Merge branch 'master' into inline-boolean

Author: petrus-jvrensburg

README.rst

@@ -43,23 +43,23 @@ on the existing examples, and submit a *pull-request*.
 
 To run the examples in your local environment::
 
-1. Clone the repository::
+  1. Clone the repository::
 
-    git clone https://github.com/flask-admin/flask-admin.git
-    cd flask-admin
+        git clone https://github.com/flask-admin/flask-admin.git
+        cd flask-admin
 
-2. Create and activate a virtual environment::
+  2. Create and activate a virtual environment::
 
-    virtualenv env -p python3
-    source env/bin/activate
+        virtualenv env -p python3
+        source env/bin/activate
 
-3. Install requirements::
+  3. Install requirements::
 
-    pip install -r 'examples/sqla/requirements.txt'
+        pip install -r 'examples/sqla/requirements.txt'
 
-4. Run the application::
+  4. Run the application::
 
-    python examples/sqla/app.py
+        python examples/sqla/app.py
 
 Documentation
 -------------

doc/api/index.rst

@@ -15,6 +15,7 @@ API
    mod_actions
 
    mod_contrib_sqla
+   mod_contrib_sqla_fields
    mod_contrib_mongoengine
    mod_contrib_mongoengine_fields
    mod_contrib_peewee

doc/api/mod_contrib_sqla_fields.rst

@@ -0,0 +1,13 @@
+``flask_admin.contrib.sqla.fields``
+===================================
+
+.. automodule:: flask_admin.contrib.sqla.fields
+
+	.. autoclass:: QuerySelectField
+		:members:
+
+	.. autoclass:: QuerySelectMultipleField
+		:members:
+
+	.. autoclass:: CheckboxListField
+		:members:

doc/changelog.rst

@@ -1,14 +1,16 @@
 Changelog
 =========
 
-next release
+1.5.3
 -----
 
+* Fixed XSS vulnerability
 * Support nested categories in the navbar menu
 * Fix display of inline x-editable boolean fields on list view
 * SQLAlchemy
     * sort on multiple columns with `column_default_sort`
     * sort on related models in `column_sortable_list`
+    * show searchable fields in search input's placeholder text
     * fix: inline model forms can now also be used for models with multiple primary keys
     * support for using mapped `column_property`
 * Upgrade Leaflet and Leaflet.draw plugins, used for geoalchemy integration
@@ -19,6 +21,7 @@ next release
     * handle special characters in filename
     * fix a bug with listing directories on Windows
     * avoid raising an exception when unknown sort parameter is encountered
+* WTForms 3 support
 
 1.5.2
 -----

doc/introduction.rst

@@ -16,11 +16,11 @@ The first step is to initialize an empty admin interface for your Flask app::
     from flask import Flask
     from flask_admin import Admin
 
+    app = Flask(__name__)
+
     # set optional bootswatch theme
     app.config['FLASK_ADMIN_SWATCH'] = 'cerulean'
 
-    app = Flask(__name__)
-
     admin = Admin(app, name='microblog', template_mode='bootstrap3')
     # Add administrative views here
 

examples/sqla/app.py

@@ -202,10 +202,16 @@ class PostAdmin(sqla.ModelView):
     column_labels = dict(title='Post Title')  # Rename 'title' column in list view
     column_searchable_list = [
         'title',
-        User.first_name,
-        User.last_name,
         'tags.name',
+        'user.first_name',
+        'user.last_name',
     ]
+    column_labels = {
+        'title': 'Title',
+        'tags.name': 'tags',
+        'user.first_name': 'user\'s first name',
+        'user.last_name': 'last name',
+    }
     column_filters = [
         'user',
         'title',

flask_admin/__init__.py

@@ -1,4 +1,4 @@
-__version__ = '1.5.2'
+__version__ = '1.5.3'
 __author__ = 'Flask-Admin team'
 __email__ = '[email protected]'
 

