Make ReflectionProperty#setAccessible() and ReflectionMethod#setAccessible() no-op
#5412
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'd probably also add a deprecation if |
|
Similar to #5411 (comment), I would probably open an alternate PR to add the deprecation there. Effectively 3 levels:
|
Ocramius
force-pushed
the
feature/remove-effects-of-reflection-property-and-method-accessibility
branch
2 times, most recently
from
46751dc to
f3fb39a
Compare
|
EDIT: deferred to later RFC about removal of |
|
@Ocramius imho the dependency on the attribute RFC is not really there, ad it would also trigger the runtime deprecation. Marking the method as deprecated is PHP project convention, so your preference against runtime deprecations is ranked lower here :) |
EDIT: I've explicitly deferred the deprecation to a future RFC: any inter-dependencies and side-effects are valuable/to be discussed for 8.2+. |
…otected` symbols by default With this patch, it is no longer required to call `ReflectionProperty#setAccessible()` or `ReflectionMethod#setAccessible()` with `true`. If a userland consumer already got to the point of accessing object/class information via reflection, it makes little sense for `ext/reflection` to disallow accessing `private`/`protected` symbols by default. After this patch, calling `ReflectionProperty#setAccessible(true)` or `ReflectionMethod#setAccessible(true)` on newly instantiated `ReflectionProperty` or `ReflectionMethod` respectively will have no effect. Full RFC text for the voted upon https://wiki.php.net/rfc/make-reflection-setaccessible-no-op is as follows: ``` ====== PHP RFC: Make reflection setAccessible() no-op ====== * Version: 1.0 * Date: 2021-06-13 * Author: Marco Pivetta * Status: Accepted * First Published at: https://wiki.php.net/rfc/make-reflection-setaccessible-no-op ===== Introduction ===== The `ext-reflection` API is designed to inspect static details of a code-base, as well as reading and manipulating runtime state and calling internal details of objects that are otherwise inaccessible. These methods are most notably: * `ReflectionMethod#invoke(): mixed` * `ReflectionMethod#invokeArgs(mixed ...$args): mixed` * `ReflectionProperty#getValue(object $object): mixed` * `ReflectionProperty#setValue(object $object, mixed $value): void` While breaking encapsulation principles that allow for safe coding practices, these methods are extremely valuable to tools like: * mappers * serializers * debuggers * etc. Infrastructural instrumentation is often required to do things that are in direct conflict with encapsulation itself. The 4 methods listed above change behavior depending on the only mutable state within the scope of `ext-reflection` classes, which is an "accessible" flag. This "accessibility" flag is steered by: * `ReflectionMethod#setAccessible(bool $accessible): void` * `ReflectionProperty#setAccessible(bool $accessible): void` Attempting to use any of the above listed methods without configuring accessibility first will lead to an exception being thrown. For example: <code php> class Foo { private $bar = 'a'; } (new ReflectionProperty(Foo::class, 'bar'))->getValue(); </code> https://3v4l.org/ousrD : <code> Fatal error: Uncaught ReflectionException: Cannot access non-public property Foo::$bar in <SNIP> </code> ==== The problem with mutability ==== By having `ReflectionProperty#setAccessible()` and `ReflectionMethod#setAccessible()`, any consumer of a `ReflectionMethod` or `ReflectionProperty` that is given by a third party must ensure that `#setAccessible()` is called: <code php> function doSomethingWithState(MyObject $o, ReflectionProperty $p) : void { $p->setAccessible(true); // wasteful safety check doSomethingWith($p->getValue($o)); } </code> In addition to that, any developer that is intentionally using the reflection API (after having evaluated its trade-off) will have to use this obnoxious syntax in order to use it at its fullest: <code php> $p = new ReflectionProperty(MyClass::class, 'propertyName'); $p->setAccessible(true); // now $p is usable </code> ===== Proposal ===== This RFC proposes to: * make `ReflectionProperty` and `ReflectionMethod` behave as if `#setAccessible(true)` had been called upfront * make `ReflectionProperty#setAccessible()` and `ReflectionMethod#setAccessible()` no-op operations, with no side-effects nor state mutation involved After the RFC is successfully accepted/implemented, the