1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Step 5: The View Functions — Flask 0.8 documentation</title>
<link rel="stylesheet" href="../_static/flasky.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '0.8',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="top" title="Flask 0.8 documentation" href="../index.html" />
<link rel="up" title="Tutorial" href="index.html" />
<link rel="next" title="Step 6: The Templates" href="templates.html" />
<link rel="prev" title="Step 4: Request Database Connections" href="dbcon.html" />
<link rel="apple-touch-icon" href="../_static/touch-icon.png" />
<link media="only screen and (max-device-width: 480px)" href="../_static/small_flask.css" type= "text/css" rel="stylesheet" />
</head>
<body>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="templates.html" title="Step 6: The Templates"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="dbcon.html" title="Step 4: Request Database Connections"
accesskey="P">previous</a> |</li>
<li><a href="../index.html">Flask 0.8 documentation</a> »</li>
<li><a href="index.html" accesskey="U">Tutorial</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="step-5-the-view-functions">
<span id="tutorial-views"></span><h1>Step 5: The View Functions<a class="headerlink" href="#step-5-the-view-functions" title="Permalink to this headline">¶</a></h1>
<p>Now that the database connections are working we can start writing the
view functions. We will need four of them:</p>
<div class="section" id="show-entries">
<h2>Show Entries<a class="headerlink" href="#show-entries" title="Permalink to this headline">¶</a></h2>
<p>This view shows all the entries stored in the database. It listens on the
root of the application and will select title and text from the database.
The one with the highest id (the newest entry) will be on top. The rows
returned from the cursor are tuples with the columns ordered like specified
in the select statement. This is good enough for small applications like
here, but you might want to convert them into a dict. If you are
interested in how to do that, check out the <a class="reference internal" href="../patterns/sqlite3.html#easy-querying"><em>Easy Querying</em></a> example.</p>
<p>The view function will pass the entries as dicts to the
<cite>show_entries.html</cite> template and return the rendered one:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="nd">@app.route</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">show_entries</span><span class="p">():</span>
<span class="n">cur</span> <span class="o">=</span> <span class="n">g</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s">'select title, text from entries order by id desc'</span><span class="p">)</span>
<span class="n">entries</span> <span class="o">=</span> <span class="p">[</span><span class="nb">dict</span><span class="p">(</span><span class="n">title</span><span class="o">=</span><span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">text</span><span class="o">=</span><span class="n">row</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">cur</span><span class="o">.</span><span class="n">fetchall</span><span class="p">()]</span>
<span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'show_entries.html'</span><span class="p">,</span> <span class="n">entries</span><span class="o">=</span><span class="n">entries</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="add-new-entry">
<h2>Add New Entry<a class="headerlink" href="#add-new-entry" title="Permalink to this headline">¶</a></h2>
<p>This view lets the user add new entries if they are logged in. This only
responds to <cite>POST</cite> requests, the actual form is shown on the
<cite>show_entries</cite> page. If everything worked out well we will
<a class="reference internal" href="../api.html#flask.flash" title="flask.flash"><tt class="xref py py-func docutils literal"><span class="pre">flash()</span></tt></a> an information message to the next request and
redirect back to the <cite>show_entries</cite> page:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="nd">@app.route</span><span class="p">(</span><span class="s">'/add'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s">'POST'</span><span class="p">])</span>
<span class="k">def</span> <span class="nf">add_entry</span><span class="p">():</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">session</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s">'logged_in'</span><span class="p">):</span>
<span class="n">abort</span><span class="p">(</span><span class="mi">401</span><span class="p">)</span>
<span class="n">g</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s">'insert into entries (title, text) values (?, ?)'</span><span class="p">,</span>
<span class="p">[</span><span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s">'title'</span><span class="p">],</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s">'text'</span><span class="p">]])</span>
<span class="n">g</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span>
<span class="n">flash</span><span class="p">(</span><span class="s">'New entry was successfully posted'</span><span class="p">)</span>
<span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s">'show_entries'</span><span class="p">))</span>
</pre></div>
</div>
<p>Note that we check that the user is logged in here (the <cite>logged_in</cite> key is
present in the session and <cite>True</cite>).</p>
<div class="admonition-security-note admonition ">
<p class="first admonition-title">Security Note</p>
<p class="last">Be sure to use question marks when building SQL statements, as done in the
example above. Otherwise, your app will be vulnerable to SQL injection when
you use string formatting to build SQL statements.
