From eac925f740f8e0347753b7fec7d8baee0c51dc41 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Wed, 11 Mar 2026 17:23:39 +0300
Subject: [PATCH 01/12] fix the CSRF token on delete files and directories

---
 .../templates/bootstrap4/admin/file/list.html |   8 +-
 flask_admin/tests/fileadmin/test_fileadmin.py | 127 ++++++++++++++++++
 2 files changed, 131 insertions(+), 4 deletions(-)

diff --git a/flask_admin/templates/bootstrap4/admin/file/list.html b/flask_admin/templates/bootstrap4/admin/file/list.html
index dc9be0191f..2b63f2cbf7 100644
--- a/flask_admin/templates/bootstrap4/admin/file/list.html
+++ b/flask_admin/templates/bootstrap4/admin/file/list.html
@@ -86,8 +86,8 @@
                         {% if name != '..' and admin_view.can_delete_dirs %}
                         <form class="icon" method="POST" action="{{ get_url('.delete') }}">
                             {{ delete_form.path(value=path) }}
-                            {% if delete_form.csrf_token is defined and delete_form.csrf_token %}
-                            {{ delete_form.csrf_token }}
+                            {% if csrf_token is defined and csrf_token %}
+                              <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                             {% endif %}
                             <button onclick="return confirm('{{ _gettext('Are you sure you want to delete \\\'%(name)s\\\' recursively?', name=name) }}')">
                                 <i class="fa fa-times glyphicon glyphicon-remove"></i>
@@ -97,8 +97,8 @@
                     {% else %}
                     <form class="icon" method="POST" action="{{ get_url('.delete') }}">
                         {{ delete_form.path(value=path) }}
-                        {% if delete_form.csrf_token is defined and delete_form.csrf_token %}
-                        {{ delete_form.csrf_token }}
+                        {% if csrf_token is defined and csrf_token %}
+                          <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                         {% endif %}
                         <button onclick="return confirm('{{ _gettext('Are you sure you want to delete \\\'%(name)s\\\'?', name=name) }}')">
                             <i class="fa fa-trash glyphicon glyphicon-trash"></i>
diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index 955119e5fe..b3b6767075 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -2,6 +2,9 @@
 import os.path as op
 from io import BytesIO
 
+import pytest
+from flask_wtf.csrf import CSRFProtect
+
 from flask_admin import Admin
 from flask_admin.contrib import fileadmin
 from flask_admin.theme import Bootstrap4Theme
@@ -222,6 +225,130 @@ class EditModalOff(fileadmin_class):  # type: ignore[valid-type, misc]
             data = rv.data.decode("utf-8")
             assert "fa_modal_window" not in data
 