following code should no longer throw, improving therefore the ergonomics around reflection. <code php> class Foo { private $bar = 'a'; } (new ReflectionProperty(Foo::class, 'bar'))->getValue(); </code> ==== Deprecations ==== In order to ease migration to PHP 8.1, and minimize runtime side-effects, a deprecation is explicitly avoided in this RFC. Instead, a deprecation should be introduced when a new/separate RFC plans for the removal of `ReflectionProperty#setAccessible()` and `ReflectionMethod#setAccessible()`. Such RFC will be raised **after** the release of PHP 8.1, if this RFC is accepted. ===== Backward Incompatible Changes ===== Although of minimal concern, it is true that some behavior will change: * `ReflectionProperty#getValue()` will no longer throw an exception when used against a protected/private property * `ReflectionProperty#setValue()` will no longer throw an exception when used against a protected/private property * `ReflectionMethod#invoke()` will no longer throw an exception when used against a protected/private method * `ReflectionMethod#invokeArgs()` will no longer throw an exception when used against a protected/private method * for extensions developers, `reflection_object->ignore_visibility` no longer exists ===== Proposed PHP Version(s) ===== 8.1 ===== RFC Impact ===== ==== To SAPIs ==== None ==== To Existing Extensions ==== None ==== To Opcache ==== None ==== New Constants ==== None ==== php.ini Defaults ==== None ===== Open Issues ===== None ===== Proposed Voting Choices ===== Accept turning `ReflectionProperty#setAccessible()` and `ReflectionMethod#setAccessible()` into a no-op? (yes/no) ===== Patches and Tests ===== php#5412 ===== Vote ===== This is a Yes/No vote, requiring a 2/3 majority. Voting started on 2021-06-23 and ends on 2021-07-07. <doodle title="Make reflection setAccessible() no-op" auth="ocramius" voteType="single" closed="true"> * Yes * No </doodle> ```
Ocramius
force-pushed
the
feature/remove-effects-of-reflection-property-and-method-accessibility
branch
from
f3fb39a to
cad43f4
Compare
Ocramius
commented
Jul 7, 2021
There was a problem hiding this comment.
@patrickallaert or @ramsey can you take this to merge into master and into 8.1.x?, according to voting results?
Ref:
- https://externals.io/message/115068#115351
- https://marc.info/?l=php-internals&m=162566643315847&w=2
- https://wiki.php.net/rfc/make-reflection-setaccessible-no-op
Waited for green build before pinging :)
nikic
approved these changes
Jul 8, 2021
Ocramius
deleted the
feature/remove-effects-of-reflection-property-and-method-accessibility
branch
Ocramius
added a commit
to Ocramius/psalm
that referenced
this pull request
Dec 7, 2022
…rom PHP 8.1 onwards This will highlight unused code. Ref: php/php-src#5412 Ref: https://wiki.php.net/rfc/make-reflection-setaccessible-no-op Ref: php/php-src#5411 Example https://3v4l.org/PNeeZ ```php <?php class Foo { private $bar = 'baz'; private function taz() { return 'waz'; } } //var_dump((new ReflectionProperty(Foo::class, 'bar'))->getValue(new Foo)); //var_dump((new ReflectionMethod(Foo::class, 'taz'))->invoke(new Foo)); ``` Produces (starting from PHP 8.1): ``` string(3) "baz" string(3) "waz" ```
Ocramius
added a commit
to Roave/SecurityAdvisoriesBuilder
that referenced
this pull request
Dec 19, 2022
These calls are no longer needed as per: * https://wiki.php.net/rfc/make-reflection-setaccessible-no-op * php/php-src#5412
Ocramius
added a commit
to Roave/you-are-using-it-wrong
that referenced
this pull request
Dec 19, 2022
These calls are no longer needed as per: * https://wiki.php.net/rfc/make-reflection-setaccessible-no-op * php/php-src#5412
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
RFC: https://wiki.php.net/rfc/make-reflection-setaccessible-no-op
Follow-up to #5411: also removes the
ReflectionProperty#setAccessible(false)andReflectionMethod#setAccessible(false).Make
ReflectionProperty#setAccessible()andReflectionMethod#setAccessible()no-opWith this patch, it is no longer required to call
ReflectionProperty#setAccessible()orReflectionMethod#setAccessible()at all: calling these methods will no longer have anyeffect on the behavior of
ReflectionMethodandReflectionProperty.If a userland consumer already got to the point of accessing object/class information via reflection,
it makes little sense for
ext/reflectionto disallow accessingprivate/protectedsymbols ever.TODOs