It seems that there is a general problem how sqlachemy handling 'csrf_token' in forum related operations
How come? CSRF tokens are entirely managed by Flask-WTF.
Error message looks like sqlalchemy ... i face a lot of those in the past.
i've taken a look at the part where you pass it to sqlachlemy, looks like you pass along the whole wtf element which contains the csrf_token, too.
id = HiddenField()
def __init__(self, forum, *args, **kwargs):
self.forum = forum
kwargs['obj'] = self.forum
ForumForm.__init__(self, *args, **kwargs)
data = self.data
# remove the button
forum = Forum(**data)
# flush SQLA info from created instance so that it can be merged
maybe you just need to declare it in the models