+        @pytest.mark.parametrize(
+            "page",
+            [
+                "/admin/fileadmin/",
+                "/admin/fileadmin/upload",
+                "/admin/fileadmin/rename/?path=dummy.txt",
+                "/admin/fileadmin/rename/?path=d1",
+                "/admin/fileadmin/mkdir",
+            ],
+        )
+        def test_csrf_token(self, app, admin, page):
+            # Cross-Site-Request-Forgery (CSRF) Protection
+            CSRFProtect(app)
+
+            def get_csrf_token(data):
+                data = data.split('type="hidden" name="csrf_token" value="')[1]
+                token = data.split('"')[0]
+                return token
+
+            view = fileadmin.FileAdmin(self._test_files_root, "/files")
+            admin.add_view(view)
+
+            client = app.test_client()
+
+            rv = client.get(page, follow_redirects=True)
+            data = rv.data.decode("utf-8")
+            assert rv.status_code == 200
+            assert 'name="csrf_token"' in data
+
+        def test_csrf_submit(self, app, admin):
+            # Cross-Site-Request-Forgery (CSRF) Protection
+            app.config["WTF_CSRF_ENABLED"] = True
+            CSRFProtect(app)
+
+            def get_csrf_token(page):
+                rv = client.get(page, follow_redirects=True)
+                data = rv.data.decode("utf-8")
+                data = data.split('type="hidden" name="csrf_token" value="')[1]
+                token = data.split('"')[0]
+                return token
+
+            view = fileadmin.FileAdmin(
+                self._test_files_root, "/files", endpoint="myfileadmin"
+            )
+            admin.add_view(view)
+
+            client = app.test_client()
+
+            # rename
+            assert os.path.exists(op.join(self._test_files_root, "dummy.txt"))
+
+            csrf_token = get_csrf_token("/admin/myfileadmin/rename/?path=dummy.txt")
+            rv = client.post(
+                "/admin/myfileadmin/rename/?path=dummy.txt",
+                data=dict(
+                    name="dummy_renamed.txt",
+                    path="dummy.txt",
+                ),
+            )
+            data = rv.data.decode("utf-8")
+            assert rv.status_code == 400
+
+            rv = client.post(
+                "/admin/myfileadmin/rename/?path=dummy.txt",
+                data=dict(
+                    name="dummy_renamed.txt", path="dummy.txt", csrf_token=csrf_token
+                ),
+                follow_redirects=True,
+            )
+            assert rv.status_code == 200
+            assert os.path.exists(op.join(self._test_files_root, "dummy_renamed.txt"))
+
+            rv = client.post(
+                "/admin/myfileadmin/upload/",
+                data=dict(upload=(BytesIO(b""), "dummy.txt"), csrf_token=csrf_token),
+                follow_redirects=True,
+            )
+            data = rv.data.decode("utf-8")
+            assert rv.status_code == 200
+            assert os.path.exists(op.join(self._test_files_root, "dummy.txt"))
+            assert "already exists." in data
+
+            # delete
+            rv = client.post(
+                "/admin/myfileadmin/delete/",
+                data=dict(path="dummy_renamed.txt", csrf_token=csrf_token),
+                follow_redirects=True,
+            )
+            assert rv.status_code == 200
+            assert not os.path.exists(
+                op.join(self._test_files_root, "dummy_renamed.txt")
+            )
+
+            # mkdir
+            rv = client.post(
+                "/admin/myfileadmin/mkdir/",
+                data=dict(name="dummy_dir", csrf_token=csrf_token),
+                follow_redirects=True,
+            )
+            assert rv.status_code == 200
+            assert os.path.exists(op.join(self._test_files_root, "dummy_dir"))
+
+            # rename - dir
+            rv = client.post(
+                "/admin/myfileadmin/rename/?path=dummy_dir",
+                data=dict(
+                    name="dummy_renamed_dir", path="dummy_dir", csrf_token=csrf_token
+                ),
+                follow_redirects=True,
+            )
+            assert rv.status_code == 200
+            assert os.path.exists(op.join(self._test_files_root, "dummy_renamed_dir"))
+
+            # delete - directory
+            rv = client.post(
+                "/admin/myfileadmin/delete/",
+                data=dict(path="dummy_renamed_dir", csrf_token=csrf_token),
+                follow_redirects=True,
+            )
+            assert rv.status_code == 200
+            assert not os.path.exists(
+                op.join(self._test_files_root, "dummy_renamed_dir")
+            )
+
 
 class TestLocalFileAdmin(Base.FileAdminTests):
     def fileadmin_class(self):

From 1ba10f69d19b34b41094c1ca109e0240f4fde897 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 10:09:30 +0300
Subject: [PATCH 02/12] use SecureForm

---
 .../templates/bootstrap4/admin/file/list.html | 14 ++++--
 flask_admin/tests/fileadmin/test_fileadmin.py | 50 +++++++++++--------
 2 files changed, 40 insertions(+), 24 deletions(-)

diff --git a/flask_admin/templates/bootstrap4/admin/file/list.html b/flask_admin/templates/bootstrap4/admin/file/list.html
index 2b63f2cbf7..d12244b683 100644
--- a/flask_admin/templates/bootstrap4/admin/file/list.html
+++ b/flask_admin/templates/bootstrap4/admin/file/list.html
@@ -86,8 +86,11 @@
                         {% if name != '..' and admin_view.can_delete_dirs %}
                         <form class="icon" method="POST" action="{{ get_url('.delete') }}">
                             {{ delete_form.path(value=path) }}
-                            {% if csrf_token is defined and csrf_token %}
-                              <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+
+                            {% if delete_form.csrf_token is defined and delete_form.csrf_token %}
+                              {{ delete_form.csrf_token }}
+                            {% elif csrf_token is defined and csrf_token %}
+                              <input name="csrf_token" type="hidden" value="{{ csrf_token() }}"/>
                             {% endif %}
                             <button onclick="return confirm('{{ _gettext('Are you sure you want to delete \\\'%(name)s\\\' recursively?', name=name) }}')">
                                 <i class="fa fa-times glyphicon glyphicon-remove"></i>
@@ -97,8 +100,11 @@
                     {% else %}
                     <form class="icon" method="POST" action="{{ get_url('.delete') }}">
                         {{ delete_form.path(value=path) }}
-                        {% if csrf_token is defined and csrf_token %}
-                          <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+
+                        {% if delete_form.csrf_token is defined and delete_form.csrf_token %}
+                          {{ delete_form.csrf_token }}
+                        {% elif csrf_token is defined and csrf_token %}
+                          <input name="csrf_token" type="hidden" value="{{ csrf_token() }}"/>
                         {% endif %}
                         <button onclick="return confirm('{{ _gettext('Are you sure you want to delete \\\'%(name)s\\\'?', name=name) }}')">
                             <i class="fa fa-trash glyphicon glyphicon-trash"></i>
diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index b3b6767075..be296b4cbb 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -3,13 +3,20 @@
 from io import BytesIO
 
 import pytest
-from flask_wtf.csrf import CSRFProtect
 
 from flask_admin import Admin
 from flask_admin.contrib import fileadmin
+from flask_admin.form import SecureForm
 from flask_admin.theme import Bootstrap4Theme
 
 
+class SecureFileAdmin(fileadmin.FileAdmin):
+    form_base_class = SecureForm
+
+    def is_accessible(self):
+        return True
+
+
 class Base:
     class FileAdminTests:
         _test_files_root = op.join(op.dirname(__file__), "files")
@@ -225,6 +232,11 @@ class EditModalOff(fileadmin_class):  # type: ignore[valid-type, misc]
             data = rv.data.decode("utf-8")
             assert "fa_modal_window" not in data
 
+        def get_csrf_token(self, data):
+            data = data.split('name="csrf_token" type="hidden" value="')[1]
+            token = data.split('"')[0]
+            return token
+
         @pytest.mark.parametrize(
             "page",
             [
@@ -237,14 +249,11 @@ class EditModalOff(fileadmin_class):  # type: ignore[valid-type, misc]
         )
         def test_csrf_token(self, app, admin, page):
             # Cross-Site-Request-Forgery (CSRF) Protection
-            CSRFProtect(app)
-
-            def get_csrf_token(data):
-                data = data.split('type="hidden" name="csrf_token" value="')[1]
-                token = data.split('"')[0]
-                return token
+            app.config["WTF_CSRF_ENABLED"] = True
 
