pythonpylonsformencodehtmlfill

Using Pylons validate and authenticate_form decorator


The validate and authenticate_form decorators don't seem to play nice together. This is my template:

<html>
<title>Test</title>
<body>
${h.secure_form('/meow/do_post')}
<input type="text" name="dummy">
<form:error name="dummy"><br>
<input type="submit" name="doit" value="Do It">
${h.end_form()}
</body>
</html>

And this is the controller:

import logging

from pylons import request, response, session, tmpl_context as c, url
from pylons.controllers.util import abort, redirect

from ocust.lib.base import BaseController, render
import formencode
import formencode.validators
from formencode import htmlfill
from pylons.decorators import validate
from pylons.decorators.secure import authenticate_form

class MeowForm(formencode.Schema):
    allow_extra_fields = True
    dummy = formencode.validators.NotEmpty()

class MeowController(BaseController):

    def index(self): 
        return render('/index.mako')

    @authenticate_form
    @validate(schema=MeowForm(), form='index')
    def do_post(self):
        return 'posted OK'

If validation fails, the form is re-rendered using htmlfill.render by the @validate decorator, but this strips out the authentication token, so a 403 CSRF detected error is shown the next time the form is submitted.

The authentication token seems to be stripped because @authenticate_form deletes the authentication token from request.POST.

If this is used instead:

@validate(schema=MeowForm(), form='index', force_defaults=False)

it works fine. Is there anything bad that can happen if force_defaults is set to False? The docs for htmlfill seem to recommend it be set to True when the defaults "are the result of a form submission".


Solution

  • @validate(schema=MeowForm(), form='index')
    @authenticate_form
    def do_post(self):
    

    You need to change order of decorators, authenticate decorator must be last