wtforms, CSRF, flask, FieldList


The issue seems to be that Flask-WTForms Form is actually a subclass of wtforms.ext.SecureForm - and the only way to disable the csrf protection on a form is to pass the keyword argument csrf_enabled=False to the form when constructing it. Since FormField actually handles instantiating the form, you can either:

  • Create a subclass of FormField that will let you pass in form keyword arguments
    or
  • Subclass wtforms.Form rather than flask.ext.wtforms.Form for your FilterForm (as long as you never display a FilterForm on its own you won't need to worry about CSRF).


After encountering the same problem, I wanted to supply a third option to the solution above.

You can also override the constructor in your form class to replace the default value of csrf_enabled. This has the advantage that you can use the same form definition as both a fieldlist member, and a standalone form with CSRF enabled by passing csrf_enabled=True.

    class FilterForm(wtf.Form):
        field = wtf.Form ...

        def __init__(self, csrf_enabled=False, *args, **kwargs):
            super(FilterForm, self).__init__(csrf_enabled=csrf_enabled, *args, **kwargs)


It seems csrf_enabled is deprecated. Here's a solution that works with Flask-WTForms 0.14.2, partially based on leebriggs's answer. Rather than pass a parameter when creating the form, I just created a xNoCsrf subclass, because I didn't want someone to accidentally forget to include the CSRF token when they do want it. This way, you have to type NoCsrf to get the non-CSRF version.

    class FilterForm(FlaskForm):
        <some stuff here>

    class FilterFormNoCsrf(FilterForm):
        def __init__(self, *args, **kwargs):
            super(FilterFormNoCsrf, self).__init__(meta={'csrf':False}, *args, **kwargs)

Here is the documentation for csrf field of the meta class.