Validation (FileAllowed) issue upgrading 0.13.1 -> 0.14 #276
Comments
@ThiefMaster on #pocoo suggested trying
Turns out my assumption was wrong: empty file fields still populate
Fixed in release 0.14.1 on PyPI.
@davidism Thank you very much for getting this sorted so fast. It's a massive help.
* Upgraded Flask-WTF to 0.14.1 to fix issue with empty fields. Thanks to @davidism in issue for resolving so quickly. lepture/flask-wtf#276
* Moved back to flask_wtf.file.FileField as deprecation has been removed.
Version 0.14.2
--------------

Released 2017-01-10

- Fix bug where ``FlaskForm`` assumed ``meta`` argument was not ``None`` if it was passed. (`#278`_)

.. _#278: lepture/flask-wtf#278

Version 0.14.1
--------------

Released 2017-01-10

- Fix bug where the file validators would incorrectly identify an empty file as valid data. (`#276`_, `#277`_)
- ``FileField`` is no longer deprecated. The data is checked during processing and only set if it's a valid file.
- ``has_file`` *is* deprecated; it's now equivalent to ``bool(field.data)``.
- ``FileRequired`` and ``FileAllowed`` work with both the Flask-WTF and WTForms ``FileField`` classes.
- The ``Optional`` validator now works with ``FileField``.

.. _#276: lepture/flask-wtf#276
.. _#277: lepture/flask-wtf#277

Version 0.14
------------

Released 2017-01-06

- Use itsdangerous to sign CSRF tokens and check expiration instead of doing it ourselves. (`#264`_)
- All tokens are URL safe, removing the ``url_safe`` parameter from ``generate_csrf``. (`#206`_)
- All tokens store a timestamp, which is checked in ``validate_csrf``. The ``time_limit`` parameter of ``generate_csrf`` is removed.
- Remove the ``app`` attribute from ``CsrfProtect``, use ``current_app``. (`#264`_)
- ``CsrfProtect`` protects the ``DELETE`` method by default. (`#264`_)
- The same CSRF token is generated for the lifetime of a request. It is exposed as ``g.csrf_token`` for use during testing. (`#227`_, `#264`_)
- ``CsrfProtect.error_handler`` is deprecated. (`#264`_)
- Handlers that return a response work in addition to those that raise an error. The behavior was not clear in previous docs.
- (`#200`_, `#209`_, `#243`_, `#252`_)
- Use ``Form.Meta`` instead of deprecated ``SecureForm`` for CSRF (and everything else). (`#216`_, `#271`_)
- ``csrf_enabled`` parameter is still recognized but deprecated. All other attributes and methods from ``SecureForm`` are removed. (`#271`_)
- Provide ``WTF_CSRF_FIELD_NAME`` to configure the name of the CSRF token. (`#271`_)
- ``validate_csrf`` raises ``wtforms.ValidationError`` with specific messages instead of returning ``True`` or ``False``. This breaks anything that was calling the method directly. (`#239`_, `#271`_)
- CSRF errors are logged as well as raised. (`#239`_)
- ``CsrfProtect`` is renamed to ``CSRFProtect``. A deprecation warning is issued when using the old name. ``CsrfError`` is renamed to ``CSRFError`` without deprecation. (`#271`_)
- ``FileField`` is deprecated because it no longer provides functionality over the provided validators. Use ``wtforms.FileField`` directly. (`#272`_)

.. _`#200`: lepture/flask-wtf#200
.. _`#209`: lepture/flask-wtf#209
.. _`#216`: lepture/flask-wtf#216
.. _`#227`: lepture/flask-wtf#227
.. _`#239`: lepture/flask-wtf#239
.. _`#243`: lepture/flask-wtf#243
.. _`#252`: lepture/flask-wtf#252
.. _`#264`: lepture/flask-wtf#264
.. _`#271`: lepture/flask-wtf#271
.. _`#272`: lepture/flask-wtf#272

Version 0.13.1
--------------

Released 2016/10/6

- Deprecation warning for ``Form`` is shown during ``__init__`` instead of immediately when subclassing. (`#262`_)
- Don't use ``pkg_resources`` to get version, for compatibility with GAE. (`#261`_)

.. _`#261`: lepture/flask-wtf#261
.. _`#262`: lepture/flask-wtf#262

Version 0.13
------------

Released 2016/09/29

- ``Form`` is renamed to ``FlaskForm`` in order to avoid name collision with WTForms's base class. Using ``Form`` will show a deprecation warning. (`#250`_)
- ``hidden_tag`` no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (`#217`_, `#193`_)
- ``flask_wtf.html5`` is deprecated. Import directly from ``wtforms.fields.html5``. (`#251`_)
- ``is_submitted`` is true for ``PATCH`` and ``DELETE`` in addition to ``POST`` and ``PUT``. (`#187`_)
- ``generate_csrf`` takes a ``token_key`` parameter to specify the key stored in the session. (`#206`_)
- ``generate_csrf`` takes a ``url_safe`` parameter to allow the token to be used in URLs. (`#206`_)
- ``form.data`` can be accessed multiple times without raising an exception. (`#248`_)
- File extension with multiple parts (``.tar.gz``) can be used in the ``FileAllowed`` validator. (`#201`_)

.. _`#187`: lepture/flask-wtf#187
.. _`#193`: lepture/flask-wtf#193
.. _`#201`: lepture/flask-wtf#201
.. _`#206`: lepture/flask-wtf#206
.. _`#217`: lepture/flask-wtf#217
.. _`#248`: lepture/flask-wtf#248
.. _`#250`: lepture/flask-wtf#250
.. _`#251`: lepture/flask-wtf#251
Seems that this bug still exists using following setup:
form class definition
route
rendering
Using this setup and submitting an empty form will print
What's the problem in Flask-WTF? Werkzeug adds empty file objects for each field received, regardless of if the file contained data. You're not using Flask-WTF to process the form data, so it won't check that the object is empty.
But there is no other way to process multiple files in Flask-WTF at the moment, right?
Gives you
Probably something that would be fixed with your patch right?
Yes, I was about to link that. As it says at the bottom, just copy those fields into your own code, there's nothing requiring them to be in WTForms.
form_fix.py
form class definition
This renders something that looks like a StringInput behind the FileInput when using The rendered html:
By manually calling
Please use Stack Overflow for questions about your own code. If you have a new bug report, after ensuring it is a bug with Flask-WTF, please open a new issue.
I upgraded Flask-WTF last night from 0.13.1 -> 0.14
The issue I have is that when the FileField is blank (if the user chooses not to upload an image) then the validation fails. I do not require the field.
If I do this through my test suite all is okay using the following code:
Then the post is successful. However if I make the request through Firefox (or Chrome) the validation is triggered saying I have an invalid format.
Request body:
This was happening before I fixed the deprecation warnings that FileField is getting removed and to use the built-in WTForms FileField and after I changed the code to use this. I believe it's something to do with this change but can't find any documentation.
I have had to revert the change as it stopped my site being usable.
Thanks in advance
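Added example, not code from the issue or from Flask-WTF: a browser encodes a blank file input as a part with `filename=""` and no content, so a file object still exists for the field and an extension allowlist run against it rejects the submission, while a request that omits the part never reaches the validator. The multipart bodies, the `ALLOWED` set and all function names are constructed for illustration, and Python's standard `email` parser stands in for the framework's multipart parser.

```python
from email.parser import BytesParser

BOUNDARY = "constructed-boundary"  # constructed sample value
ALLOWED = {"jpg", "png"}           # hypothetical extension allowlist


def _part(headers, content=""):
    """Build one multipart/form-data part."""
    return f"--{BOUNDARY}\r\n{headers}\r\n\r\n{content}\r\n"


TITLE = _part('Content-Disposition: form-data; name="title"', "hello")
# Constructed: how a browser encodes a file input that was left blank.
BLANK_FILE = _part('Content-Disposition: form-data; name="image"; filename=""\r\n'
                   "Content-Type: application/octet-stream")
BROWSER_BODY = (TITLE + BLANK_FILE + f"--{BOUNDARY}--\r\n").encode()
# Constructed: a client that leaves the file part out entirely (assumption).
OMITTED_BODY = (TITLE + f"--{BOUNDARY}--\r\n").encode()


def file_parts(body):
    """Map field name -> (filename, size) for each part with a filename parameter."""
    head = f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
    msg = BytesParser().parsebytes(head.encode() + body)
    found = {}
    for part in msg.get_payload():
        filename = part.get_filename()
        if filename is not None:
            name = part.get_param("name", header="content-disposition")
            found[name] = (filename, len(part.get_payload(decode=True)))
    return found


def naive_allowed(filename):
    """Allowlist check run on any file object present; fails for filename ''."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in ALLOWED


def validate_optional_upload(filename):
    """Treat an empty filename as 'no upload' before checking the extension."""
    if not filename:
        return "absent"
    return "ok" if naive_allowed(filename) else "rejected"


if __name__ == "__main__":
    for label, body in (("browser", BROWSER_BODY), ("omitted", OMITTED_BODY)):
        parts = file_parts(body)
        print(label, parts, [validate_optional_upload(f) for f, _ in parts.values()])
```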