Skip to content

[Serializer] Fix readonly property initialization from incorrect scope #61028

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 9, 2025
Merged

[Serializer] Fix readonly property initialization from incorrect scope #61028

merged 1 commit into from
Jul 9, 2025
+134 −1

Conversation

santysisi
Copy link
Contributor

@santysisi santysisi commented Jul 2, 2025
edited
Loading

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #60846
License MIT

Readonly properties couldn't be initialized during denormalization due to scope restrictions. This change checks if a property is readonly and uninitialized, if so, it sets the value using the declaring class's scope.

Also added a safety check to throw a LogicException if a readonly property is already initialized, to avoid accidental mutation.

@santysisi santysisi requested a review from dunglas as a code owner July 2, 2025 23:30
@carsonbot carsonbot added this to the 6.4 milestone Jul 2, 2025
@santysisi santysisi force-pushed the fix/readonly-property-initialization branch 5 times, most recently from 2f87dc4 to 5c28257 Compare July 3, 2025 00:10
nicolas-grekas
nicolas-grekas reviewed Jul 7, 2025
View reviewed changes
src/Symfony/Component/Serializer/Normalizer/PropertyNormalizer.php
@@ -202,7 +203,22 @@ protected function setAttributeValue(object $object, string $attribute, mixed $v
return;
}

$reflectionProperty->setValue($object, $value);
if (!$reflectionProperty->isReadOnly()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose we should deal with asymmetric visibility also?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing that out!

I tested the current implementation using properties with asymmetric visibility in PHP 8.4 and everything works as expected. The values are correctly set using ReflectionProperty::setValue() without throwing errors.

I believe this is because, starting from PHP 8.4.0, ReflectionProperty::setValue() still bypasses visibility restrictions (including asymmetric ones)

To make this explicit, I’ve added some tests that cover this behavior specifically for PHP 8.4.

Let me know if you'd prefer a stricter approach that checks write visibility explicitly.

@santysisi santysisi force-pushed the fix/readonly-property-initialization branch from 5c28257 to caee87a Compare July 7, 2025 23:03
@santysisi santysisi force-pushed the fix/readonly-property-initialization branch from caee87a to 79c2ea6 Compare July 7, 2025 23:23
@OskarStark OskarStark changed the title [Serializer] Fix readonly property initialization from incorrect scope [Serializer] Fix readonly property initialization from incorrect scope Jul 8, 2025
@nicolas-grekas
Copy link
Member

Thank you @santysisi.

@nicolas-grekas nicolas-grekas merged commit d524bc9 into symfony:6.4 Jul 9, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dunglas dunglas dunglas approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@mtarld mtarld mtarld approved these changes

Assignees
No one assigned
Labels
Bug Serializer Status: Reviewed
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
5 participants
@santysisi @nicolas-grekas @dunglas @mtarld @carsonbot
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy