Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[RFC] [Serializer] Introduce param config to drop the BC check in AbstractNormalizer::getAllowedAttributes #58697

New issue
New issue
Open
Open
[RFC] [Serializer] Introduce param config to drop the BC check in AbstractNormalizer::getAllowedAttributes#58697
Labels
RFCRFC = Request For Comments (proposals about features that you want to be discussed)Serializer
@VincentLanglet

Description

@VincentLanglet
VincentLanglet
opened on Oct 28, 2024

Description

Currently there is a check in AbstractNormalizer::getAllowedAttributes which is made for BC

symfony/src/Symfony/Component/Serializer/Normalizer/AbstractNormalizer.php

Lines 250 to 253 in 91588b3

if (!$ignoreUsed && !$groupsHasBeenDefined && $allowExtraAttributes) {
// Backward Compatibility with the code using this method written before the introduction of @Ignore
return false;
}

But this one has a big impact when excluded field from the denormalization.

Let's say I have an entity Foo with a field barData and a bazData.
When working with the Serializer from Symfony, thanks to all the name converter things and the way property are set, all this data are working to update the Foo data:

$serializer('{"bar_data": 42}', Foo::class, 'json');
$serializer('{"barData": 42}', Foo::class, 'json');
$serializer('{"bArDaTa": 42}', Foo::class, 'json');

Let's say I'd like to disallow the update of the barData and only allow bazData BUT I still want to allow extra attribute (cause in real world example you don't control the data, or you have 1000 field to allow and only one to disallow). Then

$serializer($content, Foo::class, 'json', ['ignored_attributes' => ['barData']]);

is a good way to do it. Unfortunately it seems like it disallow bar_data and barData but not bArDaTa so

$serializer('{"bArDaTa": 42}', Foo::class, 'json');

still update the field.

When using #[Ignore] on barData field it also disallow bArDaTa ; but it will for all the serializer ; I only want to ignore for this one. But to my surprise, using #[Ignore] to another field (let say ignoreData) will also allow

$serializer($content, Foo::class, 'json', ['ignored_attributes' => ['barData']]);

to fully work, because we don't enter in the

if (!$ignoreUsed && !$groupsHasBeenDefined && $allowExtraAttributes) {

condition anymore.

Example

Imho the BC behavior should be dropped and so far I saw symfony doing this by:

  • Introducing a parameter legacy_behavior default true
  • Adding a deprecation not setting legacy_behavior to false is deprecated and will change in SF8
  • Changing in SF8 from true to false by default
  • Deprecating the parameter
  • Dropping the parameter in SF9

Should we do the same here ?

If the old behavior make sens to be kept, it would be great to have a way to chose the behavior:

  • Either by a config bundle
  • Or at least by passing a special value to the context of the serializer.

But I personally think we should move forward and drop the legacy behavior. WDYT ?

Metadata

Metadata

Assignees

No one assigned

    Labels

    RFCRFC = Request For Comments (proposals about features that you want to be discussed)Serializer

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions