I have a Flask form (WTForms) which consists of several inserted FormFields. I don't know how to deal with the fact that each sub-form and the main form generates its own CSRF token.
Should I render all tokens in the template? Deactivate CSRF for "inner" forms? The view itself wouldn't be accessible to all (only staff users).
Here is forms.py:
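from flask_wtf import FlaskForm
from wtforms import FieldList, FormField, HiddenField, StringField, SubmitField
from wtforms.validators import AnyOf

class PersonForm(FlaskForm):
    name = StringField('Name')
    role = HiddenField(validators=[AnyOf(values=['A', 'T', 'R', 'I'])])

class CreatorsForm(FlaskForm):
    # Each FormField wraps a PersonForm pre-filled with its role.
    authors = FieldList(FormField(PersonForm, default={'role': 'A'}), min_entries=3)
    translators = FieldList(FormField(PersonForm, default={'role': 'T'}), min_entries=3)
    submit = SubmitField('Submit')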
The presented code is just the beginning of a much bigger form, which I'd have to convert into a step form. So I render the fields manually, and my template looks like this:
<form class="form form-horizontal" action="" method="POST" accept-charset="utf-8">
    {{ form.hidden_tag() }}
    <div class="container" id="authors">
        <h4>{{ form.authors.label }}</h4>
        {% for f in form.authors %}
            <p> {{ f.form.name.label }} {{ f.form.name() }}</p>
        {% endfor %}
        {% for error in form.authors.errors %}
            <span style="color: red">{{ error }}</span>
        {% endfor %}
    </div> <br>
    <div class="container" id="translators">
        <h4>{{ form.translators.label }}</h4>
        {% for f in form.translators %}
            <p>{{ f.form.name.label }} {{ f.form.name() }}</p>
        {% endfor %}
        {% for error in form.translators.errors %}
            <span style="color: red">{{ error }}</span>
        {% endfor %}
    </div>
    <p>{{ form.submit() }}</p>
</form>