Add setting to isolate components' context by default

2025-08-03 13:58:16 +00:00 · 2024-01-12 16:05:44 +01:00 · 2024-01-12 16:05:44 +01:00 · 4da76c178b
commit 4da76c178b
parent 93facba53e
4 changed files with 130 additions and 50 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
 # django-components
+
 <a href="https://github.com/EmilStenstrom/django-components/actions?query=workflow%3A%22Run+tests%22"><img align="right" src="https://github.com/EmilStenstrom/django-components/workflows/Run%20tests/badge.svg" alt="Show test status"></a>
 <a href="https://pepy.tech/project/django-components"><img align="right" src="https://pepy.tech/badge/django-components" alt="Show download stats"></a>

@ -20,19 +21,19 @@ Read on to learn about the details!

 ## Release notes

-*Version 0.28* introduces 'implicit' slot filling and the `default` option for `slot` tags.
+_Version 0.28_ introduces 'implicit' slot filling and the `default` option for `slot` tags.

-*Version 0.27* adds a second installable app: *django_components.safer_staticfiles*. It provides the same behavior as *django.contrib.staticfiles* but with extra security guarantees (more info below in Security Notes).
+_Version 0.27_ adds a second installable app: _django_components.safer_staticfiles_. It provides the same behavior as _django.contrib.staticfiles_ but with extra security guarantees (more info below in Security Notes).

-*Version 0.26* changes the syntax for `{% slot %}` tags. From now on, we separate defining a slot (`{% slot %}`) from filling a slot with content (`{% fill %}`). This means you will likely need to change a lot of slot tags to fill. We understand this is annoying, but it's the only way we can get support for nested slots that fill in other slots, which is a very nice feature to have access to. Hoping that this will feel worth it!
+_Version 0.26_ changes the syntax for `{% slot %}` tags. From now on, we separate defining a slot (`{% slot %}`) from filling a slot with content (`{% fill %}`). This means you will likely need to change a lot of slot tags to fill. We understand this is annoying, but it's the only way we can get support for nested slots that fill in other slots, which is a very nice feature to have access to. Hoping that this will feel worth it!

-*Version 0.22* starts autoimporting all files inside components subdirectores, to simplify setup. An existing project might start to get AlreadyRegistered-errors because of this. To solve this, either remove your custom loading of components, or set "autodiscover": False in settings.COMPONENTS.
+_Version 0.22_ starts autoimporting all files inside components subdirectores, to simplify setup. An existing project might start to get AlreadyRegistered-errors because of this. To solve this, either remove your custom loading of components, or set "autodiscover": False in settings.COMPONENTS.

-*Version 0.17* renames `Component.context` and `Component.template` to `get_context_data` and `get_template_name`. The old methods still work, but emit a deprecation warning. This change was done to sync naming with Django's class based views, and make using django-components more familiar to Django users. `Component.context` and `Component.template` will be removed when version 1.0 is released.
+_Version 0.17_ renames `Component.context` and `Component.template` to `get_context_data` and `get_template_name`. The old methods still work, but emit a deprecation warning. This change was done to sync naming with Django's class based views, and make using django-components more familiar to Django users. `Component.context` and `Component.template` will be removed when version 1.0 is released.

 ## Security notes 🚨

-*You are advised to read this section before using django-components in production.*
+_You are advised to read this section before using django-components in production._

 ### Static files

@ -42,12 +43,12 @@ This means that files containing backend logic, such as Python modules and HTML

 If your are using _django.contrib.staticfiles_ to collect static files, no distinction is made between the different kinds of files.
 As a result, your Python code and templates may inadvertently become available on your static file server.
-You probably don't want this, as parts of your backend logic will be exposed, posing a __potential security vulnerability__.
+You probably don't want this, as parts of your backend logic will be exposed, posing a **potential security vulnerability**.

-As of *v0.27*, django-components ships with an additional installable app *django_components.__safer_staticfiles__*.
-It is a drop-in replacement for *django.contrib.staticfiles*.
+As of _v0.27_, django-components ships with an additional installable app _django_components.**safer_staticfiles**_.
+It is a drop-in replacement for _django.contrib.staticfiles_.
 Its behavior is 100% identical except it ignores .py and .html files, meaning these will not end up on your static files server.
-To use it, add it to INSTALLED_APPS and remove _django.contrib.staticfiles_.
+To use it, add it to INSTALLED*APPS and remove \_django.contrib.staticfiles*.

 ```python
 INSTALLED_APPS = [
@ -64,7 +65,7 @@ Both routes are described in the official [docs of the _staticfiles_ app](https:

 Install the app into your environment:

-> ```pip install django_components```
+> `pip install django_components`

 Then add the app into INSTALLED_APPS in settings.py

@ -76,7 +77,8 @@ INSTALLED_APPS = [
 ```

 Modify `TEMPLATES` section of settings.py as follows:
- *Remove `'APP_DIRS': True,`*
+
+- _Remove `'APP_DIRS': True,`_
 - add `loaders` to `OPTIONS` list and set it to following value:

 ```python
@ -110,7 +112,7 @@ STATICFILES_DIRS = [

 ### Optional

-To avoid loading the app in each template using ``` {% load django_components %} ```, you can add the tag as a 'builtin' in settings.py
+To avoid loading the app in each template using `{% load django_components %}`, you can add the tag as a 'builtin' in settings.py

 ```python
 TEMPLATES = [
@ -134,15 +136,15 @@ Read on to find out how to build your first component!

