Merge pull request #1346 from ei-grad/production-csrf-fix

Fix CSRF for production deployments

Merge pull request #1346 from ei-grad/production-csrf-fix
Fix CSRF for production deployments
2797c94c · Serge S. Koval · GitHub · d897c718 · db21a600 · 2797c94c
Commit 2797c94c authored Sep 18, 2016 by Serge S. Koval Committed by GitHub Sep 18, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

__init__.py flask_admin/form/__init__.py +10 -2

No files found.
--- a/flask_admin/form/__init__.py
+++ b/flask_admin/form/__init__.py
@@ -43,8 +43,9 @@ def recreate_field(unbound):
 if int(wtforms_version[0]) > 1:
    # only WTForms 2+ has built-in CSRF functionality
    from os import urandom
-    from flask import session
+    from flask import session, current_app
    from wtforms.csrf.session import SessionCSRF
+    from flask_admin._compat import text_type

    class SecureForm(BaseForm):
        """
@@ -55,7 +56,14 @@ if int(wtforms_version[0]) > 1:
        class Meta:
            csrf = True
            csrf_class = SessionCSRF
-            csrf_secret = urandom(24)
+            _csrf_secret = urandom(24)
+
+            @property
+            def csrf_secret(self):
+                secret = current_app.secret_key or self._csrf_secret
+                if isinstance(secret, text_type):
+                    secret = secret.encode('utf-8')
+                return secret

            @property
            def csrf_context(self):