add documentation for enabling csrf validation with WTForms 2

c01277a3 · Paul Brown · bf554b1d · c01277a3
Commit c01277a3 authored Jan 19, 2015 by Paul Brown
Show whitespace changes
Inline Side-by-side

Showing with 65 additions and 43 deletions

form_rules.rst doc/form_rules.rst +65 -43

No files found.
--- a/doc/form_rules.rst
+++ b/doc/form_rules.rst
@@ -58,13 +58,36 @@ Form Rendering Rule                                     Description

 Enabling CSRF Validation 
 ---------------
+Adding CSRF validation will require overriding the :class:`flask.ext.admin.form.BaseForm` by using :attr:`flask.ext.admin.model.BaseModelView.form_base_class`.

-Flask-Admin does not use Flask-WTF Form class - it uses the wtforms Form class, which does not have CSRF validation.
-Adding CSRF validation will require importing flask_wtf and overriding the :class:`flask.ext.admin.form.BaseForm` by using :attr:`flask.ext.admin.model.BaseModelView.form_base_class`::
+WTForms >=2::
+
+    from wtforms.csrf.session import SessionCSRF
+    from wtforms.meta import DefaultMeta
+    from flask import session
+    from datetime import timedelta
+    from flask.ext.admin import form
+    from flask.ext.admin.contrib import sqla
+
+    class SecureForm(form.BaseForm):
+        class Meta(DefaultMeta):
+            csrf = True
+            csrf_class = SessionCSRF
+            csrf_secret = b'EPj00jpfj8Gx1SjnyLxwBBSQfnQ9DJYe0Ym'
+            csrf_time_limit = timedelta(minutes=20)
+            
+            @property
+            def csrf_context(self):
+                return session
+    
+    class ModelAdmin(sqla.ModelView):
+        form_base_class = SecureForm
+
+For WTForms 1, you can use use Flask-WTF's Form class::

    import os
    import flask
-	**import flask_wtf**
+    import flask_wtf
    import flask_admin
    import flask_sqlalchemy
    from flask_admin.contrib.sqla import ModelView
@@ -74,15 +97,15 @@ Adding CSRF validation will require importing flask_wtf and overriding the :clas
    app = flask.Flask(__name__)
    app.config['SECRET_KEY'] = 'Dnit7qz7mfcP0YuelDrF8vLFvk0snhwP'
    app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + DBFILE
-	**app.config['CSRF_ENABLED'] = True**
+    app.config['CSRF_ENABLED'] = True

-	**flask_wtf.CsrfProtect(app)**
+    flask_wtf.CsrfProtect(app)
    db = flask_sqlalchemy.SQLAlchemy(app)
    admin = flask_admin.Admin(app, name='Admin')

-	## Here is the fix:
    class MyModelView(ModelView):
-		**form_base_class = flask_wtf.Form**
+        # Here is the fix:
+        form_base_class = flask_wtf.Form

    class User(db.Model):
        id = db.Column(db.Integer, primary_key=True)
@@ -92,7 +115,6 @@ Adding CSRF validation will require importing flask_wtf and overriding the :clas
    if not os.path.exists(DBFILE):
        db.create_all()

-	## The subclass is used here:
    admin.add_view( MyModelView(User, db.session, name='User') )

    app.run(debug=True)