wtforms · rauchy · Aug 16, 2020 · Aug 24, 2020
diff --git a/flask_wtf/csrf.py b/flask_wtf/csrf.py
@@ -213,16 +213,7 @@ def csrf_protect():
             if not request.endpoint:
                 return
 
-            if request.blueprint in self._exempt_blueprints:
-                return
-
-            view = app.view_functions.get(request.endpoint)
-            dest = f'{view.__module__}.{view.__name__}'
-
-            if dest in self._exempt_views:
-                return
-
-            self.protect()
+            self.protect(respect_exempts=True)
 
     def _get_csrf_token(self):
         # find the token in the form data
@@ -249,7 +240,15 @@ def _get_csrf_token(self):
 
         return None
 
-    def protect(self):
+    def protect(self, respect_exempts=False):
+        if respect_exempts:
+            if request.blueprint in self._exempt_blueprints:
+                return
+
+            view = current_app.view_functions.get(request.endpoint)
+            if view is not None and f'{view.__module__}.{view.__name__}' in self._exempt_views:
+                return
+
         if request.method not in current_app.config['WTF_CSRF_METHODS']:
             return
 

diff --git a/tests/test_csrf_extension.py b/tests/test_csrf_extension.py
@@ -132,6 +132,18 @@ def manual():
     assert response.status_code == 400
 
 
+def test_exempt_with_manual_protect(app, csrf, client):
+    app.config['WTF_CSRF_CHECK_DEFAULT'] = False
+
+    @app.route('/manual', methods=['POST'])
+    @csrf.exempt
+    def manual():
+        csrf.protect(respect_exempts=True)
+
+    response = client.post('/manual')
+    assert response.status_code == 200
+
+
 def test_exempt_blueprint(app, csrf, client):
     bp = Blueprint('exempt', __name__, url_prefix='/exempt')
     csrf.exempt(bp)