Best way to make Flask-Login's login_required the default

Question

Like this question: Best way to make Django's login_required the default

I\'m using Flask-Login\'s login_required decorator now. Is there anyway to

Answer 1

This is a follow up ( bit more pythonic but thats debatable ) to @MalphasWats already great answer.

Also includes an important security fix suggested by @nonagon.

Explanation of the vulnerability with 'static' in request.endpoint:

Imagine that there is route which can be user defiened in some way, like a profile link for example.

If the user sets his name lets say Static Joe, then:

"Static Joe" --slugifys--> /usr/profiles/static_joe.

This way making this route public. This is just asking for trouble.

---

Here is the route guard function which is appened before every request handling:

@app.before_request
def check_route_access():
    if any([request.endpoint.startswith('static/'),
            current_user.is_authenticated,  # From Flask-Login
            getattr(app.view_functions[request.endpoint],'is_public',False)]):
        return  # Access granted
    else:
        return redirect(url_for('users.login_page'))

( Flask-Login is an excellent module and makes session handling a breeze )

And here is the decorator ( @public_route ) which you can use to allow access to special pages that need public access by default. (register page, login page):

def public_route(decorated_function):
    decorated_function.is_public = True
    return decorated_function