protect the delete method by default

simplify exempt checks
pallets-eco · Oct 13, 2016 · 2954c77 · 2954c77
1 parent 682e695
commit 2954c77
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/flask_wtf/csrf.py b/flask_wtf/csrf.py
@@ -98,7 +98,9 @@ def __init__(self, app=None):
     def init_app(self, app):
         app.config.setdefault('WTF_CSRF_ENABLED', True)
         app.config.setdefault('WTF_CSRF_CHECK_DEFAULT', True)
-        app.config.setdefault('WTF_CSRF_METHODS', ['POST', 'PUT', 'PATCH'])
+        app.config['WTF_CSRF_METHODS'] = set(app.config.get(
+            'WTF_CSRF_METHODS', ['POST', 'PUT', 'PATCH', 'DELETE']
+        ))
         app.config.setdefault('WTF_CSRF_HEADERS', ['X-CSRFToken', 'X-CSRF-Token'])
         app.config.setdefault('WTF_CSRF_SSL_STRICT', True)
 
@@ -125,14 +127,13 @@ def _csrf_protect():
             if not view:
                 return
 
-            if self._exempt_views or self._exempt_blueprints:
-                dest = '%s.%s' % (view.__module__, view.__name__)
+            if request.blueprint in self._exempt_blueprints:
+                return
 
-                if dest in self._exempt_views:
-                    return
+            dest = '%s.%s' % (view.__module__, view.__name__)
 
-                if request.blueprint in self._exempt_blueprints:
-                    return
+            if dest in self._exempt_views:
+                return
 
             self.protect()