Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistency with raising CSRFError #381

Open
pb-jeff-oneill opened this issue Oct 18, 2019 · 2 comments
Open

Inconsistency with raising CSRFError #381

pb-jeff-oneill opened this issue Oct 18, 2019 · 2 comments

Comments

@pb-jeff-oneill
Copy link

The Flask-WTF docs state:

When CSRF validation fails, it will raise a CSRFError.

However, this appears to only be true, if this optional code has been used:

from flask_wtf.csrf import CSRFProtect
csrf = CSRFProtect(app)

When that code is not used, forms are created by subclassing FlaskForm, and CSRF validation fails, then validate_on_submit returns False instead of raising CSRFError.

It seems that ideally you would always raise CSRFError for consistency, but if you don't want to do that, then it would be helpful to update the docs.

@davidism
Copy link
Member

It doesn't make sense to raise an unhandled exception during validation. I suppose the docs could be clearer that the extension raises the error, not forms. PRs welcome.

@jawatech
Copy link

You can check out form.errors after validate_on_submit() returns false.
It's more elegant.

@azmeuk azmeuk added the csrf label Jul 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

4 participants