def load_user(id):
    """Flask-Login user loader: fetch the ``usager`` row for *id*.

    Returns a ``User`` wrapping the row, or ``None`` when no row matches.
    As a side effect, switches the PostgreSQL session role to the usager's
    name so the role's privileges apply to the queries that follow.
    """
    row = pg.select1r(g.db.cursor(), 'usager', where={'usager_id': id})
    if not row:
        return None
    # VERY IMPORTANT: set the PG role matching this usager so that its
    # privileges are enforced by the database, not only by the application.
    # The role name goes through execute() as a bound parameter rather than
    # being formatted into the statement text.
    g.db.cursor().execute('set role %s', [row['usager_nom']])
    return User(row)
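def login():
    """Authenticate the posted username/password against the ``usager`` table.

    Reads ``username`` and ``password`` from the request form. On success,
    logs the user in (honouring the optional ``remember`` form field) and
    returns the user row as a dict with ``success: True`` and the password
    hash removed. On failure returns ``{'success': False, 'error': ...}``
    where ``error`` is ``'username'`` (no such user) or ``'password'``.
    """
    un = request.form["username"]
    pw = request.form["password"]
    u = pg.select1r(g.db.cursor(), 'usager', where={'usager_nom': un})
    if not u:
        # in principle it's not a good practice to reveal the login error (pw/user),
        # but.. as it's definitely more user-friendly, let's do it anyway!
        return {'success': False, 'error': 'username'}
    # The password is passed to execute() as a bound parameter. Building the
    # crypt() call with "%" string formatting would place the raw password
    # text inside the SQL statement, which is an injection vector.
    cur = g.db.cursor()
    cur.execute(
        "select crypt(%s, mdp_hash) = mdp_hash from usager where usager_nom = %s",
        [pw, un],
    )
    row = cur.fetchone()
    # A NULL mdp_hash makes the comparison NULL, which is treated as a failure.
    if not (row and row[0]):
        return {'success': False, 'error': 'password'}
    # The row from select1r without `what` is what load_user also wraps in
    # User(), so it is an acceptable input here.
    login_user(User(u), remember=('remember' in request.form))
    u = dict(u)
    u.pop('mdp_hash', None)  # never send the stored hash back to the client
    u['success'] = True
    return u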