flask_admin/_backwards.py

@@ -8,6 +8,11 @@
 import sys
 import warnings
 
+try:
+    from wtforms.widgets import HTMLString as Markup
+except ImportError:
+    from markupsafe import Markup  # noqa: F401
+
 
 def get_property(obj, name, old_name, default=None):
     """

flask_admin/contrib/mongoengine/view.py

@@ -140,7 +140,8 @@ class MyModelView(BaseModelView):
 
     allowed_search_types = (mongoengine.StringField,
                             mongoengine.URLField,
-                            mongoengine.EmailField)
+                            mongoengine.EmailField,
+                            mongoengine.ReferenceField)
     """
         List of allowed search field types.
     """
@@ -466,7 +467,12 @@ def _search(self, query, search_term):
         criteria = None
 
         for field in self._search_fields:
-            flt = {'%s__%s' % (field.name, op): term}
+            if type(field) == mongoengine.ReferenceField:
+                import re
+                regex = re.compile('.*%s.*' % term)
+            else:
+                regex = term
+            flt = {'%s__%s' % (field.name, op): regex}
             q = mongoengine.Q(**flt)
 
             if criteria is None:

flask_admin/contrib/mongoengine/widgets.py

@@ -1,9 +1,10 @@
-from wtforms.widgets import HTMLString, html_params
+from wtforms.widgets import html_params
 
 from jinja2 import escape
 
 from mongoengine.fields import GridFSProxy, ImageGridFsProxy
 
+from flask_admin._backwards import Markup
 from flask_admin.helpers import get_url
 from . import helpers
 
@@ -31,10 +32,10 @@ def __call__(self, field, **kwargs):
                 'marker': '_%s-delete' % field.name
             }
 
-        return HTMLString('%s<input %s>' % (placeholder,
-                                            html_params(name=field.name,
-                                                        type='file',
-                                                        **kwargs)))
+        return Markup('%s<input %s>' % (placeholder,
+                      html_params(name=field.name,
+                                  type='file',
+                                  **kwargs)))
 
 
 class MongoImageInput(object):
@@ -48,7 +49,6 @@ class MongoImageInput(object):
 
     def __call__(self, field, **kwargs):
         kwargs.setdefault('id', field.id)
-
         placeholder = ''
         if field.data and isinstance(field.data, ImageGridFsProxy):
             args = helpers.make_thumb_args(field.data)
@@ -57,7 +57,7 @@ def __call__(self, field, **kwargs):
                 'marker': '_%s-delete' % field.name
             }
 
-        return HTMLString('%s<input %s>' % (placeholder,
-                                            html_params(name=field.name,
-                                                        type='file',
-                                                        **kwargs)))
+        return Markup('%s<input %s>' % (placeholder,
+                      html_params(name=field.name,
+                                  type='file',
+                                  **kwargs)))

flask_admin/contrib/sqla/fields.py

@@ -13,6 +13,7 @@
 
 from .tools import get_primary_key
 from flask_admin._compat import text_type, string_types, iteritems
+from flask_admin.contrib.sqla.widgets import CheckboxListInput
 from flask_admin.form import FormOpts, BaseForm, Select2Widget
 from flask_admin.model.fields import InlineFieldList, InlineModelFormField
 from flask_admin.babel import lazy_gettext
@@ -181,6 +182,30 @@ def pre_validate(self, form):
                     raise ValidationError(self.gettext(u'Not a valid choice'))
 
 
+class CheckboxListField(QuerySelectMultipleField):
+    """
+    Alternative field for many-to-many relationships.
+
+    Can be used instead of `QuerySelectMultipleField`.
+    Appears as the list of checkboxes.
+    Example::
+
+        class MyView(ModelView):
+            form_columns = (
+                'languages',
+            )
+            form_args = {
+                'languages': {
+                    'query_factory': Language.query,
+                },
+            }
+            form_overrides = {
+                'languages': CheckboxListField,
+            }
+    """
+    widget = CheckboxListInput()
+
+
 class HstoreForm(BaseForm):
     """ Form used in InlineFormField/InlineHstoreList for HSTORE columns """
     key = StringField(lazy_gettext('Key'))

flask_admin/contrib/sqla/view.py

@@ -590,10 +590,10 @@ class MyModelView(BaseModelView):
                 column_labels = dict(name='Name', last_name='Last Name')
                 column_searchable_list = ('name', 'last_name')
 
