Clean up CSRF section and move it to index page.

dzhou · Jul 5, 2015 · 1084cfb · 1084cfb
1 parent a935d7a
commit 1084cfb
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 69 deletions.
diff --git a/doc/advanced.rst b/doc/advanced.rst
@@ -336,75 +336,6 @@ Form Rendering Rule Description
 :class:`flask_admin.form.rules.FieldSet` Renders form header and child rules
 ======================================================= ========================================================
 
-Enabling CSRF Validation
------------------------------
-
-****
-
-TODO: make this easier to understand
-
-Adding CSRF validation will require overriding the :class:`flask_admin.form.BaseForm` by using :attr:`flask_admin.model.BaseModelView.form_base_class`.
-
-WTForms >=2::
-
- from wtforms.csrf.session import SessionCSRF
- from wtforms.meta import DefaultMeta
- from flask import session
- from datetime import timedelta
- from flask_admin import form
- from flask_admin.contrib import sqla
-
- class SecureForm(form.BaseForm):
- class Meta(DefaultMeta):
- csrf = True
- csrf_class = SessionCSRF
- csrf_secret = b'EPj00jpfj8Gx1SjnyLxwBBSQfnQ9DJYe0Ym'
- csrf_time_limit = timedelta(minutes=20)
-
- @property
- def csrf_context(self):
- return session
-
- class ModelAdmin(sqla.ModelView):
- form_base_class = SecureForm
-
-For WTForms 1, you can use use Flask-WTF's Form class::
-
- import os
- import flask
- import flask_wtf
- import flask_admin
- import flask_sqlalchemy
- from flask_admin.contrib.sqla import ModelView
-
- DBFILE = 'app.db'
-
- app = flask.Flask(__name__)
- app.config['SECRET_KEY'] = 'Dnit7qz7mfcP0YuelDrF8vLFvk0snhwP'
- app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + DBFILE
- app.config['CSRF_ENABLED'] = True
-
- flask_wtf.CsrfProtect(app)
- db = flask_sqlalchemy.SQLAlchemy(app)
- admin = flask_admin.Admin(app, name='Admin')
-
- class MyModelView(ModelView):
- # Here is the fix:
- form_base_class = flask_wtf.Form
-
- class User(db.Model):
- id = db.Column(db.Integer, primary_key=True)
- username = db.Column(db.String)
- password = db.Column(db.String)
-
- if not os.path.exists(DBFILE):
- db.create_all()
-
- admin.add_view( MyModelView(User, db.session, name='User') )
-
- app.run(debug=True)
-
-
 .. _database-backends:
 
 Using Different Database Backends

diff --git a/doc/index.rst b/doc/index.rst
@@ -75,6 +75,29 @@ There are many options available for customizing the display and functionality o
 For more details on that, see :ref:`customising-builtin-views`. For more details on the other
 ORM backends that are available, see :ref:`database-backends`.
 
+Enabling CSRF Validation
+-----------------------------
+
+****
+
+To add CSRF protection to the forms that are generated by *ModelView* instances, use the
+`FlaskWTF <https://flask-wtf.readthedocs.org/>`_ form class in your *ModelView*
+subclass by specifying the *form_base_class* parameter::
+
+ from flask_admin.contrib.sqla import ModelView
+ import flask_wtf
+
+ # Flask and Flask-SQLAlchemy initialization here
+
+ app.config['CSRF_ENABLED'] = True
+ flask_wtf.CsrfProtect(app)
+
+ class MicroBlogModelView(ModelView):
+ form_base_class = flask_wtf.Form
+
+The FlaskWTF form class comes with CSRF protection builtin, so it will generate
+the tokens for you, and validate them when the forms are submitted.
+
 Adding Content to the Index Page
 ------------------------------------
 The first thing you'll notice when you visit `http://localhost:5000/admin/ <http://localhost:5000/admin/>`_