-            view = fileadmin.FileAdmin(self._test_files_root, "/files")
+            view = SecureFileAdmin(
+                self._test_files_root, "/files", endpoint="fileadmin"
+            )
             admin.add_view(view)
 
             client = app.test_client()
@@ -253,30 +262,30 @@ def get_csrf_token(data):
             data = rv.data.decode("utf-8")
             assert rv.status_code == 200
             assert 'name="csrf_token"' in data
+            assert len(self.get_csrf_token(data)) == 56
 
         def test_csrf_submit(self, app, admin):
             # Cross-Site-Request-Forgery (CSRF) Protection
             app.config["WTF_CSRF_ENABLED"] = True
-            CSRFProtect(app)
-
-            def get_csrf_token(page):
-                rv = client.get(page, follow_redirects=True)
-                data = rv.data.decode("utf-8")
-                data = data.split('type="hidden" name="csrf_token" value="')[1]
-                token = data.split('"')[0]
-                return token
 
-            view = fileadmin.FileAdmin(
+            view = SecureFileAdmin(
                 self._test_files_root, "/files", endpoint="myfileadmin"
             )
             admin.add_view(view)
 
             client = app.test_client()
 
-            # rename
             assert os.path.exists(op.join(self._test_files_root, "dummy.txt"))
 
-            csrf_token = get_csrf_token("/admin/myfileadmin/rename/?path=dummy.txt")
+            # read the token
+            rv = client.get("/admin/myfileadmin", follow_redirects=True)
+            data = rv.data.decode("utf-8")
+            assert rv.status_code == 200
+            assert 'name="csrf_token"' in data
+            assert len(self.get_csrf_token(data)) == 56
+            csrf_token = self.get_csrf_token(data)
+
+            # rename
             rv = client.post(
                 "/admin/myfileadmin/rename/?path=dummy.txt",
                 data=dict(
@@ -285,7 +294,8 @@ def get_csrf_token(page):
                 ),
             )
             data = rv.data.decode("utf-8")
-            assert rv.status_code == 400
+            assert rv.status_code == 200
+            assert "CSRF token missing." in data
 
             rv = client.post(
                 "/admin/myfileadmin/rename/?path=dummy.txt",

From e59eecaee37b5abdf07d74ce258cd15e73d6284b Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 10:35:29 +0300
Subject: [PATCH 03/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index be296b4cbb..d0b0096d63 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -309,14 +309,21 @@ def test_csrf_submit(self, app, admin):
 
             rv = client.post(
                 "/admin/myfileadmin/upload/",
-                data=dict(upload=(BytesIO(b""), "dummy.txt"), csrf_token=csrf_token),
+                data=dict(
+                    upload=(BytesIO(b""), "dummy_renamed.txt"), csrf_token=csrf_token
+                ),
                 follow_redirects=True,
             )
             data = rv.data.decode("utf-8")
             assert rv.status_code == 200
-            assert os.path.exists(op.join(self._test_files_root, "dummy.txt"))
+            assert os.path.exists(op.join(self._test_files_root, "dummy_renamed.txt"))
             assert "already exists." in data
 
+            assert os.rename(
+                op.join(self._test_files_root, "dummy_renamed.txt"),
+                op.join(self._test_files_root, "dummy.txt"),
+            )
+
             # delete
             rv = client.post(
                 "/admin/myfileadmin/delete/",

From 2a04043179405eeacafc88470810d74061000ec1 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 10:48:41 +0300
Subject: [PATCH 04/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index d0b0096d63..5cdd8167ee 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -251,6 +251,8 @@ def test_csrf_token(self, app, admin, page):
             # Cross-Site-Request-Forgery (CSRF) Protection
             app.config["WTF_CSRF_ENABLED"] = True
 
+            os.makedirs(op.join(self._test_files_root, "d1"), exist_ok=True)
+
             view = SecureFileAdmin(
                 self._test_files_root, "/files", endpoint="fileadmin"
             )

From 5fd464187413d74881497aaf3afff3c4a0b5f96e Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 11:10:36 +0300
Subject: [PATCH 05/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index 5cdd8167ee..d9c3658cf9 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -321,10 +321,8 @@ def test_csrf_submit(self, app, admin):
             assert os.path.exists(op.join(self._test_files_root, "dummy_renamed.txt"))
             assert "already exists." in data
 