 Django-components supports all <a href="https://docs.djangoproject.com/en/dev/faq/install/#what-python-version-can-i-use-with-django">officially supported versions</a> of Django and Python.

-| Python version | Django version           |
-|----------------|--------------------------|
-| 3.6            | 3.2                      |
-| 3.7            | 3.2                      |
-| 3.8            | 3.2, 4.0, 4.1, 4.2       |
-| 3.9            | 3.2, 4.0, 4.1, 4.2       |
-| 3.10           | 3.2, 4.0, 4.1, 4.2, 5.0  |
-| 3.11           | 4.1, 4.2, 5.0            |
-| 3.12           | 4.2, 5.0                 |
+| Python version | Django version          |
+| -------------- | ----------------------- |
+| 3.6            | 3.2                     |
+| 3.7            | 3.2                     |
+| 3.8            | 3.2, 4.0, 4.1, 4.2      |
+| 3.9            | 3.2, 4.0, 4.1, 4.2      |
+| 3.10           | 3.2, 4.0, 4.1, 4.2, 5.0 |
+| 3.11           | 4.1, 4.2, 5.0           |
+| 3.12           | 4.2, 5.0                |

 ## Create your first component

@ -156,19 +158,26 @@ First you need a CSS file. Be sure to prefix all rules with a unique class so th

 ```css
 /* In a file called [project root]/components/calendar/style.css */
-.calendar-component { width: 200px; background: pink; }
-.calendar-component span { font-weight: bold; }
+.calendar-component {
+  width: 200px;
+  background: pink;
+}
+.calendar-component span {
+  font-weight: bold;
+}
 ```

 Then you need a javascript file that specifies how you interact with this component. You are free to use any javascript framework you want. A good way to make sure this component doesn't clash with other components is to define all code inside an anonymous function that calls itself. This makes all variables defined only be defined inside this component and not affect other components.

 ```js
 /* In a file called [project root]/components/calendar/script.js */
-(function(){
-    if (document.querySelector(".calendar-component")) {
-        document.querySelector(".calendar-component").onclick = function(){ alert("Clicked calendar!"); };
-    }
-})()
+(function () {
+  if (document.querySelector(".calendar-component")) {
+    document.querySelector(".calendar-component").onclick = function () {
+      alert("Clicked calendar!");
+    };
+  }
+})();
 ```

 Now you need a Django template for your component. Feel free to define more variables like `date` in this example. When creating an instance of this component we will send in the values for these variables. The template will be rendered with whatever template backend you've specified in your Django settings file.
@ -229,15 +238,18 @@ The output from the above template will be:
 ```html
 <!DOCTYPE html>
 <html>
-<head>
+  <head>
    <title>My example calendar</title>
-    <link href="style.css" type="text/css" media="all" rel="stylesheet">
-</head>
-<body>
-    <div class="calendar-component">Today's date is <span>2015-06-19</span></div>
+    <link href="style.css" type="text/css" media="all" rel="stylesheet" />
+  </head>
+  <body>
+    <div class="calendar-component">
+      Today's date is <span>2015-06-19</span>
+    </div>
    <script src="script.js"></script>
-</body>
-<html>
+  </body>
+  <html></html>
+</html>
 ```

 This makes it possible to organize your front-end around reusable components. Instead of relying on template tags and keeping your CSS and Javascript in the static directory.
@ -362,12 +374,8 @@ The rendered result (exactly the same as before):

 ```html
 <div class="calendar-component">
-    <div class="header">
-        Calendar header
-    </div>
-    <div class="body">
-        Can you believe it's already <span>2020-06-06</span>??
-    </div>
+  <div class="header">Calendar header</div>
+  <div class="body">Can you believe it's already <span>2020-06-06</span>??</div>
 </div>
 ```

@ -403,7 +411,6 @@ This is fine too:
 {% endcomponent_block %}
 ```

-
 ### Advanced

 #### Re-using content defined in the original slot
@ -429,7 +436,6 @@ Produces:
 </div>
 ```

-
 #### Conditional slots

 _Added in version 0.26._
@ -455,11 +461,8 @@ explicit fills, the div containing the slot is still rendered, as shown below:

 ```html
 <div class="frontmatter-component">
-    <div class="title">
-        Title
-    </div>
-    <div class="subtitle">
-    </div>
+  <div class="title">Title</div>
+  <div class="subtitle"></div>
 </div>
 ```

@ -556,6 +559,7 @@ NOTE: `{% csrf_token %}` tags need access to the top-level context, and they wil

 Components can also access the outer context in their context methods by accessing the property `outer_context`.

