Booleanfield's checked state got broken in 2.2

If an object's member variable is True, the generated field's data will be False.

# user.verified is True

class UserEditForm(Form):
    verified = BooleanField('verified')

form = UserEditForm(obj=user)
print(user.verified) # True
print(form.verified.data) # False

According to http://www.w3.org/TR/html-markup/syntax.html#syntax-attributes attribute name allows almost all characters, including - (dash)

I'm trying to create an <input> tag with attribute data-toggle to work with Flat-UI's css definition, but unfortunately current design of Field.__call__ doesn't allow such attribute names.

https://github.com/wtforms/wtforms/blob/2.1/wtforms/ext/sqlalchemy/fields.py#L188-L190

In 1.2 identity_key returns a third item which is not really relevant here but breaks the list unpacking. I would suggest this change to support both 1.1 and 1.2:

-cls, key = identity_key(instance=obj)
+key = identity_key(instance=obj)[1]

For reference, here's the relevant part of the traceback with WTForms 2.1 and SQLAlchemy 1.2:

  File ".../wtforms/ext/sqlalchemy/fields.py", line 100, in _get_object_list
    self._object_list = list((text_type(get_pk(obj)), obj) for obj in query)
  File ".../wtforms/ext/sqlalchemy/fields.py", line 100, in <genexpr>
    self._object_list = list((text_type(get_pk(obj)), obj) for obj in query)
  File ".../wtforms/ext/sqlalchemy/fields.py", line 189, in get_pk_from_identity
    cls, key = identity_key(instance=obj)
ValueError: too many values to unpack

Hello,

I have a form that looks like this,

class VoteForm(Form):
    article_id = IntegerField('article_id', [validators.DataRequired()])
    vote_type  = IntegerField('vote_type', [validators.InputRequired(), validators.NumberRange(min = 0, max = 1)])

and create the form with,

form = VoteForm(data = request.json_body)

request.json_body is the dictionary {u'article_id': 1, u'vote_type': 0}.

I would expect that the value 0 is fine with InputRequired but it seems it is not.

Took a similar approach to SelectField and SelectMultipleField. The FileInput widget now takes a multiple argument, and there are two fields FileField and MultipleFileField.

FileField is no longer based on StringField, since it's only a coincidence that the data is a string. I updated the docs to clarify that extensions might change what data is passed to this field (see Flask-WTF for example).

If no data is passed to the field, its data is None rather than the empty string. There was no test for this before, so I figured it was ok to break this. None makes more sense for "no file was uploaded". The multiple field will have an empty list for no data.

FileInput always sets value to False so that it is not rendered. Browsers won't honor the value of a file input for security reasons anyway. FileField._value returns False as well, to be consistent if the widget it changed.

An alternate implementation could use one FileField with a multiple argument as well. I'm willing to implement that instead if it sounds better.

This patch contains #280 (call process_formdata if formdata is empty) since testing this ran into that issue. Merging this after that, or just closing that, should both work in git.

This allows to specify a function returning a dictionary for field_flags. This allows validators to set flags which are supported directly in HTML for client side validation, such as minlength, which then get rendered appropriately by the widgets supporting that attribute.

Fixes #406

(This PR is a resubmission of #258.)

Three facets two consider:

1. New behaviour adds None for empty errors. Maybe it should add [] so users can avoid the extra is not None?
2. To localize errors, it's only necessary to add Nones up to the latest error, e.g. ['a', '', 'a'] -> [None, <errors>] instead of [None, <errors>, None]. It might be more convenient to have the error list the same length as the data.
3. If no errors, the old behaviour (errors == []) is kept. Ditto above on convenience.

Hi,

I am trying to add "required" validation on FileField in Pyramid.

When I don't provide any file and submit the form, it works fine by providing "The field is required" message. However, when I actually choose a file and submit the form, I am getting errors. (Please see stacktrace at the end)

The following is the minimal code to reproduce the error.

