I'm not 100% sure if this is by design, but assume this model:
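
    from flask_mongoengine.wtf import model_form
    from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField

    class B(EmbeddedDocument):
        ...

    class A(Document):
        b = EmbeddedDocumentField(B)  # rendered as a nested FormField

    form_class = model_form(A)  # form class generated from the document model
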
As model_form() uses the secured form from flask-wtf as base class, this will create CSRF token fields not only for the parent form (A) but also for each Embedded document. In practice, even though I use only one view to edit the complete form, I need to manually add a CSRF token form call in the template for each of the Embedded documents. So with a document with 6 embedded documents, that's 7 separate CSRF codes. CSRF can be turned off by passing csrf_enabled=False to the constructor of the Form, but as I'm only explicitly calling the parent form A and still want it CSRF enabled, there is no way that I can see to make CSRF not appear for FormFields.
Is this intentional, am I missing a solution or is it something worth fixing in the codebase?