-            assert os.rename(
-                op.join(self._test_files_root, "dummy_renamed.txt"),
-                op.join(self._test_files_root, "dummy.txt"),
-            )
+            with open(op.join(self._test_files_root, "dummy.txt"), "w") as fp:
+                fp.write("new_string\n")
 
             # delete
             rv = client.post(

From 81e89b62db920bcd4c32e252e333f06e5b28f263 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 12:06:32 +0300
Subject: [PATCH 06/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 41 ++++++++++++-------
 1 file changed, 27 insertions(+), 14 deletions(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index d9c3658cf9..a652cbc3aa 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -10,13 +10,6 @@
 from flask_admin.theme import Bootstrap4Theme
 
 
-class SecureFileAdmin(fileadmin.FileAdmin):
-    form_base_class = SecureForm
-
-    def is_accessible(self):
-        return True
-
-
 class Base:
     class FileAdminTests:
         _test_files_root = op.join(op.dirname(__file__), "files")
@@ -253,9 +246,14 @@ def test_csrf_token(self, app, admin, page):
 
             os.makedirs(op.join(self._test_files_root, "d1"), exist_ok=True)
 
-            view = SecureFileAdmin(
-                self._test_files_root, "/files", endpoint="fileadmin"
-            )
+            fileadmin_class = self.fileadmin_class()
+            fileadmin_args, fileadmin_kwargs = self.fileadmin_args()
+
+            class SecureFileAdmin(fileadmin_class):  # type: ignore[valid-type, misc]
+                form_base_class = SecureForm
+
+            fileadmin_kwargs["endpoint"] = "fileadmin"
+            view = SecureFileAdmin(*fileadmin_args, **fileadmin_kwargs)
             admin.add_view(view)
 
             client = app.test_client()
@@ -266,13 +264,28 @@ def test_csrf_token(self, app, admin, page):
             assert 'name="csrf_token"' in data
             assert len(self.get_csrf_token(data)) == 56
 
-        def test_csrf_submit(self, app, admin):
+        def test_csrf_submit(self, app, admin, request):
             # Cross-Site-Request-Forgery (CSRF) Protection
             app.config["WTF_CSRF_ENABLED"] = True
 
-            view = SecureFileAdmin(
-                self._test_files_root, "/files", endpoint="myfileadmin"
-            )
+            def finalizer():
+                try:
+                    os.remove(op.join(self._test_files_root, "d1/dum.txt"))
+                    os.remove(op.join(self._test_files_root, "dummy_renamed.txt"))
+                    os.remove(op.join(self._test_files_root, "dummy2.txt"))
+                except OSError:
+                    pass
+
+            request.addfinalizer(finalizer)
+
+            fileadmin_class = self.fileadmin_class()
+            fileadmin_args, fileadmin_kwargs = self.fileadmin_args()
+
+            class SecureFileAdmin(fileadmin_class):  # type: ignore[valid-type, misc]
+                form_base_class = SecureForm
+
+            fileadmin_kwargs["endpoint"] = "fileadmin"
+            view = SecureFileAdmin(*fileadmin_args, **fileadmin_kwargs)
             admin.add_view(view)
 
             client = app.test_client()

From 882f0ec114c85b7c1f994a7df1bce1886119a317 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 12:28:55 +0300
Subject: [PATCH 07/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index a652cbc3aa..5b05572917 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -284,7 +284,10 @@ def finalizer():
             class SecureFileAdmin(fileadmin_class):  # type: ignore[valid-type, misc]
                 form_base_class = SecureForm
 
-            fileadmin_kwargs["endpoint"] = "fileadmin"
+                def is_accessible(self):
+                    return True
+
+            fileadmin_kwargs["endpoint"] = "myfileadmin"
             view = SecureFileAdmin(*fileadmin_args, **fileadmin_kwargs)
             admin.add_view(view)
 

