Fix forms & csrf_enabled deprecation doc

[JocelynDelalande]

I had hard times understanding the deprecation of csrf_enabled. The only way I managed to do it was by reading form.py.

Let's make the doc and deprecation message better :-)

[codecov-io]

Codecov Report

Merging #287 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #287      +/-   ##
==========================================
- Coverage   99.66%   99.66%   -0.01%     
==========================================
  Files          19       18       -1     
  Lines         897      895       -2     
  Branches       74       74              
==========================================
- Hits          894      892       -2     
  Misses          3        3

Impacted Files	Coverage Δ
flask_wtf/form.py	100% <ø> (ø)	⬆️
tests/test_form.py	100% <100%> (ø)	⬆️
flask_wtf/__init__.py	100% <0%> (ø)	⬆️
flask_wtf/recaptcha/__init__.py

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update eff54ec...b8ff4f9. Read the comment docs.

[JocelynDelalande]

oops, forgot to fix the associated test, that's done by now :-)

[davidism]

I think I meant to show setting Meta.csrf = False while defining the form, rather than passing the override, since you probably don't want a form that is for both CSRF and non-CSRF contexts.

[JocelynDelalande]

Thanks for reviews!

I think I meant to show setting Meta.csrf = False while defining the form, rather than passing the override, since you probably don't want a form that is for both CSRF and non-CSRF contexts.

@davidism I don't understand what you mean. Could you provide an example please :-) ?

[davidism]

class MyForm(FlaskForm):
    class Meta:
        csrf = False

form = MyForm()

[JocelynDelalande]

@davidism ok, thanks :-). So, from my understanding, there are two ways to disable CSRF for a form

• the one you are speaking (with Meta), is defining the default at class-level (set the default for a given form class).
• the one that I'm dealing with (through warning message) is to disable CSRF at instanciation time ; thus overriding what could have been done at class-level, so it's instance-level

The warning where I changed the message is clearly for an instance-level option (it's a constructor parameter), so it seems the right one to put here. @davidism What do you think ?

Side note: is the Meta thing for forms documented somewhere ?

[davidism]

As I said in the review, I meant the warning to refer to the meta attribute, as it makes more sense to design a form that never has CSRF than to have to decide on the fly. I just forgot to capitalize Meta and change the example in the docs.

[JocelynDelalande]

As I said in the review, I meant the warning to refer to the meta attribute,

I got that :)

as it makes more sense to design a form that never has CSRF than to have to decide on the fly.

Depends. If this deprecation warning is reached, it's in the context of a code that decides it "on the fly". So suggestin a "drop-in" replacement could be useful to the developper.

Would mentioning both solutions in the warning (meta= arg and Meta class) looks good to you ?

[davidism]

Fair enough, I agree with you about the context of this message. Let's change it to "Pass meta={'csrf': False} instead." to be more explicit about what to do.

[JocelynDelalande]

Fair enough, I agree with you about the context of this message. Let's change it to "Pass meta={'csrf': False} instead." to be more explicit about what to do.

@davidism Ok, I just updated my PR accordingly.

I let someone else document the Meta behavior in another PR/commit at the place where you find it relevant.

[davidism]

Should be 'csrf' here.

[JocelynDelalande]

well spotted, thanks, fixed.