pallets-eco / flask-security-3.0

Quick and simple security for Flask applications
MIT License

Password reset creates new user even if REGISTERABLE is False + wrong redirect #732

Open danaki opened 6 years ago

danaki commented 6 years ago
SECURITY_URL_PREFIX = "/admin"

# Flask-Security URLs, overridden because they don't put a / at the end
SECURITY_LOGIN_URL = "/login/"
SECURITY_LOGOUT_URL = "/logout/"

SECURITY_POST_LOGIN_VIEW = "/admin/"
SECURITY_POST_LOGOUT_VIEW = "/admin/"

SECURITY_REGISTERABLE = False
SECURITY_CONFIRMABLE = False
SECURITY_SEND_REGISTER_EMAIL = False
SECURITY_RECOVERABLE = True

Flask-Security is

git+https://github.com/mattupstate/flask-security.git@develop

pip freeze

asn1crypto==0.23.0
Babel==2.5.1
blinker==1.4
certifi==2017.11.5
cffi==1.11.2
chardet==3.0.4
click==6.7
cryptography==2.1.3
enum-compat==0.0.2
eventlet==0.21.0
Flask==0.12.2
Flask-Admin==1.5.0
Flask-BabelEx==0.9.3
Flask-HTTPAuth==3.2.3
Flask-Login==0.4.0
Flask-Mail==0.9.1
flask-mongoengine==0.9.3
flask-mongoengine-migrations==0.2.1
Flask-Principal==0.4.0
Flask-Script==2.0.6
Flask-Security==3.0.0
Flask-WTF==0.14.2
greenlet==0.4.12
idna==2.6
itsdangerous==0.24
Jinja2==2.10
MarkupSafe==1.0
mongoengine==0.15.0
passlib==1.7.1
pycparser==2.18
pymongo==3.5.1
pyOpenSSL==17.3.0
pytz==2017.3
requests==2.18.4
six==1.11.0
speaklater==1.3
structlog==17.2.0
urllib3==1.22
Werkzeug==0.12.2
WTForms==2.1

To reproduce:

And another problem is that after a password reset, the user is redirected to /login, which produces "Resource doesn't exist." in my case. It seems it does not respect the SECURITY_URL_PREFIX setting.

danaki commented 6 years ago

I downgraded to 1.7, and the second problem disappeared. I understand that SECURITY_REGISTERABLE disables the endpoint, but how do I disable signup completely? In my project only the admin is allowed to create users.

biomap commented 6 years ago

This would be private registration (allowing only x role to register users), which the current project does not support. I have this in my project, but I am using a highly modified version of v1.7. It's not that difficult to implement, but at this time you would need to write the code yourself to allow only admins or w/e role to be able to do this. Setting SECURITY_REGISTERABLE = False should, however, disable user registration within the application. To do it manually (but still within a web application context) you could use Flask-Admin, which gives you an admin page to do this if you would like to do it that way.