From 8e5fcd388199ab6346fdc4782922472008fdb318 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 12:37:45 +0300
Subject: [PATCH 08/12] fix Azure initial files

---
 flask_admin/tests/fileadmin/test_fileadmin_azure.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin_azure.py b/flask_admin/tests/fileadmin/test_fileadmin_azure.py
index 56922b75df..c73a58248a 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin_azure.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin_azure.py
@@ -24,11 +24,13 @@ def setup_and_teardown(self):
             azure_connection_string
         )
         self._client.create_container(self._container_name)
-        file_name = "dummy.txt"
-        file_path = os.path.join(self._test_files_root, file_name)
-        blob_client = self._client.get_blob_client(self._container_name, file_name)
-        with open(file_path, "rb") as file:
-            blob_client.upload_blob(file)
+        for file_name in [("dummy.txt"), ("d1", "dum.txt")]:
+            file_path = os.path.join(self._test_files_root, *file_name)
+            blob_client = self._client.get_blob_client(
+                self._container_name, "/".join(file_name)
+            )
+            with open(file_path, "rb") as file:
+                blob_client.upload_blob(file)
 
         yield
 

From 8978304f135e4aefb0f290bb1582db236161b9f8 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 12:44:19 +0300
Subject: [PATCH 09/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin_azure.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin_azure.py b/flask_admin/tests/fileadmin/test_fileadmin_azure.py
index c73a58248a..06959fcf74 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin_azure.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin_azure.py
@@ -24,7 +24,7 @@ def setup_and_teardown(self):
             azure_connection_string
         )
         self._client.create_container(self._container_name)
-        for file_name in [("dummy.txt"), ("d1", "dum.txt")]:
+        for file_name in [["dummy.txt"], ["d1", "dum.txt"]]:
             file_path = os.path.join(self._test_files_root, *file_name)
             blob_client = self._client.get_blob_client(
                 self._container_name, "/".join(file_name)

From 8ba868649fe8e3b352310b7174bb868d661df475 Mon Sep 17 00:00:00 2001
From: Sami Alfattany <sami_alfattani@hotmail.com>
Date: Thu, 12 Mar 2026 13:06:39 +0300
Subject: [PATCH 10/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin_azure.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin_azure.py b/flask_admin/tests/fileadmin/test_fileadmin_azure.py
index 06959fcf74..ebe3e1bff1 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin_azure.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin_azure.py
@@ -26,9 +26,12 @@ def setup_and_teardown(self):
         self._client.create_container(self._container_name)
         for file_name in [["dummy.txt"], ["d1", "dum.txt"]]:
             file_path = os.path.join(self._test_files_root, *file_name)
-            blob_client = self._client.get_blob_client(
-                self._container_name, "/".join(file_name)
-            )
+            os.makedirs(os.path.dirname(file_path), exist_ok=True)
+            with open(file_path, "w") as f:
+                f.write("")
+
+            blob_path = "/".join(file_name)
+            blob_client = self._client.get_blob_client(self._container_name, blob_path)
             with open(file_path, "rb") as file:
                 blob_client.upload_blob(file)
 

From 4cd90ccf3603f6c46c196c74991679417e4b3632 Mon Sep 17 00:00:00 2001
From: Sami Alfattani <Sami_alfattani@hotmail.com>
Date: Sat, 14 Mar 2026 12:55:15 +0300
Subject: [PATCH 11/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 32 ++++++++++++-------
 .../tests/fileadmin/test_fileadmin_s3.py      |  1 +
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index 5b05572917..88549fc4d6 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -293,7 +293,9 @@ def is_accessible(self):
 
             client = app.test_client()
 
-            assert os.path.exists(op.join(self._test_files_root, "dummy.txt"))
+            assert "dummy.txt" in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
 
             # read the token
             rv = client.get("/admin/myfileadmin", follow_redirects=True)
@@ -323,7 +325,9 @@ def is_accessible(self):
                 follow_redirects=True,
             )
             assert rv.status_code == 200
-            assert os.path.exists(op.join(self._test_files_root, "dummy_renamed.txt"))
+            assert "dummy_renamed.txt" in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
 
             rv = client.post(
                 "/admin/myfileadmin/upload/",
@@ -334,7 +338,9 @@ def is_accessible(self):
             )
             data = rv.data.decode("utf-8")
             assert rv.status_code == 200
-            assert os.path.exists(op.join(self._test_files_root, "dummy_renamed.txt"))
+            assert "dummy_renamed.txt" in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
             assert "already exists." in data
 
             with open(op.join(self._test_files_root, "dummy.txt"), "w") as fp:
@@ -347,9 +353,9 @@ def is_accessible(self):
                 follow_redirects=True,
             )
             assert rv.status_code == 200
-            assert not os.path.exists(
-                op.join(self._test_files_root, "dummy_renamed.txt")
-            )
+            assert "dummy_renamed.txt" not in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
 
             # mkdir
             rv = client.post(
@@ -358,7 +364,9 @@ def is_accessible(self):
                 follow_redirects=True,
             )
             assert rv.status_code == 200
-            assert os.path.exists(op.join(self._test_files_root, "dummy_dir"))
+            assert "dummy_dir" in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
 
             # rename - dir
             rv = client.post(
@@ -369,7 +377,9 @@ def is_accessible(self):
                 follow_redirects=True,
             )
             assert rv.status_code == 200
-            assert os.path.exists(op.join(self._test_files_root, "dummy_renamed_dir"))
+            assert "dummy_renamed_dir" in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
 
             # delete - directory
             rv = client.post(
@@ -378,9 +388,9 @@ def is_accessible(self):
                 follow_redirects=True,
             )
             assert rv.status_code == 200
-            assert not os.path.exists(
-                op.join(self._test_files_root, "dummy_renamed_dir")
-            )
+            assert "dummy_renamed_dir" not in client.get(
+                "/admin/myfileadmin/", follow_redirects=True
+            ).data.decode("utf-8")
 
 
 class TestLocalFileAdmin(Base.FileAdminTests):
diff --git a/flask_admin/tests/fileadmin/test_fileadmin_s3.py b/flask_admin/tests/fileadmin/test_fileadmin_s3.py
index 47fe2fa3ae..320eae9a2e 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin_s3.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin_s3.py
@@ -18,6 +18,7 @@ def mock_s3_client():
         client = boto3.client("s3")
         client.create_bucket(Bucket=_bucket_name)
         client.upload_fileobj(BytesIO(b""), _bucket_name, "dummy.txt")
+        client.upload_fileobj(BytesIO(b""), _bucket_name, "d1/dum.txt")
         yield client
 
 

From 3770cffad164e4c4af6e6c3d67d55cc1166cbab0 Mon Sep 17 00:00:00 2001
From: Sami Alfattani <Sami_alfattani@hotmail.com>
Date: Wed, 18 Mar 2026 20:35:15 +0300
Subject: [PATCH 12/12] fix

---
 flask_admin/tests/fileadmin/test_fileadmin.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/flask_admin/tests/fileadmin/test_fileadmin.py b/flask_admin/tests/fileadmin/test_fileadmin.py
index 88549fc4d6..da5dc9d1a1 100644
--- a/flask_admin/tests/fileadmin/test_fileadmin.py
+++ b/flask_admin/tests/fileadmin/test_fileadmin.py
@@ -314,8 +314,9 @@ def is_accessible(self):
                 ),
             )
             data = rv.data.decode("utf-8")
+            data = data.split("</nav>")[1]
             assert rv.status_code == 200
-            assert "CSRF token missing." in data
+            assert "CSRF token missing" in data
 
             rv = client.post(
                 "/admin/myfileadmin/rename/?path=dummy.txt",