Porting Customizations

Porting       • Basics       • Customizations       • Advanced      

Read this if you have:

  • Specified custom Form classes (the .py files)
  • Specified custom View functions
  • Specified custom Password or username validators
  • Specified a custom TokenManager
  • Used the optional UserAuth class

This topic assumes that you completed the porting tasks described in Porting Basics.

UserManager customization

In v0.6, Flask-User was customized by adding parameters to the UserManager() instantiation. For example:

# Setup Flask-User
db_adapter = SQLAlchemyAdaper(db, User)
user_manager = UserManager(db_adapter, app,
    register_form = CustomRegisterForm,
    register_view_function = custom_register_view,
    password_validator = custom_password_validator,
    token_manager = CustomTokenManager())

In v1.0, Flask-User is customized by: - Extending the CustomUserManager class - Setting properties in its customize() method - Overriding or extending methods

# Customize Flask-User
class CustomUserManager(UserManager):

    def customize(self, app):
        # Override properties
        self.RegisterFormClass = CustomRegisterForm
        self.token_manager = CustomTokenManager(app)

    # Override methods
    def register_view(self):

    # Extend methods
    def password_validator(self):
        super(CustomUserManager, self).password_validator()

In v1.0, almost all UserManager initiation parameters have been obsolted and now only accepts the following:

  • Required parameters app, db and UserClass.
  • Optional keyword parameters: UserEmailClass and UserInvitationClass.

Data-model changes

The email_confirmed_at property has been renamed.
See Porting Basics for porting steps and Advanced Porting topics for an advanced option.
The UserAuth class has been deprecated.
Support for the optional v0.6 UserAuth class has been dropped in v1.0+ to simplify the Flask-User source code and make it more readable and easier to customize.

See Advanced Porting topics for a workaround if you can not merge the UserAuth and User classes.

The UserInvitation class has been renamed.
The v0.6 UserInvite class has been renamed to UserInvitation in v1.0+ to reflect that it’s an object and not an action.

Use the following approach to use the new class name while keeping the old table name:

class UserInvitation(db.Model):
    __tablename__ = 'user_invite'

Password method changes

We changed the verify_password() API
from v0.6 verify_password(password, user)
to v1.0+ verify_password(password, password_hash)
to keep data-model knowledge out of the PasswordManager.

Please change:

user_manager.verify_password(password, user)


verify_password(password, user.password)

@confirm_email_required decorator deprecated

The @confirm_email_required view decorator has been deprecated for security reasons.

In v0.6, the USER_ENABLE_LOGIN_WITHOUT_CONFIRM_EMAIL setting removed confirmed email protection for all the views and required developers to re-protect the vulnerable views with @confirm_email_required.

In v1.0+ we adopt the opposite approach where the (renamed) USER_ALLOW_LOGIN_WITHOUT_CONFIRMED_EMAIL=True setting continues to protect all the views, except those decorated with the new @allow_unconfirmed_email decorator.

Contact us

We believe this concludes the Porting steps for for applications with a high degree of Flask-User customizations.

If, after reading Advanced Porting topics, you still think this page is incomplete, please email ling.thio@gmail.com.

Porting       • Basics       • Customizations       • Advanced