Fix forms & csrf_enabled deprecation doc #287
Mention the non-deprecated way to disable CSRF for a given form.
e38d90d to a919882
Codecov Report
@@ Coverage Diff @@
## master #287 +/- ##
==========================================
- Coverage 99.66% 99.66% -0.01%
==========================================
Files 19 18 -1
Lines 897 895 -2
Branches 74 74
==========================================
- Hits 894 892 -2
Misses 3 3
oops, forgot to fix the associated test, that's done by now :-)
I think I meant to show setting `Meta.csrf = False` while defining the form, rather than passing the override, since you probably don't want a form that is for both CSRF and non-CSRF contexts.
Thanks for reviews!
@davidism I don't understand what you mean. Could you provide an example please :-) ?
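```python
from flask_wtf import FlaskForm

class MyForm(FlaskForm):
    class Meta:
        csrf = False  # class-level: every MyForm instance is built without CSRF

form = MyForm()
```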
@davidism ok, thanks :-). So, from my understanding, there are two ways to disable CSRF for a form
The warning where I changed the message is clearly for an instance-level option (it's a constructor parameter), so it seems the right one to put here. @davidism What do you think ? Side note: is the
As I said in the review, I meant the warning to refer to the meta attribute, as it makes more sense to design a form that never has CSRF than to have to decide on the fly. I just forgot to capitalize
I got that :)
Depends. If this deprecation warning is reached, it's in the context of a code that decides it "on the fly". So suggesting a "drop-in" replacement could be useful to the developer. Would mentioning both solutions in the warning (
Fair enough, I agree with you about the context of this message. Let's change it to
a919882 to b61f9d6
@davidism Ok, I just updated my PR accordingly. I let someone else document the
docs/form.rst
Outdated
@@ -11,7 +11,7 @@ form with csrf protection. We encourage you do nothing. | |||
|
|||
But if you want to disable the csrf protection, you can pass:: | |||
|
|||
form = FlaskForm(csrf_enabled=False) | |||
form = FlaskForm(meta={'csrf_enabled': False}) |
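Review bot: the replacement line `form = FlaskForm(meta={'csrf_enabled': False})` passes the wrong key: `csrf_enabled` is the name of the deprecated constructor argument, while the form example earlier in this conversation sets `csrf = False` on `Meta`. The key should be `'csrf'`; a reader who copies the line as written sets a value nothing reads, and the form keeps its CSRF field. Since the surrounding sentence documents only the per-instance override, consider also showing the class-level `Meta` form next to it so readers see the option for forms that should never carry a token.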
Should be `'csrf'` here.
well spotted, thanks, fixed.
b61f9d6 to b8ff4f9
It was speaking about meta.csrf which is pretty much unclear:
- what is this `meta`?
- suggests that `csrf` is an attribute of `meta` (which is wrong: it is a dict key)
I had a hard time understanding the deprecation of `csrf_enabled`. The only way I managed to do it was by reading form.py. Let's make the doc and deprecation message better :-)