Merge pull request #437 from numirias/csrf_fix

FIXED #436: Omit CSRF token when populating model instance with form data
MongoEngine · Jul 1, 2022 · fc2627a · fc2627a
2 parents 438d6ef + 1ae739f
commit fc2627a
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/flask_mongoengine/wtf/models.py b/flask_mongoengine/wtf/models.py
@@ -13,10 +13,9 @@ def __init__(self, formdata=_Auto, **kwargs):
         super(ModelForm, self).__init__(formdata, **kwargs)
 
     def save(self, commit=True, **kwargs):
-        if self.instance:
-            self.populate_obj(self.instance)
-        else:
-            self.instance = self.model_class(**self.data)
+        if not self.instance:
+            self.instance = self.model_class()
+        self.populate_obj(self.instance)
 
         if commit:
             self.instance.save(**kwargs)

diff --git a/tests/test_forms.py b/tests/test_forms.py
@@ -526,3 +526,23 @@ def food_items_label_modifier(obj):
         form = FoodStoreForm()
 
         assert [obj.label.text for obj in form.food_items] == fruit_names
+
+
+def test_csrf_token(app, db):
+    # fixes MongoEngine/flask-mongoengine#436
+    app.config["WTF_CSRF_ENABLED"] = True
+    with app.test_request_context("/"):
+
+        class DummyCSRF(wtforms.csrf.core.CSRF):
+            def generate_csrf_token(self, csrf_token_field):
+                return "dummytoken"
+
+        class MyModel(db.Document):
+            pass
+
+        form = model_form(MyModel)(
+            MultiDict({"csrf_token": "dummytoken"}), meta={"csrf_class": DummyCSRF}
+        )
+        assert "csrf_token" in form
+        assert form.validate()
+        form.save()