Learn Flask (Python)


I’m currently working through the Learn Flask Python course. The course introduces how to protect a form from CSRF (cross-site request forgery).

However, later on, the course appears to be disabling this protection. Relevant code snippet below:

from flask import request, redirect, url_for, render_template
from flask_login import login_user

# login route
@app.route('/login', methods=['GET','POST'])
def login():
  form = LoginForm(csrf_enabled=False) ### appears to disable CSRF protection
  if form.validate_on_submit():
    user = User.query.filter_by(email=form.email.data).first()
    if user and user.check_password(form.password.data):
      login_user(user, remember=form.remember.data)
      next_page = request.args.get('next')
      return redirect(next_page) if next_page else redirect(url_for('index', _external=True, _scheme='https'))
    # wrong email or password: send the user back to the login page
    return redirect(url_for('login', _external=True, _scheme='https'))
  return render_template('login.html', form=form)

Line 4 appears to disable the CSRF protection.

Surely this cannot be correct? I’ve looked at the Flask documentation and it does appear that this will disable it. Can anyone explain why this line of code has been included and if I’m missing something about how this works?
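To make concrete what `csrf_enabled=False` switches off, here is an added example (not code from the course, the post above, or Flask-WTF itself) that models the synchronizer-token check a Flask-WTF form performs inside `validate_on_submit()` when CSRF protection is on. The token is an HMAC over a per-session nonce keyed with the application's secret, so a form served from another origin cannot produce one; with the check disabled, a POST carrying no token at all reaches the credential logic. The `SECRET_KEY`, the session dictionary, the stand-in credential check and the form payloads are all constructed for the demo, and `handle_login_post` is a hypothetical model of the `/login` view, not the course's function.

```python
"""Model of the CSRF token check that Flask-WTF runs for a form unless it
is constructed with csrf_enabled=False (added example; standard library only).
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for app.config['SECRET_KEY'].
SECRET_KEY = b"constructed-secret-key-for-demo"


def issue_csrf_token(session: dict) -> str:
    """Store a random nonce in the session and return the signed token that
    the template would embed as the hidden csrf_token field."""
    if "csrf_nonce" not in session:
        session["csrf_nonce"] = secrets.token_hex(16)
    sig = hmac.new(SECRET_KEY, session["csrf_nonce"].encode(), hashlib.sha256).hexdigest()
    return f"{session['csrf_nonce']}.{sig}"


def validate_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only a well-formed token signed with our key and bound to this
    session; everything else (missing, tampered, other session) is rejected."""
    if not submitted or "." not in submitted:
        return False
    nonce, sig = submitted.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return hmac.compare_digest(nonce.encode(), session.get("csrf_nonce", "").encode())


def handle_login_post(session: dict, form_data: dict, csrf_enabled: bool = True) -> str:
    """Hypothetical model of the POST branch of the /login view.

    With csrf_enabled=True the token is checked before the credentials are
    looked at; with csrf_enabled=False (the course's setting) that check is
    skipped and any POST goes straight to the credential check."""
    if csrf_enabled and not validate_csrf_token(session, form_data.get("csrf_token")):
        return "rejected: csrf"
    # Constructed stand-in for User.query(...) / user.check_password(...).
    if form_data.get("email") == "alice@example.com" and form_data.get("password") == "correct horse":
        return "logged in"
    return "redirect: login"


def demo() -> dict:
    """Run the same credentials through the view with and without the check."""
    session = {}
    token = issue_csrf_token(session)          # what the rendered login page carries
    creds = {"email": "alice@example.com", "password": "correct horse"}

    with_token = dict(creds, csrf_token=token)
    without_token = dict(creds)                # POST from a page that never saw the token
    other_session = {}
    foreign_token = dict(creds, csrf_token=issue_csrf_token(other_session))

    return {
        "with_token_enabled": handle_login_post(session, with_token),
        "missing_token_enabled": handle_login_post(session, without_token),
        "foreign_token_enabled": handle_login_post(session, foreign_token),
        "missing_token_disabled": handle_login_post(session, without_token, csrf_enabled=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The last line of the demo is the situation the poster is worried about: once the check is off, the view cannot tell a POST that came from its own login page apart from one that did not. In real Flask-WTF the equivalent knobs are the `WTF_CSRF_ENABLED` config value (commonly set to `False` only in a test configuration) and, for a single form, the form's `meta={'csrf': False}` argument that replaced the older `csrf_enabled` parameter; neither belongs in a production login route.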