Contains the base application used by other applications.



Baseclass for Morepath OneGov applications.



get_shared_assets_path(→ str)

get_i18n_used_locales(→ set[str])

get_i18n_localedirs(→ list[str])

get_i18n_default_locale(→ str)

get_locale_negotiator(→ Callable[[Sequence[str], ...)

get_static_directory(→ str)

get_template_directory(→ str)




get_status_mail_roles(→ Collection[str])

get_ticket_manager_roles(→ Collection[str])

get_require_complete_userprofile(→ bool)


get_default_directory_search_widget(→ None)

get_default_event_search_widget(→ None)

get_public_ticket_messages(→ Collection[str])

Returns a list of message types which are availble on the ticket

get_disabled_extensions(→ Collection[str])

enable_iframes_tween_factory(→ Callable[[OrgRequest], ...)

get_js_path(→ str)

get_css_path(→ str)

get_webasset_output(→ str)

get_sortable_asset(→ Iterator[str])

get_fullcalendar_asset(→ Iterator[str])

get_reservation_list_asset(→ Iterator[str])

get_code_editor_asset(→ Iterator[str])

get_editor_asset(→ Iterator[str])

get_timeline_asset(→ Iterator[str])

get_redactor_asset(→ Iterator[str])

get_upload_asset(→ Iterator[str])

get_editalttext_asset(→ Iterator[str])

get_prompt(→ Iterator[str])

get_photoswipe_asset(→ Iterator[str])

get_tags_input(→ Iterator[str])

get_filehash(→ Iterator[str])

get_monthly_view(→ Iterator[str])

get_common_asset(→ Iterator[str])

get_fontpreview_asset(→ Iterator[str])

get_scroll_to_username_asset(→ Iterator[str])

get_all_blank_asset(→ Iterator[str])

wrap_with_mtan_hook(→ Callable[[OrgApp, Any, ...)

Module Contents


Bases: onegov.core.Framework, onegov.reservation.LibresIntegration,, onegov.gis.MapboxApp, onegov.file.DepotApp,, onegov.form.FormApp, onegov.user.UserApp, onegov.websockets.WebsocketsApp

Baseclass for Morepath OneGov applications.

serve_static_files = True[source]
send_ticket_statistics = True[source]
is_allowed_application_id(application_id: str) bool[source]

Stops onegov.server from ever passing the request to the org application, if the schema does not exist. This way we can host in a way that allows all requests to *

If the schema for exists, the request is handled. If the schema does not exist, the request is not handled.

Here we basically decide if an org exists or not.

configure_application(**cfg: Any) None[source]

Configures the application. This function calls all methods on the current class which start with configure_, passing the configuration as keyword arguments.

The core itself supports the following parameters. Additional parameters are made available by extra configure_ methods.


The database connection to use. May be None.

See onegov.core.orm.session_manager.setup()


The declarative base class used. By default, onegov.core.orm.Base is used.


True if the identity cookie is only transmitted over https. Only set this to False during development!


A random string used to sign the identity. By default a random string is generated. The drawback of this is the fact that users will be logged out every time the application restarts.

So provide your own if you don’t want that, but be sure to have a really long, really random key that you will never share with anyone!


The redis url used (default is ‘redis://localhost:6379/0’).


The file_storage module to use. See


A dictionary of options passed to the __init__ method of the file_storage class.

The file storage is expected to work as is. For example, if fs.osfs.OSFS is used, the root_path is expected exist.

The file storage can be shared between different onegov.core applications. Each application automatically gets its own namespace inside this space.


If true, the theme is always compiled - no caching is employed.


If true, the theme is recompiled if shift+f5 is done on the browser (or shift + reload button click).


A random string used to sign the csrf token. Make sure this differs from identity_secret! The algorithms behind identity_secret and the csrf protection differ. If the same secret is used we might leak information about said secret.

By default a random string is generated. The drawback of this is the fact that users won’t be able to submit their forms if the app is restarted in the background.

So provide your own, but be sure to have a really long, really random string that you will never share with anyone!


The csrf time limit in seconds. Basically the amount of time a user has to submit a form, from the time it’s rendered.

Defaults to 1’200s (20 minutes).


A dictionary keyed by e-mail category (i.e. ‘marketing’, ‘transactional’) with the following subkeys:

  • host: The mail server to send e-mails from.

  • port: The port used for the mail server.

  • force_tls: True if TLS should be forced.

