Should EmbeddedDocument converted into Forms have their own CSRF tokens?
I'm not 100% sure if this is by design, but assume this model:
from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField
from flask_mongoengine.wtf import model_form

class B(EmbeddedDocument):
    ...

class A(Document):
    b = EmbeddedDocumentField(B)

form_class = model_form(A)
As model_form() uses the secured form from flask-wtf as base class, this will create CSRF token fields not only for the parent form (A) but also for each embedded document. In practice, even though I use only one view to edit the complete form, I need to manually add a CSRF token form call in the template for each of the embedded documents. So with a document with 6 embedded documents, that's 7 separate CSRF codes. CSRF can be turned off by passing csrf_enabled=False to the constructor of the Form, but as I'm only explicitly calling the parent form A and still want it CSRF enabled, there is no way that I can see to make CSRF not appear for FormFields.
Is this intentional, am I missing a solution or is it something worth fixing in the codebase?
I'm having the same issue... can't find a way to hide the token when I render forms with Embedded Documents...
The only solution I found just now is to create a form for each embedded document and exclude all the common fields.
Seeing the same; it would be strange if entities intended to be nested in a single form would require their own CSRF.
I guess it is not intentional. I also think one CSRF for the parent form would be nice.
Anyone have any idea what would need to be done to resolve this? I'm not familiar with the codebase.