Pyramid view and Form:

class File(Form):
    file = FileField('Upload a file', validators=[required()])


@view_config(route_name='upload', renderer='templates/file.pt')
def file_view(request):
    file = File(request.POST)
    if request.method == 'POST' and file.validate():
        return render_to_response('templates/success.pt',
                                  {},
                                  request=request)
    return {'form': file}

And chameleon template:

<!DOCTYPE HTML>
<html lang="en">
<body>
    <form method="POST" enctype="multipart/form-data" accept-charset="utf-8">
        <span tal:repeat="field form">
            ${field.label} ${field()}
            <span class="error" tal:repeat="error field.errors">
                <span>${error}</span>
            </span>
            <br><br>
        </span>
        <input type="submit" value="submit">
    </form>
</body>
</html>

The error I am getting is the following:

    if request.method == 'POST' and file.validate():
  File "/home/james/venv/lib/python3.5/site-packages/wtforms/form.py", line 310, in validate
    return super(Form, self).validate(extra)
  File "/home/james/venv/lib/python3.5/site-packages/wtforms/form.py", line 152, in validate
    if not field.validate(self, extra):
  File "/home/james/venv/lib/python3.5/site-packages/wtforms/fields/core.py", line 204, in validate
    stop_validation = self._run_validation_chain(form, chain)
  File "/home/james/venv/lib/python3.5/site-packages/wtforms/fields/core.py", line 224, in _run_validation_chain
    validator(form, self)
  File "/home/james/venv/lib/python3.5/site-packages/wtforms/validators.py", line 201, in __call__
    if not field.data or isinstance(field.data, string_types) and not field.data.strip():
  File "/usr/lib/python3.5/cgi.py", line 661, in __bool__
    raise TypeError("Cannot be converted to bool.")
TypeError: Cannot be converted to bool.

Any help is appreciated!

We have this logo for the wtforms group:

And we have this logo for the documentation:

Both are in poor resolution. We should probably make them svgs.

Any suggestions or help is welcomed!

When adding a DataRequired or InputRequired validator to a RadioField, the required attribute of the input tag.

Here's the function I wrote that reveals the problem:

    @bp.route('/<string:slug>/survey', methods=['GET', 'POST'])
    def survey(slug):
        survey = Survey.query.filter_by(slug=slug).first_or_404()
        questions = survey.questions
        for question in questions:
            if question.category == 'word':
                field = StringField(question.question, validators=[InputRequired()])
            elif question.category == 'likert':
                choices = [('1', 'Strongly Agree'),
                           ('2', 'Agree'),
                           ('3', 'Neutral'),
                           ('4', 'Disagree'),
                           ('5', 'Strongly Disagree')]
                field = RadioField(question.question, choices=choices, validators=[InputRequired()])
            setattr(FlaskForm, str(question.id), field)
        setattr(FlaskForm, 'submit', SubmitField('Submit'))
        form = FlaskForm()
        if form.validate_on_submit():
            response = Response(survey=survey)
            db.session.add(response)
            for question in questions:
                answer = Answer(question=question, response=response)
                field = getattr(form, str(question.id))
                if question.category == 'word':
                    answer.answer = field.data
                elif question.category == 'likert':
                    choices = {'1': 'Strongly Agree',
                               '2': 'Agree',
                               '3': 'Neutral',
                               '4': 'Disagree',
                               '5': 'Strongly Disagree'}
                    answer.answer = choices[field.data]
                db.session.add(answer)
            db.session.commit()
            with open('app/static/ty.txt', 'r') as f:
                ty = [x.strip() for x in f.readlines()]
            return render_template('ty.html', ty=ty)
        return render_template('survey.html', form=form, questions=questions)

I understand there might be other issues with the above (such as me being informed I should subclass FlaskForm).

The above function gives the following input tag for a StringField:

    <input class="form-control" id="4" name="4" required="" type="text" value="">

This is the input tag for a RadioField:

    <input id="1-0" name="1" type="radio" value="1">

While in the browser's debugger, if I edit the above to <input id="1-0" name="1" type="radio" value="1" required="">, the radio button requires a selection.

Hi,

I have just updated my WTForms requirements from 2.1 to 2.2.1 but it triggers what looks like a python 3 compatibility issue (I reproduced the issue both with python 3.7.2 and 3.6.8).

