
Modifying a boolean field (mysql) causes a csrf-token error #1861

Open
a16su opened this issue May 12, 2019 · 1 comment

Comments

@a16su

a16su commented May 12, 2019

My model has a boolean field (is_admin). I added it to the column_editable_list, but when I modify its value the response returns error code 400 with the error message "The CSRF token is missing."

@Hossein-Roshandel

I have come across a similar issue and I think there is a clash between csrf = CSRFProtect(app) of flask_wtf and form_base_class = SecureForm of flask_admin. I am not sure whether I have to report it as a separate bug or whether sharing it on this thread will do.

The following is the code of a simple Flask web application that uses Flask-Admin for CRUD operations on user data.
If I comment out form_base_class = SecureForm from class UserView on line 37, the issue is resolved and the flask_admin forms still retain the CSRF security feature, because CSRF has been enabled globally by csrf = CSRFProtect(app) on line 21. Alternatively, removing csrf = CSRFProtect(app) also fixes the issue with form_base_class = SecureForm; however, in this case the other wtforms of the app lose their CSRF protection.

from flask import Flask, render_template,redirect
from flask_wtf import FlaskForm
from wtforms import StringField
from wtforms.validators import DataRequired
from flask_wtf.csrf import CSRFProtect

from flask_sqlalchemy import SQLAlchemy

from flask_admin import Admin
from flask_admin.contrib.sqla import ModelView
from flask_admin.form import SecureForm




class MyForm(FlaskForm):
    name = StringField('name', validators=[DataRequired()])

app = Flask(__name__)
app.secret_key = "Some Secret key!"
csrf = CSRFProtect(app)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///test.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)
admin = Admin(app)

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    email = db.Column(db.String(120), unique=True, nullable=False)
    status = db.Column(db.Boolean, nullable=True)

    def __repr__(self):
        return '<User %r>' % self.username

class UserView(ModelView):
    form_base_class = SecureForm  # very important to secure the forms
    page_size = 50  # the number of entries to display on the list view
    column_editable_list = ["username", "email", 'status']
    # show create and edit pages as modal windows instead of new windows
    create_modal = True
    edit_modal = True
    can_view_details = True
    details_modal = True

admin.add_view(UserView(User,db.session))



@app.route("/")
def hello_world():
    return "<p>Hello, World!</p>"

@app.route('/submit', methods=['GET', 'POST'])
def submit():
    form = MyForm()
    if form.validate_on_submit():
        return redirect('/success')
    return render_template('submit.html', form=form)

@app.route('/success')
def success():
    return "<p>Hello, The transaction was successful!</p>"


if __name__ == '__main__':
    app.run()

And this is my template file for the /submit endpoint.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<form method="POST" >
    {{ form.csrf_token }}
    {{ form.name.label }} {{ form.name(size=20) }}
    <input type="submit" value="Go">

</form>
</body>
</html>

The code that I have presented above produces the following error, as also shown in the picture:

<!doctype html>
<html lang=en>
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>The CSRF token is invalid.</p>

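The clash described in the comment above, as an added example that is not part of this issue thread nor code from Flask-Admin or Flask-WTF: a stdlib-only model in which an app-wide CSRF hook (playing the role of CSRFProtect) and a form-level token scheme (playing the role of SecureForm, which relies on WTForms' session CSRF) both write to the same `csrf_token` form field but mint tokens the other side cannot verify. The token formats, session keys, secret value and helper names are simplified stand-ins chosen so the outcomes match the messages quoted in the thread; they are assumptions of the example, not the libraries' real implementations (which, among other differences, sign with itsdangerous and also accept the token in a request header).

```python
import hashlib
import hmac
import secrets
import time


class CsrfError(Exception):
    """A failed CSRF check; in the issue this surfaces as an HTTP 400 page."""


SECRET = b"constructed-secret-key"  # stands in for app.secret_key (constructed value)
FIELD_NAME = "csrf_token"  # both schemes default to this form field name


def _sign(label: bytes, payload: str) -> str:
    """HMAC-SHA256 over label||payload; the label keeps the two schemes' MACs apart."""
    return hmac.new(SECRET, label + payload.encode(), hashlib.sha256).hexdigest()


# Scheme A (model of the app-wide hook, CSRFProtect style): one random value per
# session, kept under session["csrf_token"]; the form echoes it back signed.
def issue_global_token(session: dict) -> str:
    value = session.setdefault("csrf_token", secrets.token_hex(16))
    return f"{value}.{_sign(b'global:', value)}"


def validate_global_token(session: dict, token) -> None:
    if not token:
        raise CsrfError("The CSRF token is missing.")
    value, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _sign(b"global:", value)):
        raise CsrfError("The CSRF token is invalid.")
    if value != session.get("csrf_token"):
        raise CsrfError("The CSRF tokens do not match.")


# Scheme B (model of a form-level class, SecureForm/SessionCSRF style): a
# time-limited "<expiry>##<mac>" token bound to a nonce under session["csrf"].
def issue_form_token(session: dict, now=None, ttl: int = 1800) -> str:
    nonce = session.setdefault("csrf", secrets.token_hex(16))
    expiry = int((time.time() if now is None else now) + ttl)
    return f"{expiry}##{_sign(b'form:', f'{expiry}{nonce}')}"


def validate_form_token(session: dict, token, now=None) -> None:
    if not token:
        raise CsrfError("CSRF token missing.")
    expiry, sep, mac = token.partition("##")
    nonce = session.get("csrf", "")
    if not sep or not hmac.compare_digest(mac, _sign(b"form:", f"{expiry}{nonce}")):
        raise CsrfError("CSRF failed.")
    if int(expiry) < (time.time() if now is None else now):
        raise CsrfError("CSRF token expired.")


def global_before_request(session: dict, form: dict) -> str:
    """The app-wide hook: runs on every state-changing request before any form
    class is consulted, and only understands scheme A tokens."""
    validate_global_token(session, form.get(FIELD_NAME))
    return "accepted"


def run_scenarios() -> dict:
    """Replays the situations discussed in the thread against the global hook."""
    results = {}

    def attempt(name, session, form):
        try:
            results[name] = global_before_request(session, form)
        except CsrfError as exc:
            results[name] = str(exc)

    # 1. A plain FlaskForm (MyForm behind /submit) renders the global token: accepted.
    s1 = {}
    attempt("flaskform_post", s1, {FIELD_NAME: issue_global_token(s1), "name": "alice"})

    # 2. The clash: a SecureForm-based view renders a scheme B token under the very
    #    same field name, which the global hook cannot verify.
    s2 = {}
    attempt("secureform_post", s2, {FIELD_NAME: issue_form_token(s2), "username": "bob"})

    # 3. A POST whose body carries no csrf_token field at all (the message in the
    #    issue title).
    s3 = {}
    attempt("no_token_post", s3, {"pk": "1", "name": "status", "value": "1"})

    # 4. Fix from the thread: drop form_base_class = SecureForm so the admin form
    #    carries the global token like every other form in the app.
    s4 = {}
    attempt("secureform_removed", s4, {FIELD_NAME: issue_global_token(s4), "username": "bob"})

    # 5. The other fix from the thread: remove CSRFProtect(app). SecureForm then
    #    checks its own token and passes, but MyForm is left without any check.
    s5 = {}
    try:
        validate_form_token(s5, issue_form_token(s5))
        results["csrfprotect_removed"] = "accepted"
    except CsrfError as exc:
        results["csrfprotect_removed"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The point the model makes visible is that both schemes are individually sound; the 400 comes from running two validators over one field. Whichever validator runs first (the global hook, since a before_request handler precedes form processing) decides, and it has no way to recognise the other scheme's token. Keeping a single token issuer per field name, as the comment above does by relying on the global hook alone, removes the conflict without giving up protection.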
