python - Flask Confirm Action

Question

I'm creating a site using the Flask framework, and am implementing a confirmation page for (mainly administrative) actions; i.e. deleting a user.

My current method (detailed below) works, but feels quite clunky and seems like a huge amount of work for a simple task. Is there a more optimal solution to this?

Currently I have a route to initiate the action:

@admin.route('/user/<int:user_id>/delete', methods=['GET'])
@login_required
@admin_required
def del_user(user_id):
    user = User.query.get_or_404(user_id)
    desc = "delete"
    subject = user.username
    action = 'admin.do_del_user'
    next = url_for('admin.get_user', user_id=user.id)
    return redirect(url_for('main._confirm', desc=desc, subject=subject, action=action, next=next, user_id=user.id))

Which redirects over to the confirm route:

@main.route('/confirm', methods=['GET', 'POST'])
def _confirm():
    form = Confirm()
    kwargs = {}
    for arg in request.args:
        if arg != 'action' or arg != 'desc' or arg != 'subject':
            kwargs[arg] = request.args[arg]
    action = request.args.get('action')
    desc = request.args.get('desc')
    subject = request.args.get('subject')

    if action is None:
        abort(404)

    if form.validate_on_submit():
        return redirect(url_for(action, confirm=form.confirm.data, **kwargs))
    return render_template('_confirm.html', form=form, desc=desc, subject=subject)

Which then redirects again to do the actual action after validating the confirmation form:

@admin.route('/user/<int:user_id>/do_delete', methods=['GET'])
@login_required
@admin_required
def do_del_user(user_id):
    confirm = request.args.get('confirm')
    next = request.args.get('next')
    if confirm:
        user = User.query.get_or_404(user_id)
        db.session.delete(user)
        db.session.commit()
    return redirect(next)

I hope that makes sense! Just to note, desc and subject are passed for the confirmation template, and the kwargs is just to catch anything url_for() needs in building the urls.

Answer 1

I think the simplest approach would be to do the confirmation client-side. It's not visually pretty, but a window.confirm('Are you sure?'); would do the same thing.

That said, if you're only looking for a server-side solution, you could create a @confirmation_required decorator to handle the redirects. Then, you can wrap any view you need confirmation for with it, passing in a function to get the message you want to display.

from functools import wraps
from urllib import urlencode, quote, unquote
from flask import Flask, request, redirect, url_for, render_template

app = Flask(__name__)

def confirmation_required(desc_fn):
    def inner(f):
        @wraps(f)
        def wrapper(*args, **kwargs):
            if request.args.get('confirm') != '1':
                desc = desc_fn()
                return redirect(url_for('confirm', 
                    desc=desc, action_url=quote(request.url)))
            return f(*args, **kwargs)
        return wrapper
    return inner

@app.route('/confirm')
def confirm():
    desc = request.args['desc']
    action_url = unquote(request.args['action_url'])

    return render_template('_confirm.html', desc=desc, action_url=action_url)

def you_sure():
    return "Are you sure?"

@app.route('/')
@confirmation_required(you_sure)
def hello_world():
    return 'Hello World!'


if __name__ == '__main__':
    app.run(debug=True)

_confirm.html:

<html xmlns="http://www.w3.org/1999/html">
<body>
<h1>{{ desc }}</h1>
<form action="{{ action_url }}" method="GET">
    <input type="hidden" name="confirm" value="1">
    <input type="submit" value="Yes">
</form>
</body>
</html>

Note though that doing this redirecting will only work if the view you are wrapping accepts a GET, and it's not a good idea to allow GETs for any operation that modifies data. (See Why shouldn't data be modified on an HTTP GET request?)

Update: If you really wanted a generic solution that worked with POSTs, I would switch to class-based views and create a mixin that handles the confirmation logic. Something like:

class ConfirmationViewMixin(object):
    confirmation_template = '_confirm.html'

    def get_confirmation_context(self):
        # implement this in your view class
        raise NotImplementedError()

    def post(self):
        if request.args.get('confirm') == '1':
            return super(ConfirmationViewMixin, self).post()

        return render_template(
            self.confirmation_template, **self.get_confirmation_context())

(That's untested, not sure how that would fare. But you get the idea.)