MANZIL is a web-based platform for buying, selling, and renting properties. Users can browse listings, filter searches by location, price, and type, view detailed property pages with images, and communicate with sellers or agents.
- User authentication (register, login, logout)
- Create, edit, and remove property listings with images
- Search and filtering by multiple criteria
- Messaging / contact between users and listers
- Admin views for managing listings and users
- Responsive UI for desktop and mobile
- Backend: Flask, SQLAlchemy
- Frontend: HTML, CSS, JavaScript
- Database: SQLite (default)
The application uses the exact packages listed in requirements.txt.
- blinker==1.9.0
- click==8.3.0
- colorama==0.4.6
- Flask==3.1.2
- Flask-Login==0.6.3
- Flask-SQLAlchemy==3.1.1
- Flask-Migrate (database migrations; installs Alembic)
- greenlet==3.2.4
- itsdangerous==2.2.0
- Jinja2==3.1.6
- MarkupSafe==3.0.3
- passlib==1.7.4
- SQLAlchemy==2.0.44
- typing_extensions==4.15.0
- Werkzeug==3.1.3
Install with:
```bash
python -m venv venv
# macOS / Linux
source venv/bin/activate
# Windows (PowerShell)
venv\Scripts\Activate.ps1
pip install -r requirements.txt
```

- The repository includes an `instance/` folder for local configuration. Create or update `instance/config.py` (or set environment variables) to provide secrets and database URLs.
- The session secret key is read from the `SECRET_KEY` environment variable, with a development-only fallback. Set a real value in production:

```powershell
$env:SECRET_KEY = "a-long-random-string"
```

Note on git history: the initial commit contained a hardcoded placeholder secret key. It was never used in any deployment and is treated as rotated; since the hardening pass, the application only trusts the `SECRET_KEY` environment variable, and the in-code fallback is a non-secret development placeholder.

- Typical environment variables used by the app:
  - `FLASK_APP=app.py`
  - `FLASK_ENV=development` (for local development)
  - `DATABASE_URL` (optional; defaults to SQLite if unset)
On Windows PowerShell:
```powershell
$env:FLASK_APP = "app.py"
$env:FLASK_ENV = "development"
flask run
```

- This repo includes a `migrations/` folder (Alembic). If you need to run or update migrations, install Alembic and run:

```bash
pip install alembic
alembic upgrade head
```

If you prefer Flask-Migrate workflows, you can adapt the migration steps accordingly.
- Activate your virtual environment
- Install dependencies (`pip install -r requirements.txt`)
- Set environment variables (see Configuration)
- Initialize or migrate the database if needed
- Start the server:

```bash
flask run
```
Access the app at: http://127.0.0.1:5000
- Project Lead - Sameer Ahmed: https://github.com/sameer7075
- Muhammad Subhan: https://github.com/Denarzai
- Affaf Shahid: https://github.com/Affaf-Shahid
This project was developed by a 3-person team as part of a Software Engineering university course.
- Designed overall system architecture
- Implemented backend using Flask
- Developed authentication system (Flask-Login)
- Set up database models and relationships (SQLAlchemy)
- Managed project structure and integration
- Coordinated tasks and ensured feature completion
- Built the property listing, property detail, add/edit property, favorites, and messaging thread pages
- Implemented the search and filter UI with multi-criteria inputs (location, price range, property type)
- Applied responsive CSS layout and styling across all frontend pages
- Led a post-submission security and hardening pass: added input validation on registration and numeric form fields, restricted image upload types with timestamped filenames, moved the session secret key to an environment variable, enforced suspended-account blocking at login, and fixed the missing Flask-Migrate dependency
- Assisted in frontend and testing
- Helped with UI improvements and bug fixes
- Supported documentation and project refinement
A bug-fixing and security-hardening pass after the course submission:
- Registration now validates empty fields and duplicate usernames instead of crashing with a database IntegrityError
- Session secret key moved from a hardcoded string to the `SECRET_KEY` environment variable
- Property image uploads restricted to image file types, with timestamped filenames to prevent two uploads with the same name overwriting each other
- Numeric form fields (price, area, bedrooms, bathrooms) no longer crash the server when left empty
- Message attachment uploads no longer fail when the browser omits the Content-Length header
- Suspended accounts are now actually blocked at login
- `Flask-Migrate` added to `requirements.txt` (it was imported by the app but missing from the file, so fresh installs failed)
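
The image-upload restriction in the list above can be sketched as follows. This is an added example, not code from the MANZIL repository, and it goes slightly beyond the list by also checking file signatures and appending a random suffix to the timestamp. The function name, the allowlist and the naming scheme are assumptions.

```python
import os
import secrets
import time

# Assumed allowlist: extension -> accepted leading bytes (file signatures).
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails the image checks."""


def stored_image_name(client_name, head, now=None):
    """Return the server-side filename for an upload, or raise UploadRejected.

    client_name: filename sent by the browser (untrusted).
    head: first bytes of the uploaded file content.
    now: epoch seconds, injectable for tests; defaults to the current time.
    """
    # Drop any directory part the client sent, for either separator style.
    base = os.path.basename(client_name.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected("extension not allowed")
    # The extension is client-controlled, so also check the content signature.
    if not any(head.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Timestamp plus random suffix: two uploads in the same second do not
    # overwrite each other, and no part of the client name reaches the disk.
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    return f"{stamp}_{secrets.token_hex(4)}.{ext}"
```

A signature check only confirms the leading bytes; serving the upload directory with fixed image content types and without script execution remains a separate control.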
Contributions are welcome. Typical workflow:
- Fork the repository
- Create a feature branch: `git checkout -b feature-name`
- Commit changes: `git commit -m "Add feature"`
- Push and open a pull request


