some examples:

+

@app.route('/')
+def index():
+    pass
+
+@app.route('/<username>')
+def show_user(username):
+    pass
+
+@app.route('/post/<int:post_id>')
+def show_post(post_id):
+    pass
+

+

+

An important detail to keep in mind is how Flask deals with trailing +slashes. The idea is to keep each URL unique so the following rules +apply:

+

If a rule ends with a slash and is requested without a slash by the +user, the user is automatically redirected to the same page with a +trailing slash attached.
If a rule does not end with a trailing slash and the user requests the +page with a trailing slash, a 404 not found is raised.

+

This is consistent with how web servers deal with static files. This +also makes it possible to use relative link targets safely.

+

You can also define multiple rules for the same function. They have to be +unique however. Defaults can also be specified. Here for example is a +definition for a URL that accepts an optional page:

+

@app.route('/users/', defaults={'page': 1})
+@app.route('/users/page/<int:page>')
+def show_users(page):
+    pass
+

+

+

This specifies that /users/ will be the URL for page one and +/users/page/N will be the URL for page N.

+

Here are the parameters that route() and +add_url_rule() accept. The only difference is that +with the route parameter the view function is defined with the decorator +instead of the view_func parameter.

+ ++++ + + + + + + + + + + + + + + + + + + + + +

rule	the URL roule as string
endpoint	the endpoint for the registered URL rule. Flask itself +assumes that the name of the view function is the name +of the endpoint if not explicitly stated.
view_func	the function to call when serving a request to the +provided endpoint. If this is not provided one can +specify the function later by storing it in the +`view_functions` dictionary with the +endpoint as key.
defaults	A dictionary with defaults for this rule. See the +example above for how defaults work.
subdomain	specifies the rule for the subdomain in case subdomain +matching is in use. If not specified the default +subdomain is assumed.
**options	the options to be forwarded to the underlying +`Rule` object. A change to +Werkzeug is handling of method options. methods is a list +of methods this rule should be limited to (GET, POST +etc.). By default a rule just listens for GET (and +implicitly HEAD). Starting with Flask 0.6, OPTIONS is +implicitly added and handled by the standard request +handling. They have to be specified as keyword arguments.

+

View Function Options¶

+

For internal usage the view functions can have some attributes attached to +customize behavior the view function would normally not have control over. +The following attributes can be provided optionally to either override +some defaults to add_url_rule() or general behavior:

+

__name__: The name of a function is by default used as endpoint. If +endpoint is provided explicitly this value is used. Additionally this +will be prefixed with the name of the blueprint by default which +cannot be customized from the function itself.
methods: If methods are not provided when the URL rule is added, +Flask will look on the view function object itself is an methods +attribute exists. If it does, it will pull the information for the +methods from there.
provide_automatic_options: if this attribute is set Flask will +either force enable or disable the automatic implementation of the +HTTP OPTIONS response. This can be useful when working with +decorators that want to customize the OPTIONS response on a per-view +basis.

+

Full example:

+

def index():
+    if request.method == 'OPTIONS':
+        # custom options handling here
+        ...
+    return 'Hello World!'
+index.provide_automatic_options = False
+index.methods = ['GET', 'OPTIONS']
+
+app.add_url_rule('/', index)
+

+

+

+New in version 0.8: The provide_automatic_options functionality was added.

+

+ + +

API¶

Application Object¶

Blueprint Objects¶

Incoming Request Data¶

Response Objects¶

Sessions¶

Session Interface¶

Test Client¶

Application Globals¶

Useful Functions and Classes¶

Message Flashing¶

Returning JSON¶

Template Rendering¶

Configuration¶

Extensions¶

Useful Internals¶

Signals¶

Class Based Views¶

URL Route Registrations¶

View Function Options¶

Table Of Contents

Related Topics

This Page

Navigation

API¶

Application Object¶

Blueprint Objects¶

Incoming Request Data¶

Response Objects¶

Sessions¶

Session Interface¶

Test Client¶

Application Globals¶

Useful Functions and Classes¶

Message Flashing¶

Returning JSON¶

Template Rendering¶

Configuration¶

Extensions¶

Useful Internals¶

Signals¶

Class Based Views¶

URL Route Registrations¶

View Function Options¶

Table Of Contents

Related Topics

This Page

Quick search