Goals:

• 学习使用WTForms.
• 学习使用Flask-WTF
• 学习使用如何写Flask插件.
• 学习什么是CSRF(待完成).
• 学习flask中的redirect.

Part1 WTForms --- A Quick Start.

---

Let's begin from A mini example.

# flask_wtf_demo.py
from flask import Flask, render_template
from flask_wtf import Form
from wtforms import StringField, SubmitField
from wtforms.validators import DataRequired

app = Flask(__name__)
app.config['SECRET_KEY'] = "salt river"

class MyForm(Form):
    name = StringField("what's your name", validators=[DataRequired()])
    submit = SubmitField('Submit')

@app.route('/index', methods=('GET', 'POST'))
def submit():
    name = None
    form = MyForm()
    if form.validate_on_submit():
        name = form.name.data 
        form.name.data = ''
    return render_template('index.html', form=form, name=name)

if __name__ == '__main__':
    app.run(debug=True)

<!DOCTYPE html>
<html>
<head>
    <title>Flask-WTF Demo</title>
</head>
<body>
    <form method="POST">
        {{ form.hidden_tag() }}
        {{ form.name.label }} {{ form.name() }}
        {{ form.submit() }}
    </form>

    {% if not name %}
    <p>Hello, Stranger.</p>
    {% else %}
    <p>Hello, {{name}}</p>
    {% endif %}
</body>
</html>

Part2 Flask-WTF

---

下面我们一起来追踪一下程序执行流程，重点关注，flask.request, session, current_app中的信息是怎么与插件交互的. 当我们执行完这段代码时候（此时request还没有到来）:

class MyForm(Form):
    name = StringField("what's your name", validators=[DataRequired()])
    submit = SubmitField('Submit')

实际上MyForm的metaclass（wtforms中的FormMeta类）已经在定义类的时候干了很多事情了.具体干了哪些事呢？我们暂时只关注结果就行了. 查看MyForm.name, 和MyForm.submit中的内容.

• MyForm.name ---> <UnboundField(StringField, ("what's your name",), {'validators': [<wtforms.validators.DataRequired object at 0x10310cc10>]})>
• MyForm.submit ---> <UnboundField(SubmitField, ('Submit',), {})>
  从字面意思来理解就是未被绑定的Field.因为还没有与具体的request/app中的Form进行绑定.当我们直接初始化form = MyForm()时， 会出现 "RuntimeError: working outside of application context."原因在于，在flask_wtf.Form中的init函数中:

        if csrf_enabled is None:
            csrf_enabled = current_app.config.get('WTF_CSRF_ENABLED', True)

current_app并没有push到Request_Context中.
下面我们在命令行中做下面的实验:

$python -i flask_wtf_demo.py
>>>#模拟"GET"方法.
>>>ctx=app.test_request_context('127.0.0.1:5000/index')
>>>form = MyForm()
>>>form.name.data  # None
>>>form.validate()
False
>>>form.errors
...
>>>form.name.label()
u'<label for="name">what\'s your name</label>'
>>>form.name()
u'<input id="name" name="name" type="text" value="">'
>>>ctx.pop()

对应到flask_wtf源码中就是Form.init中:

        if formdata is _Auto:
            if self.is_submitted():
                ...
            else:
                formdata = None # <------

因为为"GET"方法所以formdata为None.
另一个实验,在命令行中测试"POST"方法:

>>>ctx = app.test_request_context('127.0.0.1:5000/index', method='POST', data={'name': 'saltriver'})
>>>ctx.push()
>>>form=MyForm(csrf_enabled=False)
>>>form.validate()
True
>>>form.validate_on_submit()
True

于是我们便可以对form进行处理了.

Part 3 Redirect重定向.

---

@app.route('/', methods=('GET', 'POST'))
def submit():
    name = None
    form = MyForm()
    if form.validate_on_submit():
        session['name'] = form.name.data
        return redirect(url_for('submit'))
    return render_template('index.html', form=form, name=session.get('name'))

下面看看redirect的实现.