Merge pull request #552 from pawl/master

Add documentation about enabling CSRF validation

doc/form_rules.rst

@@ -56,6 +56,47 @@ Form Rendering Rule                                     Description
 :class:`flask.ext.admin.form.rules.FieldSet`            Renders form header and child rules
 ======================================================= ========================================================
 
+Enabling CSRF Validation 
+---------------
+
+Flask-Admin does not use Flask-WTF Form class - it uses the wtforms Form class, which does not have CSRF validation.
+Adding CSRF validation will require importing flask_wtf and overriding the :class:`flask.ext.admin.form.BaseForm` by using :attr:`flask.ext.admin.model.BaseModelView.form_base_class`::
+
+	import os
+	import flask
+	**import flask_wtf**
+	import flask_admin
+	import flask_sqlalchemy
+	from flask_admin.contrib.sqla import ModelView
+
+	DBFILE = 'app.db'
+
+	app = flask.Flask(__name__)
+	app.config['SECRET_KEY'] = 'Dnit7qz7mfcP0YuelDrF8vLFvk0snhwP'
+	app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + DBFILE
+	**app.config['CSRF_ENABLED'] = True**
+
+	**flask_wtf.CsrfProtect(app)**
+	db = flask_sqlalchemy.SQLAlchemy(app)
+	admin = flask_admin.Admin(app, name='Admin')
+
+	## Here is the fix:
+	class MyModelView(ModelView):
+		**form_base_class = flask_wtf.Form**
+
+	class User(db.Model):
+		id = db.Column(db.Integer, primary_key=True)
+		username = db.Column(db.String)
+		password = db.Column(db.String)
+
+	if not os.path.exists(DBFILE):
+		db.create_all()
+
+	## The subclass is used here:
+	admin.add_view( MyModelView(User, db.session, name='User') )
+
+	app.run(debug=True)
+
 Further reading
 ---------------
 

flask_admin/model/base.py

@@ -365,6 +365,15 @@ class BaseModelView(BaseView, ActionsMixin):
                         'style': 'color: black'
                     }
                 }
+                
+        Note, changing the format of a DateTimeField will require changes to both form_widget_args and form_args:
+
+            form_args = dict(
+                start=dict(format='%Y-%m-%d %H:%M') # changes how the input is parsed by strptime
+            )
+            form_widget_args = dict(
+                start={'data-date-format': u'yyyy-mm-dd hh:ii'} # changes how the DateTimeField displays the time
+            )
     """
 
     form_extra_fields = None