See <a class="reference internal" href="../patterns/sqlite3.html#sqlite3"><em>Using SQLite 3 with Flask</em></a> for more.</p>
</div>
</div>
<div class="section" id="login-and-logout">
<h2>Login and Logout<a class="headerlink" href="#login-and-logout" title="Permalink to this headline">¶</a></h2>
<p>These functions are used to sign the user in and out. Login checks the
username and password against the ones from the configuration and sets the
<cite>logged_in</cite> key in the session. If the user logged in successfully, that
key is set to <cite>True</cite>, and the user is redirected back to the <cite>show_entries</cite>
page. In addition, a message is flashed that informs the user that he or
she was logged in successfully. If an error occurred, the template is
notified about that, and the user is asked again:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="nd">@app.route</span><span class="p">(</span><span class="s">'/login'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s">'GET'</span><span class="p">,</span> <span class="s">'POST'</span><span class="p">])</span>
<span class="k">def</span> <span class="nf">login</span><span class="p">():</span>
<span class="n">error</span> <span class="o">=</span> <span class="bp">None</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s">'POST'</span><span class="p">:</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s">'username'</span><span class="p">]</span> <span class="o">!=</span> <span class="n">app</span><span class="o">.</span><span class="n">config</span><span class="p">[</span><span class="s">'USERNAME'</span><span class="p">]:</span>
<span class="n">error</span> <span class="o">=</span> <span class="s">'Invalid username'</span>
<span class="k">elif</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s">'password'</span><span class="p">]</span> <span class="o">!=</span> <span class="n">app</span><span class="o">.</span><span class="n">config</span><span class="p">[</span><span class="s">'PASSWORD'</span><span class="p">]:</span>
<span class="n">error</span> <span class="o">=</span> <span class="s">'Invalid password'</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">session</span><span class="p">[</span><span class="s">'logged_in'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span>
<span class="n">flash</span><span class="p">(</span><span class="s">'You were logged in'</span><span class="p">)</span>
<span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s">'show_entries'</span><span class="p">))</span>
<span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'login.html'</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="n">error</span><span class="p">)</span>
</pre></div>
</div>
<p>The logout function, on the other hand, removes that key from the session
again. We use a neat trick here: if you use the <a class="reference external" href="http://docs.python.org/dev/library/stdtypes.html#dict.pop" title="(in Python v3.3)"><tt class="xref py py-meth docutils literal"><span class="pre">pop()</span></tt></a> method
of the dict and pass a second parameter to it (the default), the method
will delete the key from the dictionary if present or do nothing when that
key is not in there. This is helpful because now we don’t have to check
if the user was logged in.</p>
<div class="highlight-python"><div class="highlight"><pre><span class="nd">@app.route</span><span class="p">(</span><span class="s">'/logout'</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">logout</span><span class="p">():</span>
<span class="n">session</span><span class="o">.</span><span class="n">pop</span><span class="p">(</span><span class="s">'logged_in'</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span>
<span class="n">flash</span><span class="p">(</span><span class="s">'You were logged out'</span><span class="p">)</span>
<span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s">'show_entries'</span><span class="p">))</span>
</pre></div>
</div>
<p>Continue with <a class="reference internal" href="templates.html#tutorial-templates"><em>Step 6: The Templates</em></a>.</p>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper"><p class="logo"><a href="../index.html">
<img class="logo" src="../_static/flask.png" alt="Logo"/>
</a></p>
<h3><a href="../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Step 5: The View Functions</a><ul>
<li><a class="reference internal" href="#show-entries">Show Entries</a></li>
<li><a class="reference internal" href="#add-new-entry">Add New Entry</a></li>
<li><a class="reference internal" href="#login-and-logout">Login and Logout</a></li>
</ul>
</li>
</ul>
<h3>Related Topics</h3>
<ul>
<li><a href="../index.html">Documentation overview</a><ul>
<li><a href="index.html">Tutorial</a><ul>
<li>Previous: <a href="dbcon.html" title="previous chapter">Step 4: Request Database Connections</a></li>
<li>Next: <a href="templates.html" title="next chapter">Step 6: The Templates</a></li>
</ul></li>
</ul></li>
</ul>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/tutorial/views.txt"
rel="nofollow">Show Source</a></li>
</ul>
<div id="searchbox" style="display: none">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
Enter search terms or a module, class or function name.
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer">
© Copyright 2010, Armin Ronacher.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a>.
</div>
</body>
</html>
|
