Check if CSRFProtect is enabled when using table delete action

greyli · greyli · commit 15b317ec5fce · 2021-09-04T12:20:18.000+08:00
diff --git a/docs/macros.rst b/docs/macros.rst
@@ -520,7 +520,21 @@ The following arguments are expect to accpet an URL tuple:
 You can also pass a fiexd URL string, but use a primary key placeholder in the URL is deprecated and will be removed
 in version 2.0.
 
-The ``new_url`` expects a fixed URL string or an endpoint.
+When setting the ``delete_url``, you will also need to enable the CSRFProtect extension provided by Flask-WTF, so that
+the CSRF protection can be added to the delete button:
+
+.. code-block:: text
+
+    $ pip install flask-wtf
+
+.. code-block:: python
+
+    from flask_wtf import CSRFProtect
+
+    csrf = CSRFProtect(app)
+
+By default, it will enable the CSRF token check for all the POST requests, read more about this extension in its
+`documentation <https://flask-wtf.readthedocs.io/en/0.15.x/csrf/>`_.
 
 
 render_icon()
diff --git a/flask_bootstrap/templates/bootstrap/table.html b/flask_bootstrap/templates/bootstrap/table.html
@@ -1,7 +1,7 @@
 {% from 'bootstrap/utils.html' import render_icon, arg_url_for %}
 
 {% macro deprecate_placeholder_url() %}
-    {{ warn('Passing an URL with primary key palceholder for view_url/edit_url/delete_url/custom_actions is deprecated. You will need to pass an fixed URL or an URL tuple to URL arguments, see the API docs of render_table for more details. The support to URL string will be removed in version 2.0.') }}
+    {{ warn('Passing an URL with primary key palceholder for view_url/edit_url/delete_url/custom_actions is deprecated. You will need to pass an fixed URL or an URL tuple to URL arguments, see the docs for more details (https://bootstrap-flask.readthedocs.io/en/stable/macros.html#render-table). The support to URL string will be removed in version 2.0.') }}
 {% endmacro %}
 
 {% macro build_url(endpoint, model, pk, url_tuples) %}
@@ -147,6 +147,9 @@
                    action="{{ build_url(delete_url[0], model, row[primary_key], delete_url[1]) | trim }}"
                   {% endif %}
                    method="post">
+                  {% if csrf_token is undefined %}
+                  {{ raise('You have to enable the CSRFProtect extension from Flask-WTF to use delete_url, see the docs for more details (https://bootstrap-flask.readthedocs.io/en/stable/macros.html#render-table).') }}
+                  {% endif %}
                 <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                 <a class="action-icon text-decoration-none"
                     href="javascript:{}"