Here is a traceback:

  File "/opt/workspace/burp-ui/burpui/routes.py", line 479, in login
    form = LoginForm(request.form)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/wtforms/form.py", line 212, in __call__
    return type.__call__(cls, *args, **kwargs)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/flask_wtf/form.py", line 88, in __init__
    super(FlaskForm, self).__init__(formdata=formdata, **kwargs)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/wtforms/form.py", line 272, in __init__
    super(Form, self).__init__(self._unbound_fields, meta=meta_obj, prefix=prefix)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/wtforms/form.py", line 52, in __init__
    field = meta.bind_field(self, unbound_field, options)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/wtforms/meta.py", line 27, in bind_field
    return unbound_field.bind(form=form, **options)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/wtforms/fields/core.py", line 353, in bind
    return self.field_class(*self.args, **kw)
  File "/root/.pyenv/versions/3.6.8/envs/bui-3.6.8/lib/python3.6/site-packages/wtforms/fields/core.py", line 451, in __init__
    self.choices = copy(choices)
  File "/root/.pyenv/versions/3.6.8/lib/python3.6/copy.py", line 96, in copy
    rv = reductor(4)
TypeError: can't pickle dict_items objects

My guess is this was introduced by #286

I'm also not sure whereas the default should be None or [] (since copy(None) => None)

I also don't know if I should make this PR against the 2.2 maintenance branch or not.

Actual Behavior

from wtforms import Form, SelectField

class MyForm(Form):
    foo = SelectField()


def test_construct():
    form = MyForm()
    assert form.foo.choices == []

When you run the test, it fails because form.foo.choices is None, not []:

./src/dyk_tools/test_select_form.py::test_construct Failed: [undefined]assert None == []
 +  where None = <wtforms.fields.choices.SelectField object at 0x7fac5325fbe0>.choices
 +    where <wtforms.fields.choices.SelectField object at 0x7fac5325fbe0> = <dyk_tools.test_select_form.MyForm object at 0x7fac5325fa90>.foo
def test_construct():
        form = MyForm()
>       assert form.foo.choices == []
E       assert None == []
E        +  where None = <wtforms.fields.choices.SelectField object at 0x7fac5325fbe0>.choices
E        +    where <wtforms.fields.choices.SelectField object at 0x7fac5325fbe0> = <dyk_tools.test_select_form.MyForm object at 0x7fac5325fa90>.foo

Expected Behavior

form.foo.choices should be [] as is documented at https://wtforms.readthedocs.io/en/3.0.x/fields/#wtforms.fields.SelectField

As a more practical example with this Flask code:

class TemplateForm(Form):
    name = SelectField(validate_choice=False)

def home_page():
    form = TemplateForm(request.form)
    if request.method == "POST" and form.validate():
        return redirect(url_for("display", template_name=form.name.data))
    form.name.choices = get_pending_nominations()
    return render_template("home_page.html", form=form)

It fails on the POST branch with:

Traceback (most recent call last):
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/flask/app.py", line 2548, in __call__
    return self.wsgi_app(environ, start_response)
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/flask/app.py", line 2528, in wsgi_app
    response = self.handle_exception(e)
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/flask/app.py", line 2525, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/flask/app.py", line 1822, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/flask/app.py", line 1820, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/flask/app.py", line 1796, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/Users/roy/dev/dyk-tools/src/dyk_tools/flask_app/app.py", line 14, in home_page
    if request.method == "POST" and form.validate():
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/wtforms/form.py", line 329, in validate
    return super().validate(extra)
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/wtforms/form.py", line 146, in validate
    if not field.validate(self, extra):
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/wtforms/fields/core.py", line 231, in validate
    self.pre_validate(form)
  File "/Users/roy/dev/dyk-tools/venv/lib/python3.9/site-packages/wtforms/fields/choices.py", line 136, in pre_validate
    raise TypeError(self.gettext("Choices cannot be None."))
TypeError: Choices cannot be None.

Explicitly setting choices to []:

    name = SelectField(validate_choice=False, choices=[])

makes things work as expected.

Environment

• Python version: 3.9.13
• wtforms version: 3.0.1

Describe the issue you are attempting to fix

This issue was previously raised in #450.

The HTML standard for datetime-local inputs set the default step attribute to 60, meaning that the lowest denomination of input can be expressed in minutes, not seconds.

https://html.spec.whatwg.org/#local-date-and-time-state-(type=datetime-local)

The step attribute is expressed in seconds. The step scale factor is 1000 (which converts the seconds to milliseconds, as used in the other algorithms). The default step is 60 seconds.

