
Inconsistency with raising CSRFError

Open pb-jeff-oneill opened this issue 4 years ago • 2 comments

The Flask-WTF docs state:

When CSRF validation fails, it will raise a CSRFError.

However, this appears to be true only if this optional code has been used:

```python
from flask_wtf.csrf import CSRFProtect
csrf = CSRFProtect(app)
```

When that code is not used, forms are created by subclassing FlaskForm, and CSRF validation fails, then validate_on_submit returns False instead of raising CSRFError.

It seems that ideally you would always raise CSRFError for consistency, but if you don't want to do that, then it would be helpful to update the docs.

pb-jeff-oneill, Oct 18 '19 18:10

It doesn't make sense to raise an unhandled exception during validation. I suppose the docs could be clearer that the extension raises the error, not forms. PRs welcome.

davidism, Oct 18 '19 19:10

You can check out form.errors after validate_on_submit() returns false. It's more elegant.

jawatech, Dec 17 '19 01:12