Clean up CSRF section and move it to index page.

doc/advanced.rst

@@ -336,75 +336,6 @@ Form Rendering Rule                                     Description
 :class:`flask_admin.form.rules.FieldSet`                Renders form header and child rules
 ======================================================= ========================================================
 
-Enabling CSRF Validation
------------------------------
-
-****
-
-TODO: make this easier to understand
-
-Adding CSRF validation will require overriding the :class:`flask_admin.form.BaseForm` by using :attr:`flask_admin.model.BaseModelView.form_base_class`.
-
-WTForms >=2::
-
-    from wtforms.csrf.session import SessionCSRF
-    from wtforms.meta import DefaultMeta
-    from flask import session
-    from datetime import timedelta
-    from flask_admin import form
-    from flask_admin.contrib import sqla
-
-    class SecureForm(form.BaseForm):
-        class Meta(DefaultMeta):
-            csrf = True
-            csrf_class = SessionCSRF
-            csrf_secret = b'EPj00jpfj8Gx1SjnyLxwBBSQfnQ9DJYe0Ym'
-            csrf_time_limit = timedelta(minutes=20)
-
-            @property
-            def csrf_context(self):
-                return session
-
-    class ModelAdmin(sqla.ModelView):
-        form_base_class = SecureForm
-
-For WTForms 1, you can use use Flask-WTF's Form class::
-
-    import os
-    import flask
-    import flask_wtf
-    import flask_admin
-    import flask_sqlalchemy
-    from flask_admin.contrib.sqla import ModelView
-
-    DBFILE = 'app.db'
-
-    app = flask.Flask(__name__)
-    app.config['SECRET_KEY'] = 'Dnit7qz7mfcP0YuelDrF8vLFvk0snhwP'
-    app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + DBFILE
-    app.config['CSRF_ENABLED'] = True
-
-    flask_wtf.CsrfProtect(app)
-    db = flask_sqlalchemy.SQLAlchemy(app)
-    admin = flask_admin.Admin(app, name='Admin')
-
-    class MyModelView(ModelView):
-        # Here is the fix:
-        form_base_class = flask_wtf.Form
-
-    class User(db.Model):
-        id = db.Column(db.Integer, primary_key=True)
-        username = db.Column(db.String)
-        password = db.Column(db.String)
-
-    if not os.path.exists(DBFILE):
-        db.create_all()
-
-    admin.add_view( MyModelView(User, db.session, name='User') )
-
-    app.run(debug=True)
-
-
 .. _database-backends:
 
 Using Different Database Backends

doc/index.rst

@@ -75,6 +75,29 @@ There are many options available for customizing the display and functionality o
 For more details on that, see :ref:`customising-builtin-views`. For more details on the other
 ORM backends that are available, see :ref:`database-backends`.
 
+Enabling CSRF Validation
+-----------------------------
+
+****
+
+To add CSRF protection to the forms that are generated by *ModelView* instances, use the
+`FlaskWTF <https://flask-wtf.readthedocs.org/>`_ form class in your *ModelView*
+subclass by specifying the *form_base_class* parameter::
+
+    from flask_admin.contrib.sqla import ModelView
+    import flask_wtf
+
+    # Flask and Flask-SQLAlchemy initialization here
+
+    app.config['CSRF_ENABLED'] = True
+    flask_wtf.CsrfProtect(app)
+
+    class MicroBlogModelView(ModelView):
+        form_base_class = flask_wtf.Form
+
+The FlaskWTF form class comes with CSRF protection builtin, so it will generate
+the tokens for you, and validate them when the forms are submitted.
+
 Adding Content to the Index Page
 ------------------------------------
 The first thing you'll notice when you visit `http://localhost:5000/admin/ <http://localhost:5000/admin/>`_