extra_validators change breaks many many forms

[jwag956]

In 1.1.0 the 'extra_validators' parameter was added as a positional parameter to the form.validate() call, whereas in WTForms and Flask-WTForms.validate_on_submit() it is a keyword parameter.

To reproduce:
Create a form with a validate() method which takes no parameters.

Desired Outcome:
FlaskForms.validate() shouldn't require any positional parameters (and therefore be backwards compatible with prior releases).

Environment:

• Python version:3.9
• Flask-WTF version:1.1.0
• Flask version:2.2.2

[jwag956]

Hmm - this is certainly going to break a lot of things, and it won't be easy to have extensions/apps that work with both 1.0.1 and 1.1.0 - but I see the utility in the change and not sure a better way to do this....

[jwag956]

Sorry - confusing myself - yes this is an issue with I believe a very simple fix:

return self.is_submitted() and self.validate(extra_validators)

should be:
return self.is_submitted() and self.validate(extra_validators=extra_validators)

[HwangTaehyun]

@jwag956 Yeah, this is also a problem in pgadmin with the following error when user clicks login button. (pgadmin-org/pgadmin4@e0b670f)
loginForm.validate() takes 1 positional argument but 2 were given

When I reflect on your code, then it works! (w/ @chlrlrhs95)
Can I open PR to that?
I would like to fix that asap.

[azmeuk]

Can I open PR to that?

Sure! Go on and I will try to release 1.1.1 tonight.

[HwangTaehyun]

Oh, sorry... I re-test but it does not fix the error.

[jwag956]

That simple fix worked for me (i.e. Flask-Security-Too unit tests now pass).

[HwangTaehyun]

@jwag956 Could you give me some advice?
I changed that code on flask wtf 1.1.0 but it throws error like the following.

{"success":0,"errormsg":"LoginForm.validate() got an unexpected keyword argument 'extra_validators'","info":"","result":null,"data":null}

Why does keyword passing not working in my case (for pgadmin4==6.19 with fixed flask-wtf 1.1.0 which was fixed with this change)

wtforms receive exactly same name: extra_validators..
https://github.com/wtforms/wtforms/blob/6b570a55a2d9959804390bf0e74df2a96cf4c9a0/src/wtforms/form.py#:~:text=%3Dfield_extra_filters)-,def%20validate(self%2C%20extra_validators%3DNone)%3A,-%22%22%22

[jwag956]

They added 'extra_validators' in 1.1.0 - to validate_on_submit - but didn't pass that as a keyword param to validate
So this fix is to 1.1.0 only - 1.0.1 doesn't have this issue (and should work just fine)

[HwangTaehyun]

I fixed my comment a few minutes ago. I changed that code on flask wtf 1.1.0!

[andrei-at-emtelligent]

Why does keyword passing not working in my case (for pgadmin4==6.19 with fixed flask-wtf 1.1.0 which was fixed with this change)

It's likely you need to add update your LoginForm.validate() method to also accept an extra_validators parameter. If you're subclassing FlaskForm, then that self.validate() call in FlaskForm.validate_on_submit() will be calling LoginForm.validate() not Form.validate(), so any keyword arguments included in that call will need to be supported by your LoginForm.validate() method.

[jwag956]

The default validate() method in Flask-Security takes **kwargs - so should work fine. Do you have your own LoginForm? or are you using FS's Loginform?

[HwangTaehyun]

Probably pgadmin uses like that. I will dig it. Thank you!

[HwangTaehyun]

I figured it out. pgadmin4 uses LoginForm of Flask-Security. And Flask-wtf's validate_on_submit function calls their derived class Flask-Security 4.1.5 LoginForm's validate function and that does not receive extra_validators and it throws an error. However, now the master branch receives extra_validators. You are right!
https://github.com/Flask-Middleware/flask-security/blob/a2f43ff35527f37839fa8da7af6827a4c5e52e31/flask_security/forms.py#L495-L503

So, if pgadmin uses the next version of flask-security, then it works with flask-wtf 1.1.0.
@jwag956 Thank you!