Validation (FileAllowed) issue upgrading 0.13.1 -> 0.14 #276
@ThiefMaster on #pocoo suggested trying
Turns out my assumption was wrong: empty file fields still populate
Fixed in release 0.14.1 on PyPI.
@davidism Thank you very much for getting this sorted so fast. It's a massive help.
* Upgraded Flask-WTF to 0.14.1 to fix issue with empty fields. Thanks to @davidism in issue for resolving so quickly. wtforms/flask-wtf#276
* Moved back to flask_wtf.file.FileField as deprecation has been removed.
Version 0.14.2
--------------

Released 2017-01-10

- Fix bug where ``FlaskForm`` assumed ``meta`` argument was not ``None`` if it was passed. (`#278`_)

.. _#278: wtforms/flask-wtf#278

Version 0.14.1
--------------

Released 2017-01-10

- Fix bug where the file validators would incorrectly identify an empty file as valid data. (`#276`_, `#277`_)
- ``FileField`` is no longer deprecated. The data is checked during processing and only set if it's a valid file.
- ``has_file`` *is* deprecated; it's now equivalent to ``bool(field.data)``.
- ``FileRequired`` and ``FileAllowed`` work with both the Flask-WTF and WTForms ``FileField`` classes.
- The ``Optional`` validator now works with ``FileField``.

.. _#276: wtforms/flask-wtf#276
.. _#277: wtforms/flask-wtf#277

Version 0.14
------------

Released 2017-01-06

- Use itsdangerous to sign CSRF tokens and check expiration instead of doing it ourselves. (`#264`_)
- All tokens are URL safe, removing the ``url_safe`` parameter from ``generate_csrf``. (`#206`_)
- All tokens store a timestamp, which is checked in ``validate_csrf``. The ``time_limit`` parameter of ``generate_csrf`` is removed.
- Remove the ``app`` attribute from ``CsrfProtect``, use ``current_app``. (`#264`_)
- ``CsrfProtect`` protects the ``DELETE`` method by default. (`#264`_)
- The same CSRF token is generated for the lifetime of a request. It is exposed as ``g.csrf_token`` for use during testing. (`#227`_, `#264`_)
- ``CsrfProtect.error_handler`` is deprecated. (`#264`_)
- Handlers that return a response work in addition to those that raise an error. The behavior was not clear in previous docs.
- (`#200`_, `#209`_, `#243`_, `#252`_)
- Use ``Form.Meta`` instead of deprecated ``SecureForm`` for CSRF (and everything else). (`#216`_, `#271`_)
- ``csrf_enabled`` parameter is still recognized but deprecated. All other attributes and methods from ``SecureForm`` are removed. (`#271`_)
- Provide ``WTF_CSRF_FIELD_NAME`` to configure the name of the CSRF token. (`#271`_)
- ``validate_csrf`` raises ``wtforms.ValidationError`` with specific messages instead of returning ``True`` or ``False``. This breaks anything that was calling the method directly. (`#239`_, `#271`_)
- CSRF errors are logged as well as raised. (`#239`_)
- ``CsrfProtect`` is renamed to ``CSRFProtect``. A deprecation warning is issued when using the old name. ``CsrfError`` is renamed to ``CSRFError`` without deprecation. (`#271`_)
- ``FileField`` is deprecated because it no longer provides functionality over the provided validators. Use ``wtforms.FileField`` directly. (`#272`_)

.. _`#200`: wtforms/flask-wtf#200
.. _`#209`: wtforms/flask-wtf#209
.. _`#216`: wtforms/flask-wtf#216
.. _`#227`: wtforms/flask-wtf#227
.. _`#239`: wtforms/flask-wtf#239
.. _`#243`: wtforms/flask-wtf#243
.. _`#252`: wtforms/flask-wtf#252
.. _`#264`: wtforms/flask-wtf#264
.. _`#271`: wtforms/flask-wtf#271
.. _`#272`: wtforms/flask-wtf#272

Version 0.13.1
--------------

Released 2016/10/6

- Deprecation warning for ``Form`` is shown during ``__init__`` instead of immediately when subclassing. (`#262`_)
- Don't use ``pkg_resources`` to get version, for compatibility with GAE. (`#261`_)

.. _`#261`: wtforms/flask-wtf#261
.. _`#262`: wtforms/flask-wtf#262

Version 0.13
------------

Released 2016/09/29

- ``Form`` is renamed to ``FlaskForm`` in order to avoid name collision with WTForms's base class. Using ``Form`` will show a deprecation warning. (`#250`_)
- ``hidden_tag`` no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (`#217`_, `#193`_)
- ``flask_wtf.html5`` is deprecated. Import directly from ``wtforms.fields.html5``. (`#251`_)
- ``is_submitted`` is true for ``PATCH`` and ``DELETE`` in addition to ``POST`` and ``PUT``. (`#187`_)
- ``generate_csrf`` takes a ``token_key`` parameter to specify the key stored in the session. (`#206`_)
- ``generate_csrf`` takes a ``url_safe`` parameter to allow the token to be used in URLs. (`#206`_)
- ``form.data`` can be accessed multiple times without raising an exception. (`#248`_)
- File extension with multiple parts (``.tar.gz``) can be used in the ``FileAllowed`` validator. (`#201`_)

.. _`#187`: wtforms/flask-wtf#187
.. _`#193`: wtforms/flask-wtf#193
.. _`#201`: wtforms/flask-wtf#201
.. _`#206`: wtforms/flask-wtf#206
.. _`#217`: wtforms/flask-wtf#217
.. _`#248`: wtforms/flask-wtf#248
.. _`#250`: wtforms/flask-wtf#250
.. _`#251`: wtforms/flask-wtf#251
Seems that this bug still exists using the following setup:
form class definition
route
rendering
Using this setup and submitting an empty form will print
What's the problem in Flask-WTF? Werkzeug adds empty file objects for each field received, regardless of if the file contained data. You're not using Flask-WTF to process the form data, so it won't check that the object is empty.
But there is no other way to process multiple files in Flask-WTF at the moment, right?
Gives you
Probably something that would be fixed with your patch right?
Yes, I was about to link that. As it says at the bottom, just copy those fields into your own code, there's nothing requiring them to be in WTForms.
form_fix.py
form class definition
This renders something that looks like a StringInput behind the FileInput when using The rendered html:
By manually calling
Please use Stack Overflow for questions about your own code. If you have a new bug report, after ensuring it is a bug with Flask-WTF, please open a new issue.
I upgraded Flask-WTF last night from 0.13.1 -> 0.14
The issue I have is that when the FileField is blank (if the user chooses not to upload an image) then the validation fails. I do not require the field.
If I do this through my test suite all is okay using the following code:
The post is successful. However if I make the request through Firefox (or Chrome) the validation is triggered saying I have an invalid format.
Request body:
This was happening before I fixed the deprecation warnings that FileField is getting removed and to use the built-in WTForms FileField and after I changed the code to use this. I believe it's something to do with this change but can't find any documentation.
I have had to revert the change as it stopped my site being usable.
Thanks in advance
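An added example, not code from this thread or from Flask-WTF: it uses Python's standard-library MIME parser in place of Werkzeug to show why the browser request and the test-suite request described above reach the validator differently. The request bodies, field names and both check functions are constructed for illustration.

```python
from email import message_from_bytes

BOUNDARY = "constructed-boundary"  # constructed sample value
CTYPE = f"multipart/form-data; boundary={BOUNDARY}"

def _part(headers, body=b""):
    return f"--{BOUNDARY}\r\n{headers}\r\n\r\n".encode() + body + b"\r\n"

TITLE = _part('Content-Disposition: form-data; name="title"', b"hello")
END = f"--{BOUNDARY}--\r\n".encode()
# Constructed: a browser submits a blank file input as an empty part.
BROWSER_BODY = TITLE + _part(
    'Content-Disposition: form-data; name="image"; filename=""\r\n'
    "Content-Type: application/octet-stream") + END
# Constructed: a test client that leaves the file field out entirely.
TEST_CLIENT_BODY = TITLE + END
# Constructed: a real upload.
UPLOAD_BODY = TITLE + _part(
    'Content-Disposition: form-data; name="image"; filename="cat.PNG"\r\n'
    "Content-Type: image/png", b"PNGDATA") + END

def file_parts(content_type, body):
    """Return {field: (filename, data)} for each part with a filename parameter."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    found = {}
    for part in message_from_bytes(raw).get_payload():
        filename = part.get_filename()  # None for ordinary text fields
        if filename is not None:
            name = part.get_param("name", header="content-disposition")
            found[name] = (filename, part.get_payload(decode=True))
    return found

def _extension_verdict(filename, allowed):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "ok" if ext in allowed else "invalid"

def presence_only_check(files, field, allowed):
    """Hypothetical check: any part under the field name counts as an upload."""
    if field not in files:
        return "absent"
    return _extension_verdict(files[field][0], allowed)

def empty_aware_check(files, field, allowed):
    """Hypothetical check: an empty filename means no file was chosen."""
    filename = files.get(field, ("", b""))[0]
    if not filename:
        return "absent"
    return _extension_verdict(filename, allowed)
```

Werkzeug's `FileStorage` is falsy when its filename is empty, which is the condition the 0.14.1 changelog entry `bool(field.data)` relies on.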