From 2c04d3c25098d15c9cc6f30a70f787eae6899c74 Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin <maximebeauchemin@gmail.com>
Date: Wed, 5 Apr 2017 12:01:17 -0700
Subject: [PATCH] [bugfix] save dash fails with CSRF related error (#2552)

---
 superset/assets/javascripts/dashboard/Dashboard.jsx | 1 +
 superset/templates/superset/basic.html              | 7 ++++++-
 superset/templates/superset/dashboard.html          | 6 ++++++
 superset/views/core.py                              | 3 ---
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/superset/assets/javascripts/dashboard/Dashboard.jsx b/superset/assets/javascripts/dashboard/Dashboard.jsx
index 73348a4621..dc02a7ef14 100644
--- a/superset/assets/javascripts/dashboard/Dashboard.jsx
+++ b/superset/assets/javascripts/dashboard/Dashboard.jsx
@@ -336,6 +336,7 @@ export function dashboardContainer(dashboard) {
 
 $(document).ready(() => {
   // Getting bootstrapped data from the DOM
+  utils.initJQueryAjaxCSRF();
   const dashboardData = $('.dashboard').data('dashboard');
   const contextData = $('.dashboard').data('context');
 
diff --git a/superset/templates/superset/basic.html b/superset/templates/superset/basic.html
index d07fa665fe..a2e9200c64 100644
--- a/superset/templates/superset/basic.html
+++ b/superset/templates/superset/basic.html
@@ -38,7 +38,12 @@
       <div id="app" data-bootstrap="{{ bootstrap_data }}" >
         <img src="/static/assets/images/loading.gif" style="width: 50px; margin: 10px;">
       </div>
-      {{ csrf_token() if csrf_token else None }}
+      <input
+        type="hidden"
+        name="csrf_token"
+        id="csrf_token"
+        value="{{ csrf_token() if csrf_token else '' }}"
+      >
     {% endblock %}
 
     <!-- Modal for misc messages / alerts  -->
diff --git a/superset/templates/superset/dashboard.html b/superset/templates/superset/dashboard.html
index f899d6fa0a..ae203ba3b1 100644
--- a/superset/templates/superset/dashboard.html
+++ b/superset/templates/superset/dashboard.html
@@ -22,4 +22,10 @@
   <div id="grid-container" class="slice-grid gridster"></div>
 
 </div>
+<input
+  type="hidden"
+  name="csrf_token"
+  id="csrf_token"
+  value="{{ csrf_token() if csrf_token else '' }}"
+>
 {% endblock %}
diff --git a/superset/views/core.py b/superset/views/core.py
index 70d220f59d..a3b708f2a6 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -2198,11 +2198,8 @@ class Superset(BaseSupersetView):
         d = {
             'defaultDbId': config.get('SQLLAB_DEFAULT_DBID'),
         }
-        from flask_wtf import FlaskForm
-        ff = FlaskForm()
         return self.render_template(
             'superset/sqllab.html',
-            csrf_token=ff.csrf_token,
             bootstrap_data=json.dumps(d, default=utils.json_iso_dttm_ser)
         )
 appbuilder.add_view_no_menu(Superset)