pallets-eco · rauchy · Aug 16, 2020 · Aug 24, 2020 · Apr 28, 2025
diff --git a/src/flask_wtf/csrf.py b/src/flask_wtf/csrf.py
@@ -217,16 +217,7 @@ def csrf_protect():
             if not request.endpoint:
                 return
 
-            if app.blueprints.get(request.blueprint) in self._exempt_blueprints:
-                return
-
-            view = app.view_functions.get(request.endpoint)
-            dest = f"{view.__module__}.{view.__name__}"
-
-            if dest in self._exempt_views:
-                return
-
-            self.protect()
+            self.protect(respect_exempts=True)
 
     def _get_csrf_token(self):
         # find the token in the form data
@@ -253,7 +244,16 @@ def _get_csrf_token(self):
 
         return None
 
-    def protect(self):
+    def protect(self, respect_exempts=False):
+        if respect_exempts:
+            if current_app.blueprints.get(request.blueprint) in self._exempt_blueprints:
+                return
+
+            view = current_app.view_functions.get(request.endpoint)
+            dest = f"{view.__module__}.{view.__name__}"
+            if view is not None and dest in self._exempt_views:
+                return
+
         if request.method not in current_app.config["WTF_CSRF_METHODS"]:
             return
 

diff --git a/tests/test_csrf_extension.py b/tests/test_csrf_extension.py
@@ -141,6 +141,18 @@ def manual():
     assert response.status_code == 400
 
 
+def test_exempt_with_manual_protect(app, csrf, client):
+    app.config["WTF_CSRF_CHECK_DEFAULT"] = False
+
+    @app.route("/manual", methods=["POST"])
+    @csrf.exempt
+    def manual():
+        csrf.protect(respect_exempts=True)
+
+    response = client.post("/manual")
+    assert response.status_code == 200
+
+
 def test_exempt_blueprint(app, csrf, client):
     bp = Blueprint("exempt", __name__, url_prefix="/exempt")
     csrf.exempt(bp)