wtforms, CSRF, flask, FieldList

After encountering the same problem, I wanted to supply a third option to the solution above.

You can also override the constructor in your form class to replace the default value of csrf_enabled. This has the advantage that you can use the same form definition as both a fieldlist member, and a standalone form with CSRF enabled by passing csrf_enabled=True.

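class FilterForm(wtf.Form):
    field = wtf.Form ...

    def __init__(self, *args, **kwargs):
        # Default CSRF to off (FieldList member); pass csrf_enabled=True
        # to use the form standalone. Handling it as a keyword keeps a
        # positional formdata argument from being taken as csrf_enabled.
        kwargs.setdefault('csrf_enabled', False)
        super(FilterForm, self).__init__(*args, **kwargs)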

The issue seems to be that Flask-WTForms Form is actually a subclass of wtforms.ext.SecureForm - and the only way to disable the CSRF protection on a form is to pass the keyword argument csrf_enabled=False to the form when constructing it. Since FormField actually handles instantiating the form, you can either:

  • Create a subclass of FormField that will let you pass in form keyword arguments
    or
  • Subclass wtforms.Form rather than flask.ext.wtforms.Form for your FilterForm (as long as you never display a FilterForm on its own you won't need to worry about CSRF).