authorAlexander Sulfrian <alex@spline.inf.fu-berlin.de>2014-11-18 05:47:53 +0100
committerAlexander Sulfrian <alex@spline.inf.fu-berlin.de>2014-11-19 02:15:56 +0100
commitb51620eb9502997a2f55a485e55e0e73f6450449 (patch)
tree437a39393185ae9641112323621a23c32c6388bc
parentbdb756fdc7e8391a786cf9e896ac78400b2d925e (diff)
forms: use Form from flask.ext.wtf as base for all forms
Form from flask.ext.wtf has automatic CSRF handling included. We need to hide these form fields, but we get extra security for nothing more.
-rw-r--r--forms.py5
-rw-r--r--templates/_formhelpers.html2
2 files changed, 4 insertions, 3 deletions
diff --git a/forms.py b/forms.py
index 1944eaa..844bf16 100644
--- a/forms.py
+++ b/forms.py
@@ -1,10 +1,11 @@
-from wtforms import From, HiddenField, validators
+from wtforms import HiddenField, validators
from utils import Unique
from models import Group
from wtfpeewee.orm import model_form
+from flask.ext.wtf import Form
-CreateGroup = model_form(Group, exclude=['api_id'], field_args={
+CreateGroup = model_form(Group, base_class=Form, exclude=['api_id'], field_args={
'name': {'validators': [
validators.Required(),
validators.Regexp('^[a-zA-Z1-9_-]+$', message=u'Invalid group name '
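Review bot: The CSRF check that `base_class=Form` adds to `CreateGroup` only takes effect when the app has a secret key configured and the view validates the form before acting on it; neither is visible in this hunk, so a comment above the `model_form` call would help, e.g. `# CSRF token comes from flask_wtf.Form; needs app secret key and form.validate() in the view`. The import is better written as `from flask_wtf import Form`, since the `flask.ext.*` redirect was deprecated and later removed from Flask. Separately, the context-line pattern `^[a-zA-Z1-9_-]+$` excludes the digit 0, which looks unintended, and `$` also matches before a trailing newline, so `\Z` may be what is wanted. The `model_form(...)` call continues past the end of the hunk.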
diff --git a/templates/_formhelpers.html b/templates/_formhelpers.html
index e50f482..f0fe7fe 100644
--- a/templates/_formhelpers.html
+++ b/templates/_formhelpers.html
@@ -1,5 +1,5 @@
{% macro render_field(field) %}
- {% if field.type == 'HiddenField' %}
+ {% if field.type in ['HiddenField', 'CSRFTokenField'] %}
{{ field()|safe }}
{% else %}
<div class="form-group {% if field.errors %}has-error{% endif %}">
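Review bot: Matching on the class-name string in `field.type in ['HiddenField', 'CSRFTokenField']` is brittle: if the token field's class is named differently in another wtforms/Flask-WTF version, it falls into the `else` branch and is rendered as a visible form-group. Checking the widget instead, e.g. `{% if field.widget.input_type == 'hidden' %}`, covers every hidden field without listing names. The hidden branch also renders only `field()`, so a failed CSRF validation would presumably leave the user with no error message; consider printing `field.errors` there as well. The macro body continues outside the hunk.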