add note about enabling csrf validation

doc/form_rules.rst

@@ -56,6 +56,47 @@ Form Rendering Rule                                     Description
 :class:`flask.ext.admin.form.rules.FieldSet`            Renders form header and child rules
 ======================================================= ========================================================
 
+Enabling CSRF Validation 
+---------------
+
+Flask-Admin does not use Flask-WTF Form class - it uses the wtforms Form class, which does not have CSRF validation.
+Adding CSRF validation will require importing flask_wtf and overriding the :class:`flask.ext.admin.form.BaseForm` class:: by using :attr:`flask.ext.admin.model.BaseModelView.form_base_class`::
+
+	import os
+	import flask
+	**import flask_wtf**
+	import flask_admin
+	import flask_sqlalchemy
+	from flask_admin.contrib.sqla import ModelView
+
+	DBFILE = 'app.db'
+
+	app = flask.Flask(__name__)
+	app.config['SECRET_KEY'] = 'Dnit7qz7mfcP0YuelDrF8vLFvk0snhwP'
+	app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + DBFILE
+	**app.config['CSRF_ENABLED'] = True**
+
+	**flask_wtf.CsrfProtect(app)**
+	db = flask_sqlalchemy.SQLAlchemy(app)
+	admin = flask_admin.Admin(app, name='Admin')
+
+	## Here is the fix:
+	class MyModelView(ModelView):
+		**form_base_class = flask_wtf.Form**
+
+	class User(db.Model):
+		id = db.Column(db.Integer, primary_key=True)
+		username = db.Column(db.String)
+		password = db.Column(db.String)
+
+	if not os.path.exists(DBFILE):
+		db.create_all()
+
+	## The subclass is used here:
+	admin.add_view( MyModelView(User, db.session, name='User') )
+
+	app.run(debug=True)
+
 Further reading
 ---------------