+You can also use the `isolate_component_context` setting to make all components isolated by default. This is useful if you want to make sure that components don't accidentally access the outer context.

 ## Available settings

@ -595,6 +599,16 @@ COMPONENTS = {
 }
 ```

+### Isolate components' context by default
+
+If you'd like to prevent components from accessing the outer context by default, you can set the `isolate_component_context` setting to `True`. This is useful if you want to make sure that components don't accidentally access the outer context.
+
+```python
+COMPONENTS = {
+    "isolate_component_context": True,
+}
+```
+
 ## Management Command

 You can use the built-in management command `startcomponent` to create a django component. The command accepts the following arguments and options:
@ -702,4 +716,3 @@ pyenv install -s 3.12
 pyenv local 3.6 3.7 3.8 3.9 3.10 3.11 3.12
 tox -p
 ```
-
--- a/django_components/app_settings.py
+++ b/django_components/app_settings.py
@ -17,5 +17,9 @@ class AppSettings:
    def TEMPLATE_CACHE_SIZE(self):
        return self.settings.setdefault("template_cache_size", 128)

+    @property
+    def ISOLATE_COMPONENT_CONTEXT(self):
+        return self.settings.setdefault("isolate_component_context", False)
+

 app_settings = AppSettings()
--- a/django_components/templatetags/component_tags.py
+++ b/django_components/templatetags/component_tags.py
@ -21,6 +21,7 @@ from django.template.exceptions import TemplateSyntaxError
 from django.template.library import parse_bits
 from django.utils.safestring import mark_safe

+from django_components.app_settings import app_settings
 from django_components.component_registry import ComponentRegistry
 from django_components.component_registry import registry as component_registry
 from django_components.middleware import (
@ -155,6 +156,7 @@ def component_js_dependencies_tag(preload=""):
 def do_component(parser, token):
    bits = token.split_contents()
    bits, isolated_context = check_for_isolated_context_keyword(bits)
+
    component_name, context_args, context_kwargs = parse_component_with_args(
        parser, bits, "component"
    )
@ -770,6 +772,10 @@ def check_for_isolated_context_keyword(bits):

    if bits[-1] == "only":
        return bits[:-1], True
+
+    if app_settings.ISOLATE_COMPONENT_CONTEXT:
+        return bits, True
+
    return bits, False


--- a/tests/test_context.py
+++ b/tests/test_context.py
@ -1,3 +1,5 @@
+from unittest.mock import PropertyMock, patch
+
 from django.template import Context, Template

 from django_components import component
@ -433,6 +435,61 @@ class IsolatedContextTests(SimpleTestCase):
        self.assertNotIn("outer_value", rendered, rendered)


+class IsolatedContextSettingTests(SimpleTestCase):
+    def setUp(self):
+        self.patcher = patch(
+            "django_components.app_settings.AppSettings.ISOLATE_COMPONENT_CONTEXT",
+            new_callable=PropertyMock,
+        )
+        self.mock_isolate_context = self.patcher.start()
+        self.mock_isolate_context.return_value = True
+
+    def tearDown(self):
+        self.patcher.stop()
+
+    def test_component_tag_includes_variable_with_isolated_context_from_settings(
+        self,
+    ):
+        template = Template(
+            "{% load component_tags %}{% component_dependencies %}"
+            "{% component 'simple_component' variable %}"
+        )
+        rendered = template.render(Context({"variable": "outer_value"}))
+        self.assertIn("outer_value", rendered, rendered)
+
+    def test_component_tag_excludes_variable_with_isolated_context_from_settings(
+        self,
+    ):
+        template = Template(
+            "{% load component_tags %}{% component_dependencies %}"
+            "{% component 'simple_component' %}"
+        )
+        rendered = template.render(Context({"variable": "outer_value"}))
+        self.assertNotIn("outer_value", rendered, rendered)
+
+    def test_component_block_includes_variable_with_isolated_context_from_settings(
+        self,
+    ):
+        template = Template(
+            "{% load component_tags %}{% component_dependencies %}"
+            "{% component_block 'simple_component' variable %}"
+            "{% endcomponent_block %}"
+        )
+        rendered = template.render(Context({"variable": "outer_value"}))
+        self.assertIn("outer_value", rendered, rendered)
+
+    def test_component_block_excludes_variable_with_isolated_context_from_settings(
+        self,
+    ):
+        template = Template(
+            "{% load component_tags %}{% component_dependencies %}"
+            "{% component_block 'simple_component' %}"
+            "{% endcomponent_block %}"
+        )
+        rendered = template.render(Context({"variable": "outer_value"}))
+        self.assertNotIn("outer_value", rendered, rendered)
+
+
 class OuterContextPropertyTests(SimpleTestCase):
    def test_outer_context_property_with_component(self):
        template = Template(