bug #40004 [Serializer] Prevent access to private properties without getters (julienfalque)

nicolas-grekas · nicolas-grekas · commit 8533ea223e99 · 2021-01-27T19:11:59.000+01:00
This PR was merged into the 4.4 branch. Discussion ---------- [Serializer] Prevent access to private properties without getters | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - When upgrading `symfony/serializer` from `v5.2.1` to `v5.2.2`, the serializer starts throwing exceptions because it cannot access some private properties that don't have a getter. This looks related to #38900. Commits ------- f0409b4 [Serializer] Prevent access to private properties without getters
diff --git a/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
@@ -107,18 +107,20 @@ protected function extractAttributes($object, $format = null, array $context = [
 
         // properties
         foreach ($reflClass->getProperties() as $reflProperty) {
+            $isPublic = $reflProperty->isPublic();
+
             if ($checkPropertyInitialization) {
-                $isPublic = $reflProperty->isPublic();
                 if (!$isPublic) {
                     $reflProperty->setAccessible(true);
                 }
                 if (!$reflProperty->isInitialized($object)) {
                     unset($attributes[$reflProperty->name]);
                     continue;
                 }
-                if (!$isPublic) {
-                    continue;
-                }
+            }
+
+            if (!$isPublic) {
+                continue;
             }
 
             if ($reflProperty->isStatic() || !$this->isAllowedAttribute($object, $reflProperty->name, $format, $context)) {
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php
@@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+final class DummyPrivatePropertyWithoutGetter
+{
+    private $foo = 'foo';
+    private $bar = 'bar';
+
+    public function getBar()
+    {
+        return $this->bar;
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
@@ -33,6 +33,7 @@
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Serializer\SerializerInterface;
 use Symfony\Component\Serializer\Tests\Fixtures\CircularReferenceDummy;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyPrivatePropertyWithoutGetter;
 use Symfony\Component\Serializer\Tests\Fixtures\GroupDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\MaxDepthDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\OtherSerializedNameDummy;
@@ -143,6 +144,15 @@ public function testNormalizeObjectWithUninitializedPrivateProperties()
         );
     }
 
+    public function testNormalizeObjectWithPrivatePropertyWithoutGetter()
+    {
+        $obj = new DummyPrivatePropertyWithoutGetter();
+        $this->assertEquals(
+            ['bar' => 'bar'],
+            $this->normalizer->normalize($obj, 'any')
+        );
+    }
+
     public function testDenormalize()
     {
         $obj = $this->normalizer->denormalize(
