Specify fixed locals for rendered templates by default, disable with use_template_fixed_locals? false

This is designed to work with the fixed locals support added to
Roda, in applications that specify default fixed locals for
templates using the :template_opts option to Roda's render
plugin.  A recommended practice for Roda going forward is to
specify that templates do not accept local variables by default,
and force templates that accept local variables to specify which
local variables are accepted:

  plugin :render, template_opts: {
      default_fixed_locals: '()',
      extract_fixed_locals: true
    }

This change allows Rodauth to work with such a recommendation,
by specifying that Rodauth templates take the rodauth local
variable (and the button template takes the value and opts
local variables). In cases where the user is passing additional
local variables via the :locals option, the assumption is they
are using their own templates, in which case Rodauth shouldn't
specify the fixed locals, so Rodauth doesn't set fixed locals
in that case.  There may be other cases where Rodauth shouldn't
set fixed locals, and for those cases, the
use_template_fixed_locals? false configuration method can be used.

If the Roda and Tilt versions support fixed locals, this run the
tests with fixed locals on by default.

Author: jeremyevans

CHANGELOG

@@ -1,5 +1,7 @@
 === master
 
+* Specify fixed locals for rendered templates by default, disable with use_template_fixed_locals? false (jeremyevans)
+
 * Make rodauth.has_password? method public (enescakir) (#461)
 
 * Use JWT.gem_version to check jwt gem version, for compatibility with jwt 2.10.0 (janko) (#462)

doc/base.rdoc

@@ -82,6 +82,7 @@ unopen_account_error_status :: The response status to use when trying to login t
 use_database_authentication_functions? :: Whether to use functions to do authentication.  True by default on PostgreSQL, MySQL, and Microsoft SQL Server, false otherwise.
 use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded into the database.  Defaults to whether deadline values should be set.
 use_request_specific_csrf_tokens? :: Whether to use request-specific CSRF tokens.  True if the default CSRF setting are used.
+use_template_fixed_locals? :: Whether to specify fixed locals for rodauth templates.  True by default, should only be set to false if overriding the templates and having them accept different local variables.
 
 == Auth Methods
 

lib/rodauth/features/base.rb

@@ -67,6 +67,7 @@ module Rodauth
     auth_value_method :unopen_account_error_status, 403
     translatable_method :unverified_account_message, "unverified account, please verify account before logging in"
     auth_value_method :default_field_attributes, ''
+    auth_value_method :use_template_fixed_locals?, true
 
     redirect(:require_login){"#{prefix}/login"}
 
@@ -409,6 +410,7 @@ def csrf_tag(path=request.path)
 
     def button_opts(value, opts)
       opts = Hash[template_opts].merge!(opts)
+      _merge_fixed_locals_opts(opts, '(value:, opts:)')
       opts[:locals] = {:value=>value, :opts=>opts}
       opts[:cache] = cache_templates
       opts[:cache_key] = :rodauth_button
@@ -912,13 +914,22 @@ def update_account(values, ds=account_ds)
 
     def _view_opts(page)
       opts = template_opts.dup
+      _merge_fixed_locals_opts(opts, '(rodauth: self.rodauth)')
       opts[:locals] = opts[:locals] ? opts[:locals].dup : {}
       opts[:locals][:rodauth] = self
       opts[:cache] = cache_templates
       opts[:cache_key] = :"rodauth_#{page}"
       _template_opts(opts, page)
     end
 
+    def _merge_fixed_locals_opts(opts, fixed_locals)
+      if use_template_fixed_locals? && !opts[:locals]
+        fixed_locals_opts = {default_fixed_locals: fixed_locals}
+        fixed_locals_opts.merge!(opts[:template_opts]) if opts[:template_opts]
+        opts[:template_opts] = fixed_locals_opts
+      end
+    end
+
     # Set the template path only if there isn't an overridden template in the application.
     # Result should replace existing template opts.
     def _template_opts(opts, page)

spec/rodauth_spec.rb

@@ -74,6 +74,40 @@
     page.title.must_equal 'Foo Login'
   end
 
+  it "should disabled setting default_fixed_locals if use_template_fixed_locals? false" do
+    rodauth do
+      enable :login
+      use_template_fixed_locals? false
+    end
+    roda do |r|
+      r.rodauth
+    end
+
+    if app.render_opts[:template_opts][:default_fixed_locals]
+      proc{visit '/login'}.must_raise ArgumentError
+    else
+      visit '/login'
+      page.title.must_equal 'Login'
+    end
+  end
+
+  it "should allow overriding fixed_locals via template_opts" do
+    rodauth do
+      enable :login
+      template_opts(template_opts: {fixed_locals: "()"})
+    end
+    roda do |r|
+      r.rodauth
+    end
+
+    if app.render_opts[:template_opts][:default_fixed_locals]
+      proc{visit '/login'}.must_raise ArgumentError
+    else
+      visit '/login'
+      page.title.must_equal 'Login'
+    end
+  end
+
   it "should support flash_error_key and flash_notice_key" do
     rodauth do
       enable :login
@@ -910,7 +944,7 @@ def foo
     auth = nil
     rodauth do
       enable :login
-      template_opts(:locals=>{a: 1})
+      template_opts(:locals=>{a: 1}, :template_opts=>{:fixed_locals=>false})
     end
     roda(:no_csrf) do |r|
       r.rodauth

spec/spec_helper.rb

@@ -217,7 +217,12 @@ def roda(type=nil, &block)
     app.opts[:verbatim_string_matcher] = true
     rodauth_block = @rodauth_block
     opts = rodauth_opts(type)
-    app.plugin :render, :template_opts=>{:freeze => true} if ENV['RODAUTH_TEMPLATE_FREEZE']
+    template_opts = {}
+    template_opts[:freeze] = true if ENV['RODAUTH_TEMPLATE_FREEZE']
+    if Tilt::Template.method_defined?(:fixed_locals?) && defined?(Roda::RodaPlugins::Render::FIXED_LOCALS_COMPILED_METHOD_SUPPORT)
+      template_opts[:default_fixed_locals] = '()'
+    end
+    app.plugin :render, :template_opts=>template_opts
 
     if json || jwt
       opts[:json] = jwt_only ? :only : true