In such cases, it seems that common browser behaviour is to then send the input value, without any seconds, on form submission, in the format -

2022-11-02T12:23

The current default of WTForms is to validate against two possible date formats, both that require seconds -

def __init__(self, *args, **kwargs):
        kwargs.setdefault("format", ["%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"])

If seconds are not found, the validation will fail -

Not a valid datetime value.

Current fixes

This issue can be fixed by adding the correct format to a DateTimeLocalField() instance -

example_date_time = DateTimeLocalField('Example datetime', format="%Y-%m-%dT%H:%M")

or by change input step size to allow seconds (in HTML)**

<input type="datetime-local" step="1">

Proposal

Very simple PR to bring WTForms in line with the default behaviour of some browsers, by adding two formats (without seconds) to the default formats of DateTimeLocalField.

    def __init__(self, *args, **kwargs):
        kwargs.setdefault("format", ["%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M"])

for Regexp validator set html input tag 'pattern' attribute (used if novalidate not set on a form)

Similar to the Length validator that sets the html input attributes minlength and maxlength I found it useful to have this for regex patterns as well. One advantage of using the browser is to get the message translated already (even tough here it is a bit generic, since it only says input needs to match the requested format and does not tell about the format itself)

added some basic test ... not sure if that is accepted this way?

In the RTD download section only old doc is available for download. I tried to create RTD project pointing to this repo, with epub and pdf enabled, but the build process yield no downloadable doc, until I fork this repo and specified the output format in the yaml config. If the official RTD project already have epub/pdf build enabled, it probably needs this change, otherwise please reject this.

I found no way to turn off csrf if testing with pytest. Am I missing something? Functional tests and app in production actually produce CSRF, thats all good. however I wan't to disable this for testing because all validates fail in testing as testing can't handle csrf. (this might be a "workaround" for all you interested - I wanted to go the "quick" way and disable csrf in testing and here I am 3 hours later).

Following meta.rst and csrf.rst my Class looks like this. I use Flask so I return session.

app/form/form.py

...
from app.config import Config
class BaseForm(ModelForm):
    class Meta:
        csrf = True
        csrf_class = SessionCSRF
        csrf_secret = Config.CSRF_SECRET_KEY

        @property
        def csrf_context(self):
            return session

app/__init__.py Inititiation:

import os
from flask import Flask
from app.config import Config

def create_app(test_config=None):

    app = Flask(__name__, instance_relative_config=True)

    app.config.from_object(Config)

    if test_config:
        app.config.from_mapping(test_config)

....#blueprints and blabla

config.py for the staging and production apps

from dotenv import dotenv_values
env = dotenv_values(".env")
class Config:

    SECRET_KEY = env.get("SECRET_KEY")
    CSRF_SECRET_KEY = env.get("CSRF_SECRET_KEY").encode()
    SQLALCHEMY_TRACK_MODIFICATIONS = False
    SQLALCHEMY_DATABASE_URI = "sqlite:///../instance/database.sqlite"

conftest.py for pytest, here you see the apparently legacy config commands which should stop CSRF according to half of the population of the internet

import pytest

from app import create_app
from app.db import db

test_config = {
    "SECRET_KEY": "TEST_CONFIG",
    "TESTING": True,
    "SQLALCHEMY_DATABASE_URI": "sqlite:///:memory:",
    "WTF_CSRF_ENABLED": False,
    "WTF_CSRF_CHECK_DEFAULT": False,
    "WTF_CSRF_SECRET_KEY":None,
    "CSRF_SECRET_KEY":None,
}

@pytest.fixture(scope="session")
def test_app():

    test_app = create_app(test_config=test_config)
    with test_app.app_context():

        db.create_all()
        yield test_app
        db.drop_all()

None of these apparently legacy (?) config parameters for the app factory of flask switch off csrf globally for testing - forms expect csrf tokens to be validated True

Is there no way to disable CSRF at app initiation, what am I missing?

wtforms==3.0.1 ; python_version >= "3.8" and python_version < "4.0"

FAQ Claims compatibility with python 3.6 : https://wtforms.readthedocs.io/en/3.0.x/faq/#what-versions-of-python-are-supported

Changelog does not exists for 3.0.1 : https://wtforms.readthedocs.io/en/3.0.x/changes/#version-3-0-0