  • username: The mail username

  • password: The mail password

  • sender: The mail sender

  • use_directory: True if a mail directory should be used

  • directory: Path to the directory that should be used


If true, mails are stored in the maildir defined through mail_directory. There, some other process is supposed to pick up the e-mails and send them.


The directory (maildir) where mails are stored if if mail_use_directory is set to True.


Prints out a report sql queries for each request, unless False. Valid values are:

  • ‘summary’ (only show the number of queries)

  • ‘redundant’ (show summary and the actual redundant queries)

  • ‘all’ (show summary and all executed queries)

Do not use in production!


If true, profiles the request and stores the result in the profiles folder with the following format: YYYY-MM-DD hh:mm:ss.profile

Do not use in production!


If true, exceptions are printed to stderr. Note that you should usually configure logging through onegov.server. This is mainly used for certain unit tests where we use WSGI more directly.

configure_organisation(*, enable_user_registration: bool = False, enable_yubikey: bool = False, disable_password_reset: bool = False, **cfg: Any) None[source]
configure_mtan_hook(**cfg: Any) None[source]

This inserts an mtan hook by wrapping the callable we receive from the key lookup on get_view.

We only need to do this once per application instance and we don’t risk contaminating other applications, since each instance has its own dispatch callable.

This relies heavily on implementation details of reg.dispatch_method and is thus a little bit fragile, take care when upgrading to newer versions of reg!

root_pages() tuple[, Ellipsis][source]
pages_tree() tuple[, Ellipsis][source]

This is the entire pages tree preloaded into the individual parent/children attributes. We optimize this as much as possible by performing the recursive join in Python, rather than SQL.

homepage_template() onegov.core.templates.PageTemplate[source]
ticket_count() onegov.ticket.collection.TicketCount[source]
ticket_permissions() dict[str, dict[str | None, list[str]]][source]
homepage_pages() dict[int, list[]][source]
publications_count() int[source]
prepare_email(reply_to: email.headerregistry.Address | str | None = None, category: Literal['marketing', 'transactional'] = 'marketing', receivers: SequenceOrScalar[Address | str] = (), cc: SequenceOrScalar[Address | str] = (), bcc: SequenceOrScalar[Address | str] = (), subject: str | None = None, content: str | None = None, attachments: Iterable[Attachment | StrPath] = (), headers: dict[str, str] | None = None, plaintext: str | None = None) onegov.core.types.EmailJsonDict[source]

Wraps onegov.core.framework.Framework.prepare_email(), setting the reply_to address by using the reply address from the organisation settings.

property theme_options: dict[str, Any][source]

Returns the application-bound theme options.

property font_family: str | None[source]
property custom_event_tags: list[str] | None[source]
load_custom_event_tags() list[str] | None[source]
property allowed_iframe_domains: list[str][source]
load_allowed_iframe_domains() list[str] | None[source]
property hashed_identity_key: bytes[source]

Take the sha-256 because we want a key that is 32 bytes long.

property custom_event_form_lead: str | None[source]
load_custom_event_form_lead() str | None[source]
checkout_button(button_label: str, title: str, price: Price | None, email: str, locale: str) str | None[source]
redirect_after_login(identity: Identity | NoIdentity, request:, default: str) str | None[source]

Returns the path to redirect after login, given the request and the default login path, which is usually the current path.

Returns a path or None, if the default should be used. str[source] set[str][source] list[str][source] str[source] Callable[[Sequence[str], OrgRequest], str | None][source] str[source] str[source][source] more.content_security.ContentSecurityPolicy[source] Callable[[OrgApp, str], Organisation][source] Collection[str][source] Collection[str][source] bool[source] Callable[[OrgRequest, str], bool][source] None[source] None[source] Collection[str][source]

Returns a list of message types which are availble on the ticket status page, visible to anyone that knows the unguessable url. Collection[str][source] OrgApp, handler: Callable[[OrgRequest], Response]) Callable[[OrgRequest], Response][source] str[source] str[source] str[source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Iterator[str][source] Callable[[OrgApp, Any, OrgRequest], Any]) Callable[[OrgApp, Any, OrgRequest], Any][source]
class reg.dispatch._KeyLookup)[source]
component(key: Sequence[Any]) Callable[..., Any] | None[source]
fallback(key: Sequence[Any]) Callable[..., Any] | None[source]
all(key: Sequence[Any]) Iterator[Callable[..., Any]][source]