-            placeholder is: "Search: Name, Last Name"
+            placeholder is: "Name, Last Name"
         """
         if not self.column_searchable_list:
-            return 'Search'
+            return None
 
         placeholders = []
 
@@ -605,7 +605,7 @@ class MyModelView(BaseModelView):
                 placeholders.append(
                     self.column_labels.get(searchable, searchable))
 
-        return 'Search: %s' % u', '.join(placeholders)
+        return u', '.join(placeholders)
 
     def scaffold_filters(self, name):
         """
@@ -824,15 +824,17 @@ def get_query(self):
         """
             Return a query for the model type.
 
-            If you override this method, don't forget to override `get_count_query` as well.
-
             This method can be used to set a "persistent filter" on an index_view.
 
             Example::
 
                 class MyView(ModelView):
                     def get_query(self):
                         return super(MyView, self).get_query().filter(User.username == current_user.username)
+
+
+            If you override this method, don't forget to also override `get_count_query`, for displaying the correct
+            item count in the list view, and `get_one`, which is used when retrieving records for the edit view.
         """
         return self.session.query(self.model)
 
@@ -1073,6 +1075,14 @@ def get_one(self, id):
         """
             Return a single model by its id.
 
+            Example::
+
+                def get_one(self, id):
+                    query = self.get_query()
+                    return query.filter(self.model.id == id).one()
+
+            Also see `get_query` for how to filter the list view.
+
             :param id:
                 Model id
         """

flask_admin/contrib/sqla/widgets.py

@@ -0,0 +1,31 @@
+from wtforms.widgets.core import escape
+
+from flask_admin._backwards import Markup
+
+
+class CheckboxListInput:
+    """
+    Alternative widget for many-to-many relationships.
+
+    Appears as the list of checkboxes.
+    """
+    template = (
+        '<div class="checkbox">'
+        ' <label>'
+        '  <input id="%(id)s" name="%(name)s" value="%(id)s" '
+        'type="checkbox"%(selected)s>%(label)s'
+        ' </label>'
+        '</div>'
+    )
+
+    def __call__(self, field, **kwargs):
+        items = []
+        for val, label, selected in field.iter_choices():
+            args = {
+                'id': val,
+                'name': field.name,
+                'label': escape(label),
+                'selected': ' checked' if selected else '',
+            }
+            items.append(self.template % args)
+        return Markup(''.join(items))

flask_admin/form/upload.py

@@ -5,7 +5,7 @@
 from werkzeug.datastructures import FileStorage
 
 from wtforms import ValidationError, fields
-from wtforms.widgets import HTMLString, html_params
+from wtforms.widgets import html_params
 
 try:
     from wtforms.fields.core import _unset_value as unset_value
@@ -15,6 +15,7 @@
 from flask_admin.babel import gettext
 from flask_admin.helpers import get_url
 
+from flask_admin._backwards import Markup
 from flask_admin._compat import string_types, urljoin
 
 
@@ -59,7 +60,7 @@ def __call__(self, field, **kwargs):
         else:
             value = field.data or ''
 
-        return HTMLString(template % {
+        return Markup(template % {
             'text': html_params(type='text',
                                 readonly='readonly',
                                 value=value,
@@ -108,7 +109,7 @@ def __call__(self, field, **kwargs):
         else:
             template = self.empty_template
 
-        return HTMLString(template % args)
+        return Markup(template % args)
 
     def get_url(self, field):
         if field.thumbnail_size: