From 6720d6816d0c2699ab84712fa68ab5cec3deb594 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?=
Date: Tue, 25 Jul 2023 22:13:37 +0200
Subject: [PATCH] fix: nested blueprints can be CSRF exempted
---
 docs/changes.rst | 1 +
 src/flask_wtf/csrf.py | 4 ++--
 tests/test_csrf_extension.py | 16 ++++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/docs/changes.rst b/docs/changes.rst
index 8c8da042..19d77c21 100644
--- a/docs/changes.rst
+++ b/docs/changes.rst
@@ -10,6 +10,7 @@ Unreleased
 ``flask.Markup`` :pr:`565` :issue:`561`
 - Stop support for python 3.7 :pr:`574`
 - Use `pyproject.toml` instead of `setup.cfg` :pr:`576`
+- Fixed nested blueprint CSRF exemption :pr:`572`
 Version 1.1.1
 -------------
diff --git a/src/flask_wtf/csrf.py b/src/flask_wtf/csrf.py
index 18e75971..06afa0cd 100644
--- a/src/flask_wtf/csrf.py
+++ b/src/flask_wtf/csrf.py
@@ -217,7 +217,7 @@ def csrf_protect():
 if not request.endpoint:
 return
- if request.blueprint in self._exempt_blueprints:
+ if app.blueprints.get(request.blueprint) in self._exempt_blueprints:
 return
 view = app.view_functions.get(request.endpoint)
@@ -292,7 +292,7 @@ def some_view():
 """
 if isinstance(view, Blueprint):
- self._exempt_blueprints.add(view.name)
+ self._exempt_blueprints.add(view)
 return view
 if isinstance(view, str):
diff --git a/tests/test_csrf_extension.py b/tests/test_csrf_extension.py
index 637c63b6..1a760b84 100644
--- a/tests/test_csrf_extension.py
+++ b/tests/test_csrf_extension.py
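Review bot: The new check in `csrf_protect` resolves `request.blueprint` to one Blueprint object, so an exemption does not cascade. If only a parent blueprint was passed to `exempt()`, the routes of a child nested under it are still CSRF-checked, at least as far as the dotted-name lookup that the new test relies on shows. That is the safer direction, but nothing on the changed line marks it as intended, so a later refactor could widen it unnoticed. I would add a comment above the check, for example `# Exempt only if this exact blueprint was passed to exempt(); a parent's exemption does not cover nested children.` The body of `csrf_protect` starts and ends outside the hunk.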
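Review bot: Storing the Blueprint object in `_exempt_blueprints` instead of `view.name` changes what an exemption covers, and the docstring that closes just above this branch should say so. Membership is now by object, so every registration of that Blueprint object skips the CSRF check, whether under another parent or under a different registered name. The old name comparison matched only a request whose blueprint name equalled `view.name`. A sentence such as `Exempting a blueprint disables CSRF protection everywhere that Blueprint object is registered.` would make the scope visible to anyone auditing exemptions. The docstring and the rest of the function are outside the hunk.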
@@ -154,6 +154,22 @@ def index():
 assert response.status_code == 200
+def test_exempt_nested_blueprint(app, csrf, client):
+ bp1 = Blueprint("exempt1", __name__, url_prefix="/")
+ bp2 = Blueprint("exempt2", __name__, url_prefix="/exempt")
+ csrf.exempt(bp2)
+
+ @bp2.route("/", methods=["POST"])
+ def index():
+ pass
+
+ bp1.register_blueprint(bp2)
+ app.register_blueprint(bp1)
+
+ response = client.post("/exempt/")
+ assert response.status_code == 200
+
+
 def test_error_handler(app, client):
 @app.errorhandler(CSRFError)
 def handle_csrf_error(e):
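Review bot: `test_exempt_nested_blueprint` only proves that the exempt child accepts a POST; it does not show that the exemption stays confined to `bp2`. Because this commit changes how exempt blueprints are matched, a negative assertion belongs next to the positive one. Give `bp1` its own POST route and check that it is still rejected, e.g. `assert client.post("/protected").status_code == 400` (400 assuming the default CSRF error response). Without it, a matching bug that also exempted the parent would pass this test.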