librelist archives

Flask-WTF csrf with FieldList

From: Paolo Tessarolo
Date: 2010-10-09 @ 06:35

Hi all,
I'm playing with Flask to understand how it works and I'm having the
following problem with Flask-WTF, apparently related to the CSRF ('Missing
or invalid CSRF token') when using a form with FieldList.

The code to reproduce the problem is the following:

from flask import Flask, render_template, flash
from flaskext.wtf import (Form, TextField, Required, FormField, FieldList,
                          SelectField)
app = Flask(__name__)


app.secret_key = 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT'


class IMForm(Form):
    protocol = SelectField(choices=[('aim', 'AIM'), ('msn', 'MSN')])
    username = TextField()

class ContactForm(Form):
    first_name  = TextField()
    last_name   = TextField()
    im_accounts = FieldList(FormField(IMForm), min_entries = 1)



@app.route('/', methods=['GET', 'POST'])
def index():
    this_form = ContactForm()

    if this_form.validate_on_submit():
       flash("success")
       print "validated"
       return render_template('test.html', form=this_form, a="validated")
    return render_template('test.html', form=this_form,  a="not validated")


if __name__ == '__main__':
    app.run(debug=True)


The template is the following:

{% with messages = get_flashed_messages() %}
  {% if messages %}
    <ul class=flashes>
    {% for message in messages %}
      <li>{{ message }}</li>
    {% endfor %}
    </ul>
  {% endif %}
{% endwith %}

{{ form.errors }}

<form action="." method=post class=add-entry>


{{ form.first_name.label }}: {{ form.first_name }} <br/>
{{ form.hidden_tag() }}

{{ form.last_name.label }}: {{ form.last_name }}<br/>
<hr/>
{% for im_account in form.im_accounts %}

  {{ im_account.protocol.label }}: {{ im_account.protocol }} <br/>

  {{ im_account.username.label }}: {{ im_account.username }} <br/>
<hr/>
{% endfor %}
<input type=submit value=Share>
</form>

{{a}}




Running this code results in two errors:
{'im_accounts': [{'csrf': ['Missing or invalid CSRF token']}], 'csrf':
['Missing or invalid CSRF token']}

It looks like Flask-WTF is looking for a CSRF token within the
FieldList, and in fact playing with the console revealed that each
im_account in im_accounts has its own csrf field.

What do I have to do to solve this?


Thank you in advance.


P.

Re: [flask] Flask-WTF csrf with FieldList

From: Dan Jacob
Date: 2010-10-09 @ 07:44

class IMForm(Form):
    # ... your fields
    def __init__(self, *args, **kwargs):
        # no CSRF field on the nested subform
        kwargs['csrf_enabled'] = False
        super(IMForm, self).__init__(*args, **kwargs)


Re: [flask] Flask-WTF csrf with FieldList

From: Paolo Tessarolo
Date: 2010-10-09 @ 11:14

Terrific,

Thanks.


P.

