pallets-eco / flask-security

Quick and simple security for Flask applications
MIT License

Can not use SECURITY_UNAUTHORIZED_VIEW to redirect. #821

Open odinms opened 5 years ago

odinms commented 5 years ago

1. From the Flask docs:

url_for() usage is like: return redirect(url_for('auth.login'))

This will get you the URL for auth.login().

2. If SECURITY_UNAUTHORIZED_VIEW is set right, e.g.

SECURITY_UNAUTHORIZED_VIEW = 'auth.login'

view = utils.get_url(utils.config_value('UNAUTHORIZED_VIEW')) will set view = "/login", which is the URL of the login page corresponding to the 'auth.login' endpoint:

from flask import url_for

def get_url(endpoint_or_url):
    # An endpoint name resolves to its URL; anything url_for() rejects
    # (for example a string that is already a URL) is returned unchanged.
    try:
        return url_for(endpoint_or_url)
    except:
        return endpoint_or_url

And since view = "/login" is just a STRING, not a callable(), it will go to

from flask import url_for
from werkzeug.routing import BuildError

# view is the string returned by get_url() above, i.e. "/login"
try:
    view = url_for(view)
except BuildError:
    view = None

THEN everything goes wrong here! url_for() cannot take "/login" as input, since it has already been processed by url_for() once! It will always raise an error!

So the code runs into except BuildError: view = None, and finally ends up with view = None.

So it redirects to request.referrer or '/' forever!

_Originally posted by @odinms in https://github.com/mattupstate/flask-security/issue_comments#issuecomment-448192001_

skozlovf commented 5 years ago

Same for me. Fixed in #726, which is not merged.

The workaround is to make it a function:

from flask import url_for

SECURITY_UNAUTHORIZED_VIEW = lambda: url_for('auth.login')
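The walkthrough in the issue and the callable workaround above, replayed in a minimal Flask app. This is an added example, not flask-security's code: the blueprint name "auth", the "login" and "/members" routes, and the helper names resolve_unauthorized_view(), resolutions() and redirect_target() are assumptions made for the demo. It shows that get_url('auth.login') yields "/login", that a second url_for() pass on that string raises BuildError and leaves the view as None (so the redirect falls back to the referrer or "/"), and that a callable setting survives because it is called instead of being passed through url_for() again.

```python
# Added example, not flask-security's own code: a minimal Flask app that
# replays the two url_for() passes described in the issue and shows why a
# callable setting works. The blueprint "auth", the views "login" and
# "members", and the helper names below are assumptions for this demo.
from flask import Blueprint, Flask, redirect, request, url_for
from werkzeug.routing import BuildError

app = Flask(__name__)
auth = Blueprint("auth", __name__)


@auth.route("/login")
def login():
    return "login page"


app.register_blueprint(auth)
app.config["UNAUTHORIZED_VIEW"] = "auth.login"   # the setting under discussion


def get_url(endpoint_or_url):
    """Same shape as the get_url() quoted in the issue: an endpoint name is
    turned into a URL; anything url_for() rejects (a URL string, a callable)
    is handed back unchanged. The quoted original uses a bare except, which
    also swallows the TypeError url_for() raises for a non-string argument."""
    try:
        return url_for(endpoint_or_url)
    except Exception:
        return endpoint_or_url


def resolve_unauthorized_view(setting, second_url_for=True):
    """Replay the lookup the issue walks through. With second_url_for=True the
    string returned by get_url() is passed through url_for() a second time,
    which raises BuildError for "/login" and leaves the view as None. With
    second_url_for=False the value from get_url() is used as-is."""
    view = get_url(setting)
    if callable(view):
        return view()                      # the workaround path: call, don't rebuild
    if second_url_for:
        try:
            return url_for(view)           # url_for("/login") -> BuildError
        except BuildError:
            return None
    return view


def login_url():
    """Callable form of the setting, as in the workaround."""
    return url_for("auth.login")


@app.route("/members")
def members():
    # Stand-in for a failed permission check. The fallback mirrors the one the
    # issue describes: the resolved view, else the referrer, else "/".
    view = resolve_unauthorized_view(app.config["UNAUTHORIZED_VIEW"])
    return redirect(view or request.referrer or "/")


def resolutions():
    """Return what each form of the setting resolves to. url_for() needs a
    request context, hence test_request_context()."""
    with app.test_request_context():
        return {
            "get_url": get_url("auth.login"),
            "string": resolve_unauthorized_view("auth.login"),
            "string_single_pass": resolve_unauthorized_view("auth.login", second_url_for=False),
            "callable": resolve_unauthorized_view(login_url),
        }


def redirect_target(setting):
    """Hit /members with the given setting and return (status, Location)."""
    app.config["UNAUTHORIZED_VIEW"] = setting
    resp = app.test_client().get("/members")
    return resp.status_code, resp.headers["Location"]


if __name__ == "__main__":
    print(resolutions())
    print(redirect_target("auth.login"))   # string setting: falls back to "/"
    print(redirect_target(login_url))      # callable setting: redirects to /login
```

Running the file prints the four resolutions and the two redirect targets; the string setting never reaches the login page, while the callable does, matching both comments above.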