flask-wtf
Inconsistency with raising CSRFError
The Flask-WTF docs state:
When CSRF validation fails, it will raise a CSRFError.
However, this appears to only be true if this optional code has been used:
from flask_wtf.csrf import CSRFProtect
csrf = CSRFProtect(app)
When that code is not used, forms are created by subclassing FlaskForm, and CSRF validation fails, then validate_on_submit returns False instead of raising CSRFError.
It seems that ideally you would always raise CSRFError for consistency, but if you don't want to do that, then it would be helpful to update the docs.
It doesn't make sense to raise an unhandled exception during validation. I suppose the docs could be clearer that the extension raises the error, not forms. PRs welcome.
You can check out form.errors after validate_on_submit() returns false. It's more elegant.