I am trying to build a small multipage web application using Flask. So far my app consists of two separate routes. The first route renders a small webform that triggers an API request, which generates data that are unique to each user and session. The data come with a unique id for each API response. The second route is used to display the unique results for each user. How can I create an individual results page for each user that is thread-safe and ensures that the data is not accessible to any other user?
Pseudo code:
from flask import Flask, render_template, redirect, request, url_for

app = Flask(__name__)

# A simple webform
@app.route('/', methods=['GET', 'POST'])
def view_form():
    if request.method == "POST":
        # Validate form and perform api request
        return redirect(url_for('view_results'))
    return render_template('main.html')

# Results page
@app.route('/results', methods=['GET'])
def view_results():
    # Show an individual results page
    return render_template('results.html')
CodePudding user response:
This question is very broad. There are tons of ways to implement it.
A closer example would look like:
from flask import Flask, render_template, redirect, request, url_for

app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def view_form():
    if request.method == "POST":
        # get the user id to be able to redirect to the specific results page
        user_id = request.form.get('user_id')
        # redirect to the page for this exact user_id
        return redirect(url_for('view_results', user_id=user_id))
    return render_template('main.html')

@app.route('/results/<user_id>', methods=['GET'])
def view_results(user_id=None):
    # Show individual results according to user_id
    if user_id == 'blahblah':
        return render_template('results_for_blahblah.html')
    # if user_id is None return standard dummy results
    return render_template('results.html')
- Get user_id from the request form data
- Redirect to a new URL with the user_id query parameter
- Respond with a specifically generated template for the specific user with user_id
CodePudding user response:
To have some security in your application's handling of users and their sessions, you should look into the Flask plugin Flask-Login.
I recommend that you also check The Flask Mega-Tutorial by Miguel Grinberg and the guides from OWASP.
Also, as a matter of principle, never ever trust user input as rzlvmp's response does. It may be fabricated to steal someone else's private data from your site.
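
One way to apply the warning above about user input, as an added example that is not code from the question or either answer: ownership of a result is recorded in Flask's signed session cookie when the result is created, and the results route checks that record instead of trusting an id from the form or URL. The `call_api` stub, the in-memory `_results` store, the JSON responses and the per-process random `secret_key` are assumptions made for illustration.

```python
import secrets
import threading

from flask import Flask, abort, jsonify, redirect, request, session, url_for

app = Flask(__name__)
# Assumption: random per-process key; a real deployment loads a fixed secret from config.
app.secret_key = secrets.token_bytes(32)

# Assumption: in-memory store standing in for a database, keyed by result id.
_results = {}
_lock = threading.Lock()  # guards the store shared between worker threads


def call_api(query):
    """Hypothetical stand-in for the API request; returns (unique id, data)."""
    return secrets.token_urlsafe(16), {"query": query}


@app.route("/", methods=["GET", "POST"])
def view_form():
    if request.method == "POST":
        result_id, data = call_api(request.form.get("query", ""))
        with _lock:
            _results[result_id] = data
        # Ownership lives in the signed session cookie, set by the server only.
        session["result_ids"] = session.get("result_ids", []) + [result_id]
        return redirect(url_for("view_results", result_id=result_id))
    return '<form method="post"><input name="query"><button>Go</button></form>'


@app.route("/results/<result_id>")
def view_results(result_id):
    # Same 404 for "not yours" and "does not exist", so ids cannot be probed.
    if result_id not in session.get("result_ids", []):
        abort(404)
    with _lock:
        data = _results.get(result_id)
    if data is None:
        abort(404)
    return jsonify(data)
```

Because the session cookie is signed with `secret_key`, a client cannot add another user's result id to its own `result_ids` list without invalidating the cookie.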